[Samba] samba4 as ADS member: some users visible, others not
Stefan G. Weichinger
lists at xunil.at
Tue Dec 29 17:30:02 UTC 2015
Am 2015-12-29 um 18:05 schrieb Rowland penny:
> On 29/12/15 16:32, Stefan G. Weichinger wrote:
>> I have to add a brand new fedora 23 server with samba 4.3.3 to an
>> existing Windows ADS domain.
>> The join is OK:
>> # net ads testjoin
>> Join is OK
>> I use winbind as I still have to learn about sssd (and I am unsure which
>> one to prefer).
>> config (workgroup and realm edited):
>> workgroup = customer
>> realm = my.customer
>> server string =
>> security = ADS
>> map to guest = Bad User
>> username map = /etc/samba/smbusers
>> map untrusted to domain = Yes
>> load printers = No
>> printcap name = /dev/null
>> disable spoolss = Yes
>> template shell = /bin/bash
>> winbind enum users = Yes
>> winbind enum groups = Yes
>> winbind use default domain = Yes
>> winbind nss info = rfc2307
>> idmap config customer:range = 10000-999999
>> idmap config customer:schema_mode = rfc2307
>> idmap config customer:backend = ad
>> idmap config *:range = 2000-9999
>> idmap config * : backend = tdb
>> force create mode = 0664
>> force directory mode = 0775
>> printing = bsd
>> level2 oplocks = No
>> wbinfo -u
>> wbinfo -g list all users and groups from ADS
>> getent passwd only gives me around 20 users from ADS ...
>> -> some users get access to shares, some not!
>> I assume this has to do with "idmap config customer:range" ?
>> How to determine the values of the max ids?
>> Do I have to "reset" some mappings after changing this parameter?
>> What else to check for?
>> thanks for any help on this, Stefan
> The only mappings you should have, are the ones for the 'builtin' users
> & groups, all the others should have a uidNumber or gidNumber attribute
> in AD, these should be between '10000-999999'
> I would also recommend you remove these lines:
> force create mode = 0664
> force directory mode = 0775
I agree, sure.
> They really only belong in a share, but you should be using Posix ACLs
> If a user isn't shown by getent, then they are unknown to the OS and
> will not be able to access shares unless the share also allows guest
So I understand you suggest to use this instead ?
workgroup = CUSTOMER
realm = MY.CUSTOMER
server string =
security = ADS
map to guest = Bad User
username map = /etc/samba/smbusers
map untrusted to domain = Yes
load printers = No
printcap name = /dev/null
disable spoolss = Yes
template shell = /bin/bash
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nss info = rfc2307
idmap config *:range = 2000-9999
idmap config * : backend = tdb
printing = bsd
level2 oplocks = No
I will test later as there are some users working (early evening here) ...
More information about the samba