[Samba] samba4 as ADS member: some users visible, others not
Rowland penny
rpenny at samba.org
Tue Dec 29 17:59:20 UTC 2015
On 29/12/15 17:30, Stefan G. Weichinger wrote:
> Am 2015-12-29 um 18:05 schrieb Rowland penny:
>> On 29/12/15 16:32, Stefan G. Weichinger wrote:
>>> I have to add a brand new fedora 23 server with samba 4.3.3 to an
>>> existing Windows ADS domain.
>>>
>>> The join is OK:
>>>
>>> # net ads testjoin
>>> Join is OK
>>>
>>> I use winbind as I still have to learn about sssd (and I am unsure which
>>> one to prefer).
>>>
>>> config (workgroup and realm edited):
>>>
>>> [global]
>>> workgroup = customer
>>> realm = my.customer
>>> server string =
>>> security = ADS
>>> map to guest = Bad User
>>> username map = /etc/samba/smbusers
>>> map untrusted to domain = Yes
>>> load printers = No
>>> printcap name = /dev/null
>>> disable spoolss = Yes
>>> template shell = /bin/bash
>>> winbind enum users = Yes
>>> winbind enum groups = Yes
>>> winbind use default domain = Yes
>>> winbind nss info = rfc2307
>>> idmap config customer:range = 10000-999999
>>> idmap config customer:schema_mode = rfc2307
>>> idmap config customer:backend = ad
>>> idmap config *:range = 2000-9999
>>> idmap config * : backend = tdb
>>> force create mode = 0664
>>> force directory mode = 0775
>>> printing = bsd
>>> level2 oplocks = No
>>>
>>> ---
>>>
>>> issues:
>>>
>>> wbinfo -u
>>> wbinfo -g list all users and groups from ADS
>>>
>>> getent passwd only gives me around 20 users from ADS ...
>>>
>>> -> some users get access to shares, some not!
>>>
>>> I assume this has to do with "idmap config customer:range" ?
>>>
>>> How to determine the values of the max ids?
>>>
>>> Do I have to "reset" some mappings after changing this parameter?
>>>
>>> What else to check for?
>>>
>>> thanks for any help on this, Stefan
>>>
>> The only mappings you should have are the ones for the 'builtin' users
>> & groups; all the others should have a uidNumber or gidNumber attribute
>> in AD, and these should be between '10000-999999'.
>> I would also recommend you remove these lines:
>>
>> force create mode = 0664
>> force directory mode = 0775
> I agree, sure.
>
>> They really only belong in a share, but you should be using Posix ACLs
>> anyway.
>>
>> If a user isn't shown by getent, then they are unknown to the OS and
>> will not be able to access shares unless the share also allows guest
>> access.
> So I understand you suggest using this instead?
>
> ->
>
> [global]
> workgroup = CUSTOMER
> realm = MY.CUSTOMER
> server string =
> security = ADS
> map to guest = Bad User
> username map = /etc/samba/smbusers
> map untrusted to domain = Yes
> load printers = No
> printcap name = /dev/null
> disable spoolss = Yes
> template shell = /bin/bash
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> winbind nss info = rfc2307
> idmap config *:range = 2000-9999
> idmap config * : backend = tdb
> printing = bsd
> level2 oplocks = No
>
> I will test later as there are some users working (early evening here) ...
>
> thanks! Stefan
>
NO! This will give you precisely 0 users.
config * == the range the 'builtin' users will be mapped to.
config customer == the range for all the domain users that have a
uidNumber attribute. If a user doesn't have a uidNumber attribute
containing a number inside the range set in smb.conf (in your case
10000-999999) it will be ignored; the user will also be ignored if it
doesn't have a uidNumber attribute. There is also another gotcha: the
'Domain Users' group *must* have a gidNumber attribute inside the range,
or all users will be ignored even if they have a uidNumber attribute.
This all boils down to: have you manually given your users & groups the
required uidNumber & gidNumber attributes? They are not added
automatically, they must be added manually.
Rowland
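The rules Rowland lays out above (a domain user is visible only if its uidNumber lies inside the `idmap config <domain>:range` of an `ad` backend, and every user is dropped if 'Domain Users' lacks a gidNumber inside that range) can be turned into an offline pre-check before touching AD. The script below is an added example, not code from the thread or from the Samba project: it parses the `idmap config` lines of an smb.conf fragment and applies those rules to a constructed list of user and group records (the kind of `sAMAccountName`/`uidNumber`/`gidNumber` tuples you would pull from AD with an LDAP query). The sample accounts, the `visible_users` function and its signature are assumptions made for this illustration.

```python
"""Simulate which AD users winbind's 'ad' idmap backend (schema_mode = rfc2307)
would expose to getent, using the rules from the mailing-list reply.
Added example; not part of Samba or of the original thread."""
import re

# Constructed smb.conf fragment; mirrors the idmap lines from the thread.
SMB_CONF = """
[global]
   workgroup = customer
   idmap config customer:range = 10000-999999
   idmap config customer:schema_mode = rfc2307
   idmap config customer:backend = ad
   idmap config *:range = 2000-9999
   idmap config * : backend = tdb
"""

# Constructed sample records (what an LDAP lookup of uidNumber/gidNumber might return).
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "uidNumber": 10001},   # inside range -> visible
    {"sAMAccountName": "bob"},                         # no uidNumber -> ignored
    {"sAMAccountName": "carol", "uidNumber": 5000},    # outside range -> ignored
    {"sAMAccountName": "dave", "uidNumber": 999999},   # upper boundary -> visible
]
SAMPLE_GROUPS = [
    {"sAMAccountName": "Domain Users", "gidNumber": 10000},
]

# Matches 'idmap config <domain>:<option> = <value>', tolerating spaces around ':'.
IDMAP_RE = re.compile(r"^\s*idmap config\s*(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(conf):
    """Return {domain: {option: value}} for every 'idmap config' line in conf."""
    cfg = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1).lower(), m.group(2).lower(), m.group(3)
            cfg.setdefault(dom, {})[opt] = val
    return cfg


def parse_range(text):
    """Turn '10000-999999' into (10000, 999999)."""
    lo, hi = (int(x) for x in text.split("-"))
    return lo, hi


def visible_users(conf, users, groups, domain, domain_users_group="Domain Users"):
    """Return (visible_names, ignored) where ignored maps name -> reason."""
    dcfg = parse_idmap(conf).get(domain.lower(), {})
    if dcfg.get("backend", "").lower() != "ad":
        reason = "no 'ad' idmap backend configured for domain"
        return [], {u["sAMAccountName"]: reason for u in users}
    lo, hi = parse_range(dcfg["range"])

    # Gotcha from the thread: without a gidNumber for 'Domain Users' inside the
    # range, every user is ignored even if its own uidNumber is fine.
    du = next((g for g in groups if g["sAMAccountName"] == domain_users_group), None)
    du_gid = du.get("gidNumber") if du else None
    if du_gid is None or not lo <= du_gid <= hi:
        reason = f"'{domain_users_group}' has no gidNumber inside {lo}-{hi}"
        return [], {u["sAMAccountName"]: reason for u in users}

    visible, ignored = [], {}
    for u in users:
        uid = u.get("uidNumber")
        if uid is None:
            ignored[u["sAMAccountName"]] = "no uidNumber attribute"
        elif not lo <= uid <= hi:
            ignored[u["sAMAccountName"]] = f"uidNumber {uid} outside {lo}-{hi}"
        else:
            visible.append(u["sAMAccountName"])
    return visible, ignored


if __name__ == "__main__":
    vis, ign = visible_users(SMB_CONF, SAMPLE_USERS, SAMPLE_GROUPS, "customer")
    print("visible via getent:", ", ".join(vis))
    for name, why in ign.items():
        print(f"ignored {name}: {why}")
```

Feeding the script real data means exporting `sAMAccountName`, `uidNumber` and `gidNumber` for the domain's users and groups from AD and building the two lists from that export; any account the script reports as ignored is one that `getent passwd` will not show and that will only reach a share through guest access, exactly the symptom described at the top of the thread.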