[Samba] Domain users can't browse or access shares

[Tim]

Hi Rowland,

I haven't seen a base_rid parameter in his smb.cfg. That's why I advised to correct the value down to 1000 just to give it a try.

I also had the problem of not getting any users with getent passwd with ad backend until I realized that all users must have a rfc2307 uid and must have a primary group in ad which also has a rfc2307 gid. The last thing is that what I missed.
Example:
Domain Users has got a gid of 10000 in ADUC Unix tab.
The users also have a uid set in Unix tab and have primary group set to domain users. The ad backend only serves these users where this two things are set to getent passwd.

Regards
Tim

Am 14. Februar 2015 10:41:11 MEZ, schrieb Rowland Penny <rowlandpenny at googlemail.com>:
>On 14/02/15 07:36, Tim wrote:
>> You are using idmap module rid for your domain. I think getent passwd
>could not resolve anything because of your id range. I would try a
>range of 1000 (one thousand)-99999 and see what happens.
>> New users in AD start with a rid of 1000. Well known Users like
>administrator got their rid starting in the 500 range.
>>
>> You should think of using rfc2307.
>
>He was using the 'ad' backend and was getting nothing, so I advised him
>
>to change to the 'rid' backend.
>
>Samba, when using the 'rid' backend, calculates the users ID this way:
>
>ID = RID - BASE_RID + LOW_RANGE_ID
>
>which from his set up is:
>
>ID = RID - 0 + 10000
>
>So if a user has a RID of 1000
>
>ID = 1000 - 0 + 10000
>
>ID = 11000
>
>What I would try now is to add a couple of 9's to the high range and
>see 
>if this then shows any users i.e. change 'range=10000-99999' to 
>'range=10000-9999999'
>
>It might just be that *all* his users have RID's higher than 99999 and 
>if this is so, samba will never show them.
>
>Rowland
>
>-- 
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba