[Samba] wbinfo works, id and getent don't

Rowland Penny rowlandpenny241155 at gmail.com
Fri Oct 16 08:05:29 UTC 2015


On 16/10/15 00:00, David Bear wrote:
> This is a common thread and I'm wondering where the answer is.. I can see
> this theme posted many times -- recently here
> https://lists.samba.org/archive/samba/2015-May/191483.html and for which I
> was not able to find a solution
>
> The situation is this..
> Samba 4.2 compiled from source on ubuntu 14. server.
>
> Samba 4.2 AD DC is working great in sliced server.
>
> the samba member server joined fine. wbinfo -u  on the member server lists
> domain users. wbinfo -g lists domain groups.
>
> So far, great following this great how to at
> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server Thanks
> Roland...
>
> now the rub..
> id DomainUser -- no such user
> getent passwd lists local users, not domain users
>
> ok -- googling about this happens.. following this thread
> http://www.spinics.net/lists/samba/msg125293.html doesn't apply -- because
> nmbd starts fine.
>
> So, I'm hoping for some suggestions here.. Below is smb.conf and
> nsswitch.conf
>
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd:         compat winbind
> group:          compat winbind
> shadow:         compat
>
> hosts:          files dns
> networks:       files
>
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
>
> netgroup:       nis
>
>
> # ### smb.conf
> # [global]
>
> netbios name = tcpm-srv1
> workgroup = IN
> security = ADS
> realm = IN.TRANSCITYPM.COM
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> idmap config IN:backend = ad
> idmap config IN:schema_mode = rfc2307
> idmap config IN:range = 10000-99999
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = yes
>
> bind interfaces only = yes
> interfaces = em1
> log level = 5
> log file = /usr/local/samba/var/log.%m
>
> [share1]
> path = /home/fileserv1/share1
> read only = no
>
>
> any ideas???
>

Hi, do your users have a uidNumber attribute containing a unique number 
between 10000 and 999999?
Also, does 'Domain Users' have a gidNumber, again inside the 10000-99999 
range?

These attributes *do not* exist as standard, you have to create them 
manually, either using the ADUC Unix Attributes tab or by directly 
editing AD, you cannot do this with samba-tool.

I did come up with a set of patches to make samba-tool work just like 
ADUC, but they were rejected because I was using deterministic numbers 
(I used 10000 as a start point, just like ADUC) and there was some talk 
of a better way of doing it, but then, as far as I can see, there has 
been talk of a better way of doing it since before samba 4 was released.

Rowland
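
The check described in the reply above, as an added example that is not part of the original thread: it parses the `idmap config` lines from the quoted smb.conf and tests whether an account's uidNumber/gidNumber falls inside the range of the `ad` backend. The account names and attribute values are constructed, and the function names are hypothetical; it assumes, as the reply implies, that winbind's `ad` backend does not map accounts whose attribute is missing or outside the configured range.

```python
import re

# Constructed sample: the idmap lines from the smb.conf quoted in this thread.
SMB_CONF = """\
[global]
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config IN:backend = ad
idmap config IN:schema_mode = rfc2307
idmap config IN:range = 10000-99999
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf_text):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue  # skip commented-out settings
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            domains.setdefault(dom.upper(), {})[opt.lower()] = val
    return domains

def check_id(domains, domain, attr, value):
    """Say whether an rfc2307 attribute value can be mapped by the ad backend."""
    cfg = domains.get(domain.upper())
    if not cfg or cfg.get("backend") != "ad":
        return "n/a: domain does not use the ad backend"
    low, high = (int(x) for x in cfg["range"].split("-"))
    if value is None:
        return f"FAIL: {attr} not set in AD"
    if not low <= value <= high:
        return f"FAIL: {attr}={value} outside {low}-{high}"
    return "ok"

def diagnose(conf_text, domain, accounts):
    domains = parse_idmap(conf_text)
    return {name: check_id(domains, domain, attr, val) for name, attr, val in accounts}

# Constructed account data (hypothetical names and values), None = attribute absent.
ACCOUNTS = [("alice", "uidNumber", 10001), ("bob", "uidNumber", None),
            ("carol", "uidNumber", 500), ("Domain Users", "gidNumber", 10000)]

if __name__ == "__main__":
    for name, result in diagnose(SMB_CONF, "IN", ACCOUNTS).items():
        print(f"{name}: {result}")
```

An account reported as FAIL here is one that `wbinfo -u` can still list while `id` and `getent passwd` cannot resolve it.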
