[Samba] How to join Ubuntu desktop to AD
Brian Candler
b.candler at pobox.com
Sat Dec 10 16:25:46 UTC 2016
On 09/12/2016 15:55, Rowland Penny wrote:
>> But did you give Domain Users a gid? If you don’t do that, winbind
>> and getent will not find any UNIX users (doesn’t matter if the users
>> have a uid and gid within the range you’ve specified in smb.conf).
>> It’s been a while since I had this problem - my memory is it’s not
>> clearly mentioned in the wiki at all.
>>
> It is mentioned on the wiki, to be precise here:
>
> https://wiki.samba.org/index.php/Idmap_config_ad#Prerequisites
>
> Do you think it needs more emphasis ?
I think there's plenty of emphasis now, but I think there is a part
which is misleading:
> To enable Samba to retrieve user and group information from Active
> Directory (AD):
>
> * Users must have at least the uidNumber and groups the gidNumber
> attribute set.
As far as I can tell there is no need at all to set the gidNumber on the
user entry, at least not when using the winbind component of Samba.
By saying it has to be set, the implication is that it does something
useful. So the admin sets e.g.
    uidNumber: 1000
    gidNumber: 1000
and is surprised when the user's primary group is the gidNumber from
Domain Users (or that the user doesn't appear at all, if Domain Users
has no gidNumber).
I think it would be clearer like this:
"To enable Samba to retrieve user and group information from Active
Directory (AD):
* Users must have the uidNumber attribute set. When using the rfc2307
winbind NSS info mode, user accounts must also have the loginShell and
unixHomeDirectory set.
* The group which the user's PrimaryGroupID refers to (normally "Domain
Users") must have the gidNumber attribute set.
* It is recommended that you do not change any user's primaryGroupID.
Windows expects all the users' primary group to be "Domain Users". This
implies that all Unix logins will use the same primary gid.
* The user and group IDs must be within the range configured in the
smb.conf for this domain.
...etc"
Regards,
Brian.
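
Added example, not part of the original message or of Samba: a small audit of directory entries against the prerequisites as reworded above, modelling the winbind behaviour the message describes. The ID range, the entry layout and the sample users are constructed assumptions.

```python
# Models the behaviour described in the message above; sample data is constructed.
ID_RANGE = (10000, 999999)  # assumed "idmap config <DOMAIN> : range" value


def in_range(value, id_range):
    low, high = id_range
    return value is not None and low <= value <= high


def audit_user(user, groups, id_range=ID_RANGE):
    """Return (effective_gid, findings); gid is None if getent would not list the user."""
    findings = []
    name = user["sAMAccountName"]
    uid = user.get("uidNumber")
    if uid is None:
        findings.append(f"{name}: uidNumber not set")
    elif not in_range(uid, id_range):
        findings.append(f"{name}: uidNumber {uid} outside idmap range")

    # primaryGroupID holds the RID of the primary group (513 = Domain Users).
    rid = user["primaryGroupID"]
    group = groups.get(rid, {})
    gname = group.get("cn", f"RID {rid}")
    gid = group.get("gidNumber")
    if gid is None:
        findings.append(f"{name}: primary group '{gname}' has no gidNumber")
    elif not in_range(gid, id_range):
        findings.append(f"{name}: gidNumber {gid} of '{gname}' outside idmap range")

    resolvable = not findings
    user_gid = user.get("gidNumber")
    if user_gid is not None and user_gid != gid:
        findings.append(f"{name}: gidNumber {user_gid} on the user entry is "
                        f"not used; primary gid comes from '{gname}'")
    return (gid if resolvable else None), findings


# Constructed sample entries (not from a real directory).
GROUPS = {513: {"cn": "Domain Users", "gidNumber": None}}
USERS = [
    {"sAMAccountName": "alice", "uidNumber": 10010, "gidNumber": 10010,
     "primaryGroupID": 513},
    {"sAMAccountName": "bob", "uidNumber": 1000, "primaryGroupID": 513},
]

if __name__ == "__main__":
    for u in USERS:
        gid, findings = audit_user(u, GROUPS)
        print(u["sAMAccountName"], "-> primary gid", gid, findings)
```

With the sample data neither user resolves: alice because Domain Users has no gidNumber, bob because uidNumber 1000 lies outside the assumed range.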