[Samba] AD Group lost from Winbind

Rowland Penny rpenny at samba.org
Mon Feb 22 09:21:42 UTC 2016

On 22/02/16 08:32, Oliver Werner wrote:
> Hi,
> last week we tested our problem with the changed parameter
> server services = -winbindd +winbind
> but our member server also gets the issue that winbind loses the user and group mapping for valid users.
> So for the test I have changed the parameter above on our three DCs.
> Do I need to set this parameter on the member server also?
> Oliver

OK, I have been rereading this thread and I think Louis may have been
sending you off on a wild goose chase here. If the problem occurs on a
domain member, it very probably has nothing to do with how smb.conf is
set up on the DC.

What I did notice (and it is probably a typo) is this:

In domain member smb.conf:
     realm = hq.internal

In DC smb.conf:
     path = /var/lib/samba/sysvol/hq.kontrast/scripts

Which is it? 'hq.internal' or 'hq.kontrast'?

You should also add these lines to the smb.conf on the domain member:

    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes

Have you given a uidNumber attribute to users in AD and if you have,
does this include Administrator?
Have you given a gidNumber attribute to groups in AD and if you have,
does this include groups such as Administrators?

To be honest it sounds like the Kerberos ticket could be expiring and
not getting renewed.
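
Added example, not part of the original message: a small Python check for the two smb.conf points raised above, the member realm versus the domain name in the DC's sysvol path, and the three suggested member settings. The sample configs are constructed from the values quoted in the message, and the function names are hypothetical.

```python
import re

# Constructed samples: only the values quoted in the message above.
MEMBER_CONF = """
[global]
    realm = hq.internal
"""
DC_CONF = """
[netlogon]
    path = /var/lib/samba/sysvol/hq.kontrast/scripts
"""
# The three lines the message suggests adding on the domain member.
RECOMMENDED = {"vfs objects": "acl_xattr", "map acl inherit": "yes",
               "store dos attributes": "yes"}

def parse_smb_conf(text):
    """Return {section: {param: value}}; names lowercased, inner spaces collapsed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def sysvol_domains(conf):
    """Domain names that appear as .../sysvol/<domain>/ in any share path."""
    hits = (re.search(r"/sysvol/([^/]+)", p.get("path", "")) for p in conf.values())
    return {m.group(1).lower() for m in hits if m}

def check(member_text, dc_text):
    """List findings: realm/sysvol mismatch and missing member settings."""
    member = parse_smb_conf(member_text).get("global", {})
    realm = member.get("realm", "").lower()
    findings = [f"realm mismatch: member realm '{realm}' vs DC sysvol '{dom}'"
                for dom in sorted(sysvol_domains(parse_smb_conf(dc_text)))
                if dom != realm]
    for key, want in RECOMMENDED.items():
        # 'vfs objects' may list several modules, so test membership.
        if want not in member.get(key, "").lower().split():
            findings.append(f"member missing: {key} = {want}")
    return findings

if __name__ == "__main__":
    print("\n".join(check(MEMBER_CONF, DC_CONF)))
```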

