[Samba] Samba Member Server, Winbind

Rowland Penny rpenny at samba.org
Thu Jan 28 20:14:28 UTC 2016


On 28/01/16 19:56, Oliver Werner wrote:
> Hello,
>
> I have added a new Samba member server to my domain successfully.
>
> I have configured Winbind and get the correct output from wbinfo -u/-g.
>
> getent passwd also works fine.
>
> But when I type the getent group command, I get only local groups.
>
> Mysteriously, I can set the ADS groups with the chgrp command.
> With the ls -la command they are also shown after being set on a file or directory.
> The only thing is that the getent group command does not show what I want.
>
> My smb.conf looks like this:
>
> [global]
>         netbios name = VL02
>         security = ADS
>         workgroup = HQ
>         realm = hq.local
>
>         log file = /var/log/samba/%m.log
>         log level = 1
>
>         dedicated keytab file = /etc/krb5.keytab
>         kerberos method = secrets and keytab
>         winbind refresh tickets = yes
>
>         winbind trusted domains only = no
>         winbind use default domain = yes
>         winbind enum users  = yes
>         winbind enum groups = yes
>         winbind cache time = 60
>
>
>         # Default idmap config used for BUILTIN and local accounts/groups
>         idmap config *:backend = tdb
>         idmap config *:range = 500-1299
>
>         # idmap config for domain HQKONTRAST
>         idmap config HQ:backend = ad
>         idmap config HQ:schema_mode = rfc2307
>         idmap config HQ:range = 1300-99999
>
>         # Use settings from AD for login shell and home directory
>         winbind nss info = rfc2307
>
>
> The uidNumber of users starts at 10000 and the gidNumber of groups at 1300, so the IDs are in the range.
>
> Does anyone know the problem or how to fix it?
>
> regards
>
> OLIVER WERNER

Firstly, I wouldn't use '500' for the builtin start number; you now have 
nowhere for the Unix local users & groups, especially as most Linux 
distros start ordinary users & groups at 1000. You also don't have to 
use a different range for the AD users and groups. Can I suggest you add 
a '0' on the end of the AD gidNumber attributes and then change the 
range from '1300-99999' to '10000-99999'?

Finally, 'getent group' won't show anything on later versions of Samba; 
try 'getent group adomaingroup'.

Rowland

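A check that makes the range advice above concrete, added here as an example and not code from the thread or from Samba: it parses the `idmap config ...:range` lines out of an smb.conf, flags a default (`*`) range that covers the IDs the distro hands to ordinary local accounts, and flags any two ranges that overlap. The local start value of 1000 is an assumption; on a real host take it from UID_MIN in /etc/login.defs.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check idmap ranges in smb.conf.

# Constructed sample: the idmap lines from the poster's [global] section.
SAMPLE_SMB_CONF='
[global]
        idmap config *:backend = tdb
        idmap config *:range = 500-1299
        idmap config HQ:backend = ad
        idmap config HQ:range = 1300-99999
'

# check_idmap_ranges CONF_TEXT LOCAL_MIN
#   CONF_TEXT: contents of smb.conf; LOCAL_MIN: first UID/GID the distro gives
#   ordinary local accounts (assumed 1000; UID_MIN in /etc/login.defs).
# Prints one line per finding; exit status 1 if anything was found, else 0.
check_idmap_ranges() {
    printf '%s\n' "$1" | awk -v local_min="$2" '
    /^[ \t]*idmap config [^:]+:range[ \t]*=/ {
        line = $0
        sub(/^[ \t]*idmap config /, "", line)      # e.g. "HQ:range = 1300-99999"
        split(line, kv, "=")
        key = kv[1]; sub(/:range[ \t]*$/, "", key)   # "HQ" or "*"
        val = kv[2]; gsub(/[ \t]/, "", val)          # "1300-99999"
        split(val, r, "-")
        n++; dom[n] = key; lo[n] = r[1] + 0; hi[n] = r[2] + 0
    }
    END {
        bad = 0
        for (i = 1; i <= n; i++) {
            if (lo[i] >= hi[i]) {
                printf "%s: invalid range %d-%d\n", dom[i], lo[i], hi[i]; bad = 1
            }
            # A default range that covers local_min leaves no room for local accounts.
            if (dom[i] == "*" && lo[i] <= local_min && local_min <= hi[i]) {
                printf "*: range %d-%d covers local UID/GID start %d\n", lo[i], hi[i], local_min
                bad = 1
            }
            # Overlapping ranges let two backends hand the same ID to different accounts.
            for (j = i + 1; j <= n; j++)
                if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                    printf "%s and %s: ranges overlap\n", dom[i], dom[j]; bad = 1
                }
        }
        exit bad
    }'
}

if check_idmap_ranges "$SAMPLE_SMB_CONF" 1000; then
    echo "idmap ranges look sane"
else
    echo "idmap ranges need attention"
fi
```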
