[Samba] Samba Member Server, Winbind
rpenny at samba.org
Thu Jan 28 20:14:28 UTC 2016
On 28/01/16 19:56, Oliver Werner wrote:
> I have add a new Samba Member Server to my domain successfully.
> I have configured Winbind and get the correct Output from wbinfo -u/-g
> getent passwd also works fine.
> But when type getent group command i will get only local groups.
> Mysteriously, I can put the ADS groups with the chgrp command.
> With ls -la command they are also shown after set on file or directory.
> The only thing is the getent group command does not show what i want.
> My smb.conf looks:
> netbios name = VL02
> security = ADS
> workgroup = HQ
> realm = hq.local
> log file = /var/log/samba/%m.log
> log level = 1
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> winbind refresh tickets = yes
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind cache time = 60
> # Default idmap config used for BUILTIN and local accounts/groups
> idmap config *:backend = tdb
> idmap config *:range = 500-1299
> # idmap config for domain HQKONTRAST
> idmap config HQ:backend = ad
> idmap config HQ:schema_mode = rfc2307
> idmap config HQ:range = 1300-99999
> # Use settings from AD for login shell and home directory
> winbind nss info = rfc2307
> uidNumber of Users start on 10000 and gidNumber of Groups on 1300. So the IDs are in the range.
> Anyone knows the Problem or know how to fix?
> OLIVER WERNER
Firstly I wouldn't use '500' for the builtin start number, you now have
nowhere for the Unix local users & groups, especially as most linux
distros start ordinary users & groups at 1000. You also don't have to
use a different range for the AD users and groups, can I suggest you add
a '0' on the end of the AD gidNumber attributes and then change the
range from '1300-99999' to '10000-99999'
Finally 'getent group' wont show anything on later versions of Samba,
try 'getent group adomaingroup'
More information about the samba