[Samba] Samba4 Domain Member Server "Getent show diferents UID"

Rowland Penny rpenny at samba.org
Wed Jun 15 18:27:31 UTC 2016

On 15/06/16 18:55, Juan Ignacio wrote:
> The UID of the users in the command output: "getent passwd" remain 
> different in the member server.
> I gave the user uanaco a gid and a uid through RSAT.

OK, this is me on a DC:

root@dc2:~# getent passwd rowland
SAMDOM\rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

and this is me on a domain member:

rowland@devstation:~$ getent passwd rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

I have added the required RFC2307 attributes to my AD object and 
libnss_winbind is set up correctly.

> root@memberserver:/usr/local/samba/etc# getent passwd | less
> uanaco:*:100642:100008:uanaco:/home/ADSERVER/uanaco:/bin/false
> Is there a service besides winbindd that needs to be running on the 
> member server?
> I'm currently running them all manually: "nmbd, smbd, samba, winbindd"
> The startup script here did not work properly on Debian.

You should not be running all of them on a domain member; turn off 
'samba'. This should only be run on a DC, and it will start any other 
required binaries.

> https://wiki.samba.org/index.php/Samba4/InitScript

Download the Debian Samba packages and extract the 'smbd', 'nmbd' and 
'winbindd' init scripts, then alter the paths in them to match where your 
Samba binaries are.

> How can we verify that the AD Domain Controller is using the RFC2307 
> attribute correctly?
> How can we verify that the Member server is using the RFC2307 
> attribute and receiving data?

If everything is set up correctly, you should get the same IDs 
everywhere on Linux (see above). If you are not getting the same UIDs on 
DCs & domain members, then it sounds like something is incorrectly set up.

You say that you gave your user a uidNumber. Is this number inside the 
domain range in the domain member smb.conf? The relevant line in my 
smb.conf is:

  idmap config SAMDOM : range = 10000-999999

If it isn't, it will be ignored.

Have you given the 'Domain Users' group a gidNumber attribute? If not, 
all Unix users will be ignored. Again, this number needs to be inside 
the range.

Can you run 'pam-auth-update' on the domain member and post the result?
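
The range and consistency checks described in the reply above, as an added example that is not part of the original message: it reads the `idmap config DOMAIN : range` line from a member's smb.conf and compares saved `getent passwd` output from a DC and a domain member. The helper names (`idmap_range`, `parse_getent`, `check`) and all sample data are constructed for illustration.

```python
import re

# Constructed sample inputs (not taken from the systems in this thread).
SMB_CONF = """\
[global]
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : range = 10000-999999
"""
DC_GETENT = ("SAMDOM\\rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash\n"
             "SAMDOM\\alice:*:5000:10000:Alice:/home/alice:/bin/bash\n")
MEMBER_GETENT = ("rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash\n"
                 "alice:*:100642:100008:alice:/home/SAMDOM/alice:/bin/false\n")

def idmap_range(conf, domain):
    """Return (low, high) from 'idmap config DOMAIN : range = low-high'."""
    pat = (rf"^\s*idmap\s+config\s+{re.escape(domain)}"
           r"\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$")
    m = re.search(pat, conf, re.MULTILINE | re.IGNORECASE)
    if not m:
        raise ValueError(f"no idmap range configured for {domain}")
    return int(m.group(1)), int(m.group(2))

def parse_getent(text):
    """Map bare user name -> (uid, gid), dropping any 'DOMAIN\\' prefix."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:          # skip blank or malformed lines
            continue
        name = fields[0].split("\\")[-1].lower()
        users[name] = (int(fields[2]), int(fields[3]))
    return users

def check(conf, domain, dc_text, member_text):
    """List IDs outside the member's range and DC/member mismatches."""
    low, high = idmap_range(conf, domain)
    dc, member = parse_getent(dc_text), parse_getent(member_text)
    findings = []
    for user, (uid, gid) in sorted(dc.items()):
        for kind, val in (("uid", uid), ("gid", gid)):
            if not low <= val <= high:
                findings.append(f"{user}: DC {kind} {val} outside {low}-{high}")
        if user in member and member[user] != (uid, gid):
            findings.append(f"{user}: DC {(uid, gid)} != member {member[user]}")
    return findings

if __name__ == "__main__":
    print("\n".join(check(SMB_CONF, "SAMDOM", DC_GETENT, MEMBER_GETENT)))
```
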

