[Samba] winbind backend ad not working

Rowland Penny rpenny at samba.org
Wed Oct 26 14:17:09 UTC 2016


On Wed, 26 Oct 2016 16:02:08 +0200
Stefan Kania via samba <samba at lists.samba.org> wrote:

> Hello,
> 
> after a classicupgrade from samba3 with openldap we want to set up a 
> samba-fileserver. We would like to use the winbind ad backend. So we 
> configured the smb.conf with the following settings:
> ---------
> # Global parameters
> [global]
>          bind interfaces only = Yes
>          interfaces = 192.168.56.102
>          realm = EXAMPLE.DE
>          workgroup = EXAMPLE
>          registry shares = Yes
>          security = ADS
>          template shell = /bin/bash
>          winbind enum groups = Yes
>          winbind enum users = Yes
>          winbind nss info = rfc2307
>          winbind refresh tickets = Yes
>          winbind use default domain = Yes
>          idmap config EXAMPLE : schema_mode = rfc2307
>          idmap config EXAMPLE : range = 1001 - 200000
>          idmap config EXAMPLE : backend = ad
>          idmap config * : range = 1000000 - 1999999
>          idmap config * : backend = tdb
>          store dos attributes = Yes
>          inherit acls = Yes
>          vfs objects = acl_xattr
> ---------
> 
> All users in AD have a unique uidNumber and all the other 
> Unix-Attributes, but no uid-Attribute. All uidNumbers are inside the 
> range configured in smb.conf.
> But we will not get any user listed with "getent passwd". We tried to 
> switch to winbind backend rid, then everything is working. All users
> are listed. Here is the smb.conf with the backend rid:
> ---------
> [global]
>          workgroup = EXAMPLE
>          realm = EXAMPLE.DE
>          security = ADS
>          winbind use default domain = yes
>          winbind enum users = yes
>          winbind enum groups = yes
>          winbind refresh tickets = yes
>          template shell = /bin/bash
>          idmap config * : range = 10000 - 19999
>          idmap config EXAMPLE : backend = rid
>          idmap config EXAMPLE : range = 1000000 - 1999999
>          inherit acls = yes
>          store dos attributes = yes
>          vfs objects = acl_xattr
>          interfaces = 192.168.56.102
>          bind interfaces only = yes
> ---------
> Even with log level 3 we didn't get any error message. Where should we 
> look next, or what is wrong in our configuration?
> 
> Stefan
> 

Have you given 'Domain users' a gidNumber attribute containing a number
inside '1001 - 200000' ??

Rowland
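
The check this reply asks about, written out as an added example (not code from either poster or from the Samba project). It assumes that with the ad backend an account is only listed when both its own uidNumber and the gidNumber of its primary group fall inside the configured range; the directory entries below are constructed sample data.

```python
import re

# Constructed sample data: the two idmap range lines from the posted
# smb.conf, plus a made-up directory export using AD/RFC2307 attribute names.
SMB_CONF = """
idmap config EXAMPLE : range = 1001 - 200000
idmap config * : range = 1000000 - 1999999
"""
# Keyed by RID; 513 is the well-known RID of 'Domain Users'.
GROUPS = {513: {"cn": "Domain Users", "gidNumber": None}}
USERS = [
    {"sAMAccountName": "alice", "uidNumber": 1101, "primaryGroupID": 513},
    {"sAMAccountName": "bob", "uidNumber": 250000, "primaryGroupID": 513},
]

def idmap_range(conf, domain):
    """Return (low, high) from 'idmap config DOMAIN : range = low - high'."""
    pat = re.compile(
        r"^\s*idmap config\s+%s\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$"
        % re.escape(domain), re.M)
    m = pat.search(conf)
    if not m:
        raise ValueError("no idmap range for domain %s" % domain)
    return int(m.group(1)), int(m.group(2))

def check_users(users, groups, low, high):
    """Map each account name to its list of problems (empty = mappable).

    Assumption (from the reply above, not verified against winbind here):
    both the user's uidNumber and the primary group's gidNumber must be set
    and lie inside the domain's idmap range.
    """
    def in_range(n):
        return n is not None and low <= n <= high
    report = {}
    for u in users:
        problems = []
        if not in_range(u.get("uidNumber")):
            problems.append("uidNumber missing or outside range")
        grp = groups.get(u.get("primaryGroupID"))
        if grp is None or not in_range(grp.get("gidNumber")):
            problems.append("primary group has no gidNumber inside range")
        report[u["sAMAccountName"]] = problems
    return report

if __name__ == "__main__":
    low, high = idmap_range(SMB_CONF, "EXAMPLE")
    for name, problems in check_users(USERS, GROUPS, low, high).items():
        print(name, "OK" if not problems else "; ".join(problems))
```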



