[Samba] Windows pre-requisites for login with winbind?

Mgr. Peter Tuharsky tuharsky at misbb.sk
Fri Aug 25 14:03:08 UTC 2017


I'm following this thread because I'm trying to use Linux member server
(Debian 9) and use Windows AD users in Linux (filesystem etc).

It seems I have working Kerberos and to a degree, Winbind too, because both

wbinfo -u

wbinfo -g

give me valid and complete results.

However I'm stuck with NIS.

First I attempted to use AD idmap with settings (smb.conf)

idmap config * : backend = tdb
idmap config * : range = 3000-9999
idmap config DOMAIN : backend = ad
idmap config DOMAIN : schema_mode = rfc2307
idmap config DOMAIN : range = 10000-9999999
idmap_ldb:use rfc2307 = yes

winbind nss info = rfc2307
winbind use default domain = true
winbind enum users = yes
winbind enum groups = yes

When I issue

#getent group

I get only few groups with nonempty gidnumber attribute. This I can
understand, but

#getent passwd

dosen't bring me any AD user, althought they all have valid uidnumber
attribute that is well inside the idmap range.

Now, I also try to use RID, as it seems better to go this way, however
it dosen't work for me either, and it still displays only those groups
as before, and they still have gidnumber from AD, not the computed one
from RID.

It seems I'm missing something.

Dňa 24.08.2017 o 14:48 Rowland Penny via samba napísal(a):
> On Thu, 24 Aug 2017 12:26:11 +0000
> "A. James Lewis" <james at fsck.co.uk> wrote:
>> Well, network connectivity to the other DC would probably also be
>> required... and I don't have that currently... so there's the first
>> hurdle... but thanks for confirming that there's no other
>> configuration required.
>> I'm slightly surprised that the smb.conf does not require the full
>> realm name like "DOMAIN2.LOCAL" somewhere in there.
> No you only need it for the realm the Unix domain member is joined to.
> Rowland

More information about the samba mailing list