[Samba] Issues post AD migration

Praveen Ghimire PGhimire at sundata.com.au
Fri Apr 13 09:56:34 UTC 2018

Hi Rowland,

The issue seems to be due to the groups that decided not to show up in AD. Strangely, even when we added a group with the same name in AD, it didn't resolve the issue, even though smb.conf dictates that the user has to be a member of a group with that name. Using getent group, we can see the group. Does Samba hold on to the SID of the group somehow?

Is there a way to get those lost groups in AD;)


Praveen Ghimire

-------- Original message --------
From: Rowland Penny via samba <samba at lists.samba.org>
Date: 12/04/2018 9:21 PM (GMT+10:00)
To: samba at lists.samba.org
Subject: Re: [Samba] Issues post AD migration

On Thu, 12 Apr 2018 10:48:04 +0000
Praveen Ghimire <PGhimire at sundata.com.au> wrote:

> Hi Rowland,
> I added the following,  reloaded the samba configs, joined the member
> server to the AD domain again
> [global]
>         netbios name = FS01
>         security = ADS
>         workgroup = TESTDOM
>         realm = TESTDOM.GROUP
>         idmap config * : backend = tdb
>         idmap config * : range = 3000-7999
>         winbind use default domain = yes
>         winbind enum users = yes
>         winbind enum groups = yes
>         idmap config TESTDOM:backend = ad
>         idmap config TESTDOM:schema_mode = rfc2307
>         idmap config TESTDOM:range = 10000-999999
> I get the following
> create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
> [2018/04/12 20:20:34.389732,  0]
> passdb/lookup_sid.c:1684(get_primary_group_sid) Failed to find a Unix
> account for peteruser 'TESTDOM\pghimire' (from session setup) not
> permitted to access this share (data)
> Just to confirm getent is working
> getent group gives me all the groups in AD DC
> allowed rodc password replication group:x:3012:
> enterprise read-only domain controllers:x:3013:
> denied rodc password replication group:x:3008:krbtgt
> read-only domain controllers:x:3014:
> group policy creator owners:x:3007:administrator
> ras and ias servers:x:3015:
> domain controllers:x:3016:
> enterprise admins:x:3009:administrator

Hmm, where is 'Domain Users'? And the groups are (rightly) being mapped
to the '*' domain.

Does 'Domain Users' have a 'gidNumber' attribute containing a number
inside the '10000-999999' range ?
Do your users have a 'uidNumber' attribute containing a unique number
inside the same range ?

What version of Samba are you using ?
If it is less than 4.6.0 then you also need this line:

winbind nss info = rfc2307

From 4.6.0 it is replaced by:

idmap config TESTDOM : unix_nss_info = yes
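The check Rowland is asking for (is each group's gid coming out of the AD rfc2307 range, or was it allocated from the '*' tdb range because the object has no gidNumber?) can be scripted against the smb.conf and getent output. The following is an added example written for this thread, not code from the list or from Samba; the smb.conf fragment and the getent group lines are constructed samples that mirror the ranges and gids quoted above (the 'finance' group and its gid are invented to show the healthy case).

```python
import re
from typing import Dict, List, Tuple

# Constructed smb.conf fragment using the same idmap ranges as the thread.
SMB_CONF = """
[global]
        workgroup = TESTDOM
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config TESTDOM:backend = ad
        idmap config TESTDOM:schema_mode = rfc2307
        idmap config TESTDOM:range = 10000-999999
"""

# Constructed 'getent group' output: the first three gids fall in the '*' range
# (as in the thread), 'finance' is an invented group with an AD-assigned gidNumber.
GETENT_GROUP = """\
domain users:x:3017:
domain controllers:x:3016:
enterprise admins:x:3009:administrator
finance:x:10500:pghimire
"""

# Matches 'idmap config <domain> : <key> = <value>' with or without spaces around ':'.
IDMAP_RE = re.compile(r"^\s*idmap config\s+([^\s:]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.M)

Ranges = Dict[str, Tuple[int, int]]


def parse_idmap_ranges(conf: str) -> Ranges:
    """Return {idmap_domain: (low, high)} for every 'range' setting in smb.conf."""
    ranges: Ranges = {}
    for dom, key, value in IDMAP_RE.findall(conf):
        if key.lower() == "range":
            low, high = (int(x) for x in value.split("-"))
            ranges[dom] = (low, high)
    return ranges


def overlapping_ranges(ranges: Ranges) -> List[Tuple[str, str]]:
    """List pairs of idmap domains whose ranges overlap (winbind rejects that)."""
    doms = sorted(ranges)
    return [
        (a, b)
        for i, a in enumerate(doms)
        for b in doms[i + 1:]
        if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]
    ]


def classify_groups(getent: str, ranges: Ranges) -> Dict[str, str]:
    """Map each group in 'getent group' output to the idmap domain owning its gid."""
    owner_by_group: Dict[str, str] = {}
    for line in getent.splitlines():
        if not line.strip():
            continue
        name, _pw, gid, _members = line.split(":", 3)
        gid_num = int(gid)
        owner = "unmapped"  # gid outside every configured range
        for dom, (low, high) in ranges.items():
            if low <= gid_num <= high:
                owner = dom
        owner_by_group[name] = owner
    return owner_by_group


def groups_without_ad_gid(getent: str, conf: str, ad_domain: str) -> List[str]:
    """Groups that were allocated from the '*' tdb range instead of the AD range.

    With 'idmap config <DOM>:backend = ad', a gid inside the '*' range means
    winbind found no usable gidNumber on the AD object (Rowland's point above).
    """
    owners = classify_groups(getent, parse_idmap_ranges(conf))
    return [g for g, dom in owners.items() if dom == "*" and ad_domain in conf]


if __name__ == "__main__":
    rng = parse_idmap_ranges(SMB_CONF)
    print("ranges:", rng, "overlaps:", overlapping_ranges(rng))
    for group, dom in classify_groups(GETENT_GROUP, rng).items():
        print(f"{group!r}: gid owned by idmap domain {dom!r}")
    print("missing gidNumber in AD:", groups_without_ad_gid(GETENT_GROUP, SMB_CONF, "TESTDOM"))
```

Run it against the real files with `testparm -s` output and `getent group`; any group listed by groups_without_ad_gid is one whose AD object needs a gidNumber inside the TESTDOM range before the 'valid users' check in smb.conf can match it.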
