[Samba] ADS Domain Member - getent problem

Rowland Penny rpenny at samba.org
Wed Jan 10 18:31:34 UTC 2018 

On Wed, 10 Jan 2018 18:43:37 +0100
Franz Gansberger via samba <samba at lists.samba.org> wrote:

> Hello List,
> I'm running a Samba ADS on Debian 9, Samba version 4.5.12-Debian.
> Right now I'll try to add a Domain member - also running Samba
> version 4.5.12-Debian. Thanks to Loius and Rowland, this howto guided
> me a lot in the right direction:
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> 
> But right now I'll get stuck. It seems that the configuration is ok -
> AD-members are successfully joined, I can ping via "wbinfo
> --ping-dc", all the tests regarding name resolution are working, and
> of course I'll get the complete list of users and groups via wbinfo
> -u or wbinfo -g on the member servers.  :-) 
> 
> The users are maintained via ADUC on the DC, and every user and group
> has its UID assignd.
> 
> Surprisingly only "getent group" generates the list of groups with
> the correct ID's on the domain members. I tried this at two different
> members. "getent passwd demo1" (or "getent passwd "H950\demo1"")
> generates nothing.

From your smb.conf below, 'getent passwd demo1' should work.

> 
> 
> This is the config file from the domain member - smb.conf
> 
> [global]
> 	   security = ADS
> 	   workgroup = H950
> 	   realm = H950.SOME.DOMAIN
> 	   log file = /var/log/samba/%m.log
> 	   log level = 5
> 
> #map untrusted to domain = Yes
> 
> 	  # Default idmap config for local BUILTIN accounts and groups
> 	 idmap config * : backend = tdb
> 	  idmap config * : range = 20000-20999
> 
> 	   idmap config H950:default = true
> 	   idmap config H950:schema mode = rfc2307
> 	   idmap config H950:backend = ad
> 	   idmap config H950:range = 500-9999
> 	   idmap config H950:unix_nss_info = yes
> 	   idmap config H950:unix_primary_group = yes
> 	   winbind nss info = rfc2307

You are using Samba 4.5.12, the above setup is for 4.6.x

Change the 'idmap config H950' block to this:

	   idmap config H950:backend = ad
	   idmap config H950:schema mode = rfc2307
	   idmap config H950:range = 500-9999
	   winbind nss info = rfc2307

Ensure that Domain Users has a gidNumber attribute contain a number
inside the '500-9999' range (I may have already said this, but
'500-9999' isn't a good range to use)

> 
> 	   username map = /etc/samba/user.map
> 	   acl allow execute always = True
> 	   unix charset = UTF8
> 
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes

You do not need the 'winbind enum' lines, the only thing they really do
is slow Samba down.

> winbind refresh tickets = yes

You should also add:

    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

Rowland

More information about the samba mailing list