[Samba] ADS Domain Member - getent problem

Rowland Penny rpenny at samba.org
Wed Jan 10 20:08:31 UTC 2018


On Wed, 10 Jan 2018 20:58:25 +0100
Franz Gansberger via samba <samba at lists.samba.org> wrote:

> Hi,
> after additional tests, and following another (earlier) hint from
> Louis regarding his repository I did a quick update (over the old
> version, quick and dirty) to Samba version 4.6.7-Debian - and voilà:
> After rejoining this new member server to the domain H950 (it was a
> clone from the original one) this funny piece of software is showing
> all the users from the DC! :-)
> 
> Thank you Louis!
> Franz
> 
> >>> Franz Gansberger 10.01.2018 18:43 >>>
> Hello List,
> I'm running a Samba ADS on Debian 9, Samba version 4.5.12-Debian.
> Right now I'll try to add a Domain member - also running Samba
> version 4.5.12-Debian. Thanks to Louis and Rowland, this howto guided
> me a lot in the right direction:
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> 
> But right now I'll get stuck. It seems that the configuration is ok -
> AD-members are successfully joined, I can ping via "wbinfo
> --ping-dc", all the tests regarding name resolution are working, and
> of course I'll get the complete list of users and groups via wbinfo
> -u or wbinfo -g on the member servers.  :-) 
> 
> The users are maintained via ADUC on the DC, and every user and group
> has its UID assigned.
> 
> Surprisingly only "getent group" generates the list of groups with
> the correct IDs on the domain members. I tried this at two different
> members. "getent passwd demo1" (or "getent passwd "H950\demo1"")
> generates nothing.
> 
> 
> This is the config file from the domain member - smb.conf
> 
> [global]
> 	   security = ADS
> 	   workgroup = H950
> 	   realm = H950.SOME.DOMAIN
> 	   log file = /var/log/samba/%m.log
> 	   log level = 5
> 
> #map untrusted to domain = Yes
> 
> 	  # Default idmap config for local BUILTIN accounts and groups
> 	 idmap config * : backend = tdb
> 	  idmap config * : range = 20000-20999
> 
> 	   idmap config H950:default = true
> 	   idmap config H950:schema mode = rfc2307
> 	   idmap config H950:backend = ad
> 	   idmap config H950:range = 500-9999
> 	   idmap config H950:unix_nss_info = yes
> 	   idmap config H950:unix_primary_group = yes
> 	   winbind nss info = rfc2307
> 
> 	   username map = /etc/samba/user.map
> 	   acl allow execute always = True
> 	   unix charset = UTF8
> 
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = yes
> 
> 
> 
> Is there anything I'm missing? Or mixing up? I'm sure ... ;-)
> 
> Thank you guys for your work!
> Kind regards
> Franz
> 
> 
> 

Well, yes that is the other way of doing things, make the software
version match the smb.conf ;-)

You still need these lines:

    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

Rowland
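
The version mismatch discussed in this thread can be checked before a member is joined. The following is an added example, not code from the thread or from the Samba project; it assumes (the thread does not say so) that the idmap_ad options unix_nss_info and unix_primary_group first appeared in Samba 4.6.0, and the sample smb.conf is constructed from the options quoted above.

```python
import re

# Assumption, not stated in the thread: minimum Samba release that
# understands each of these per-domain idmap_ad options.
MIN_VERSION = {"unix_nss_info": (4, 6, 0), "unix_primary_group": (4, 6, 0)}

IDMAP_RE = re.compile(
    r"^idmap config\s+(?P<dom>[^:\s]+)\s*:\s*(?P<opt>[^=]+?)\s*=\s*(?P<val>.*)$",
    re.IGNORECASE,
)

# Constructed sample, reduced from the smb.conf quoted in the thread.
SAMPLE_CONF = """
[global]
    security = ADS
    workgroup = H950
    # idmap config H950:commented_out = yes
    idmap config * : backend = tdb
    idmap config * : range = 20000-20999
    idmap config H950:schema mode = rfc2307
    idmap config H950:backend = ad
    idmap config H950:range = 500-9999
    idmap config H950:unix_nss_info = yes
    idmap config H950:unix_primary_group = yes
"""

def parse_version(text):
    """Extract (major, minor, patch) from a string such as '4.5.12-Debian'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError("no x.y.z version found in %r" % text)
    return tuple(int(part) for part in m.groups())

def idmap_options(conf_text):
    """Return (domain, option, value) for every active 'idmap config' line."""
    found = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # skip blanks and comments
            continue
        m = IDMAP_RE.match(line)
        if m:
            found.append((m["dom"], m["opt"].strip().lower(), m["val"].strip()))
    return found

def too_new_options(conf_text, version_text):
    """List (domain, option) pairs the given Samba version predates."""
    ver = parse_version(version_text)
    return [(dom, opt) for dom, opt, _ in idmap_options(conf_text)
            if opt in MIN_VERSION and ver < MIN_VERSION[opt]]

if __name__ == "__main__":
    for version in ("4.5.12-Debian", "4.6.7-Debian"):
        print(version, too_new_options(SAMPLE_CONF, version))
```
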


