[Samba] Issue when adding an user to group

Rowland Penny rpenny at samba.org
Tue Mar 20 10:37:19 UTC 2018

On Tue, 20 Mar 2018 11:02:46 +0100
Oliver Werner via samba <samba at lists.samba.org> wrote:

> Hello everybody,
> we have an issue with our Samba instance, an AD member used as a fileserver.
> When I add a user to a group, the user is added without
> problems.
> I can verify on our two domain controllers that the user is in the
> group with wbinfo -r <user>.
> Now when I check it on the member (fileserver), the user is not
> in the group.
> Does anyone have an idea what we’ve misconfigured?
> Our DCs and member are running Samba 4.7.6.
> Here is the configuration of our fileserver:
>        winbind trusted domains only = no

You don't need the above, it is the default

>        winbind enum users  = yes
>        winbind enum groups = yes

You do not need the above two lines, they only do two things:
One: make 'getent passwd' & 'getent group' show lists of Domain users &
Two: Slow things down if you have a lot of users & groups.
'getent' will work without them.

>        winbind cache time = 300

You don't really need the above, it is the default

>        # idmap config for domain HQ
>        idmap config HQ:backend = ad
>        idmap config HQ:schema_mode = rfc2307
>        idmap config HQ:range = 1024-99999
>        # Use settings from AD for login shell and home directory
>        winbind nss info = rfc2307

Things changed with the release of 4.6.0, you should replace 'winbind
nss info = rfc2307' with:

idmap config HQ:unix_nss_info = yes

See here for more info:


You might want to also read the paragraph above it:


It explains the reason for your problem.
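
The review given in the reply above, expressed as a small smb.conf check. This is an added example, not part of the original email or of Samba; `parse_global`, `review` and `SAMPLE_SMB_CONF` are hypothetical names, and the findings encode only the advice stated in this message.

```python
import re

# Constructed sample: the member-server settings quoted in the thread above.
SAMPLE_SMB_CONF = """\
[global]
    winbind trusted domains only = no
    winbind enum users  = yes
    winbind enum groups = yes
    winbind cache time = 300
    idmap config HQ:backend = ad
    idmap config HQ:schema_mode = rfc2307
    idmap config HQ:range = 1024-99999
    winbind nss info = rfc2307
"""

def parse_global(text):
    """Return {lower-cased parameter: value} for the [global] section."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def review(text):
    """Return findings that follow the advice given in the reply above."""
    p, findings = parse_global(text), []
    for key, default in (("winbind trusted domains only", "no"),
                         ("winbind cache time", "300")):
        if p.get(key, "").lower() == default:
            findings.append(f"{key}: equals the default, line can be dropped")
    for key in ("winbind enum users", "winbind enum groups"):
        if p.get(key, "").lower() == "yes":
            findings.append(f"{key}: only affects getent listings, slows large domains")
    ad = [k[13:-8] for k, v in p.items()   # domains whose idmap backend is 'ad'
          if k.startswith("idmap config ") and k.endswith(":backend") and v.lower() == "ad"]
    for dom in ad if "winbind nss info" in p else []:
        if p.get(f"idmap config {dom}:unix_nss_info", "").lower() != "yes":
            findings.append(f"winbind nss info: since 4.6.0 set "
                            f"'idmap config {dom.upper()}:unix_nss_info = yes' instead")
    return findings

if __name__ == "__main__":
    print("\n".join(review(SAMPLE_SMB_CONF)))
```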

