[Samba] getenv does not return any AD DOMAIN users or groups - ?nsswitch is not setup for Samba?

Rowland Penny rpenny at samba.org
Sun Nov 18 09:48:14 UTC 2018

On Sat, 17 Nov 2018 22:54:43 +0000
"Barry D. Adkins" <Barry at daram.com> wrote:

> > The problem is that getenv does not return any AD domain users or
> > groups. From much research this seems to be because nsswitch is not
> > setup for Samba.
> >>I take it you mean 'getent'
> > The Libnss winbind Links Wiki says to do this:
> >
> > # smbd -b | grep LIBDIR  >>> smdb... doesn't work
> >>On Ubuntu it wouldn't, but this should:
> >>sudo smbd -b | grep LIBDIR
> >>   LIBDIR: /usr/lib/x86_64-linux-gnu

> Glad I'm not a betting man, because I thought I did that and it
> didn't work. Anyway it does now, probably me, working through all the
> setup, things don't go exactly like the wiki's and other internet
> helpful articles.

What is wrong with the Samba wiki, what didn't go exactly like the
wiki ?

> This is what reports LIBDIR: /usr/lib/x86_64-linux-gnu
> > # ln
> > -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/x86_64-linux-gnu/ #
> > ln
> > -s /lib/x86_64-linux-gnu/libnss_winbind.so.2 /lib/x86_64-linux-gnu/libnss_winbind.so
> > # ldconfig
> IS /usr/lib/x86_64linux-gnu   ???

Yes, you only need to carry out those commands if you compile Samba
yourself, there are usually distro packages to do it for you.

> > Samba config:
> >
> > [global]
> > dns forwarder = my.DNS.ip.address
> >>Why have you got a line that should only be in a DC smb.conf ?
> I was following instructions from some web article.  I removed it
> based on your comment.

I can only recommend following the Samba wiki, there are usually errors
on most web articles.

> > winbind use default domain = Yes
> > workgroup = DOMAIN
> > idmap config DOMAIN : range = 50000-1000000
> >>Does the 'Domain Users' group have a gidNumber attribute containing
> >>a number inside the range above ?
> >>Do your users have a uidNumber attribute containing a unique number
> >>inside the same range ?
> Well, I'm not certain.  I used Windows System tools to examine SIDs
> on the Domain Controller, but I have not found how or for sure if a
> SID can be converted to a UID. To be clear, getent passwd reports
> many entries, but NONE from Active Directory, same for groups.

If you are not certain if you have uidNumber & gidNumber attributes, I
am fairly sure you haven't, YOU have to add them.

> This whole "exercise" was begun because of the failure of this
> command: chown root:"Domain Admins" /srv/samba/filestore/
> chown: invalid group: 'root:Domain Admins'
> I created /srv/samba/filestore/ to share, and in fact it is shared,
> but I have not been able to set permissions per this WIKI:
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> It's still not working, but I will continue to research the
> SID/UID/GID world.

Two different worlds, well sort of, the SID defines the Domain, but at
the end of the SID is the RID, this is a unique number that identifies
the AD object, it is meaningless to a Unix domain member.

To get a Unix UID or GID, there are two main methods, using the 'ad' or
'rid' winbind backends. The 'ad' backend relies on you adding
'uidNumber & gidNumber attributes to user & group objects in AD.
The 'rid' backend calculates the ID's from the 'RID', this way you do
not need to add anything to AD, but note this will not work on a Samba
AD DC, it only works on Unix domain members.


More information about the samba mailing list