[Samba] Winbind issues with AD member file server

Rowland penny rpenny at samba.org
Tue Jul 9 17:58:52 UTC 2019

On 09/07/2019 18:38, Eric Shell via samba wrote:
> I am setting up a CentOS 7 system as a file server within an AD domain,
> following the following Red Hat documentation:
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-file_and_print_servers
> Here is some information that likely complicates things:
> - we have a number of users and groups with sub-1000 uid or gid numbers
> which can't easily be addressed
> - the system is integrated into an OpenLDAP service but UNIX attributes are
> replicated to AD from OpenLDAP so uid and gid values match across all users
> and groups
> - the system's samba shares are themselves NFS-mounted from a ZFS file
> server
> --------------------------------------------------------------------------------
> Thus far I've done the following:
> 1. installed packages - realmd oddjob-mkhomedir oddjob
> samba-winbind-clients samba-winbind samba-common-tools samba
> samba-winbind-krb5-locator
> 2. joined the AD domain with "realm join" and the --automatic-id-mapping=no
> option, as we wish to use uidNumber and gidNumber attributes we've added to
> users and groups in AD
> 3. at this point I attempted to query AD records but couldn't, so I updated
> /etc/krb5.conf to set the default realm and to add the "dns_lookup_kdc =
> true" option, which allowed me to kinit successfully but still not see
> records
> 4. I added the following two idmap configuration options to
> /etc/samba/smb.conf and was then able to retrieve user and group records
> from AD, but the group members aren't included:
> idmap config BSOE : unix_nss_info = yes
> idmap config BSOE : unix_primary_group = yes
> # getent passwd BSOE\\eshell
> BSOE\eshell:*:3392:325::/soe/eshell:/bin/bash
> # getent group "BSOE\\staff-group"
> BSOE\staff-group:x:552:
> 5. I've found that querying some groups returns no information, perhaps
> because of low gidNumber values (BSOE\staff-group has gidNumber 552):
> # getent group "BSOE\\staff-group"
> #
> 6. I tried changing the idmap config range from 500-999999 to 100-999999
> but it doesn't seem to affect these queries.
> --------------------------------------------------------------------------------
> Some things appear to be working properly.  I can "su - BSOE\\eshell" and I
> am able to mount and access the NFS directories appropriately.  "id eshell"
> and "id BSOE\\eshell" return the same information.  I can also successfully
> authenticate to samba with my AD account, but then I am told that there are
> no available shares.  I'm guessing that this is related to the NSS group
> issues I'm having.
> Why can't I see the members of some groups?  How do I debug this behavior?
> Why isn't samba able to mount the NFS shares after a user has authenticated
> when I can do so in a shell by becoming that user on the samba host?
> Thanks in advance for any help you can provide.

Let's start with the easiest part: can you post your smb.conf?
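One thing worth checking before the smb.conf arrives is whether the IDs that fail to resolve even fall inside the configured idmap range, since winbind will not map a uidNumber or gidNumber that lies outside the range of the domain's idmap backend (step 6 of the post is already poking at this). The script below is an added example written for this thread, not code from the Samba project or from either poster; the smb.conf fragment, the BSOE domain name, the rfc2307 backend and the range values in it are constructed assumptions, and the `idmap_range`, `id_in_range` and `check_id` function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): check whether a uid/gid falls inside
# the "idmap config <DOMAIN> : range" of an smb.conf-style file.
# A group with a low gidNumber can be invisible to getent even though its
# rfc2307 attributes are populated in AD, simply because the ID is below
# the range winbind has been told to map.

# Constructed sample configuration; domain, backend and ranges are assumptions.
SAMPLE_CONF=$(cat <<'EOF'
[global]
   workgroup = BSOE
   security = ads
   idmap config * : backend = tdb
   idmap config * : range = 10000-19999
   idmap config BSOE : backend = rfc2307
   idmap config BSOE : range = 1000-999999
   idmap config BSOE : unix_nss_info = yes
   idmap config BSOE : unix_primary_group = yes
EOF
)

# idmap_range CONF_TEXT DOMAIN -> prints "low high" for that domain's range
# (DOMAIN may be the literal "*" for the default backend).
idmap_range() {
    printf '%s\n' "$1" | awk -v dom="$2" '
        BEGIN { pat = (dom == "*") ? "\\*" : tolower(dom) }
        tolower($0) ~ "^[ \t]*idmap config " pat "[ \t]*:[ \t]*range[ \t]*=" {
            sub(/^[^=]*=[ \t]*/, "")        # keep only "low-high"
            split($0, parts, "-")
            print parts[1] + 0, parts[2] + 0
        }'
}

# id_in_range CONF_TEXT DOMAIN ID -> 0 if ID lies within the range,
# 1 if it is outside, 2 if no range is configured for DOMAIN.
id_in_range() {
    range=$(idmap_range "$1" "$2")
    [ -n "$range" ] || return 2
    low=${range%% *}
    high=${range##* }
    [ "$3" -ge "$low" ] && [ "$3" -le "$high" ]
}

# check_id CONF_TEXT DOMAIN ID -> prints a verdict; returns id_in_range's status
check_id() {
    id_in_range "$1" "$2" "$3"
    rc=$?
    case $rc in
        0) echo "id $3 is inside the '$2' idmap range: winbind can map it" ;;
        1) echo "id $3 is OUTSIDE the '$2' idmap range: winbind will not map it; widen the range or renumber" ;;
        *) echo "no 'idmap config $2 : range' line found" ;;
    esac
    return $rc
}

# Usage: the uid from the post resolves, the 552 gid from the post does not.
check_id "$SAMPLE_CONF" BSOE 3392
check_id "$SAMPLE_CONF" BSOE 552 || true
```

Run it against a real file with `SAMPLE_CONF=$(cat /etc/samba/smb.conf)`; `testparm -s` output is easier to feed in than the raw file because it prints the effective, merged configuration. An ID that is in range but still does not resolve points elsewhere (backend choice, missing attributes, or a stale winbind cache), which is exactly why the smb.conf itself is the next thing to look at.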
