[Samba] Winbind issues with AD member file server

Christian Naumer cn at brain-biotech.de
Tue Jul 9 19:21:02 UTC 2019

In CentOS there is also /etc/pam.d/system-auth (and another file I can't remember); there is a restriction to only allow uids > 1000. Maybe this is part of your problem?


On 9 July 2019 19:38:22 CEST, Eric Shell via samba <samba at lists.samba.org> wrote:
>I am setting up a CentOS 7 system as a file server within an AD domain,
>following the following Red Hat documentation:
>Here is some information that likely complicates things:
>- we have a number of users and groups with sub-1000 uid or gid numbers
>which can't easily be addressed
>- the system is integrated into an OpenLDAP service but UNIX attributes
>replicated to AD from OpenLDAP so uid and gid values match across all
>and groups
>- the system's samba shares are themselves NFS-mounted from a ZFS file
>Thus far I've done the following:
>1. installed packages - realmd oddjob-mkhomedir oddjob
>samba-winbind-clients samba-winbind samba-common-tools samba
>2. joined the AD domain with "realm join" and the
>option, as we wish to use uidNumber and gidNumber attributes we've
>added to
>users and groups in AD
>3. at this point I attempted to query AD records but couldn't, so I
>/etc/krb5.conf to set the default realm and to add the "dns_lookup_kdc
>true" option, which allowed me to kinit successfully but still not see
>4. I added the following two idmap configuration options to
>/etc/samba/smb.conf and was then able to retrieve user and group
>from AD, but the group members aren't included:
>idmap config BSOE : unix_nss_info = yes
>idmap config BSOE : unix_primary_group = yes
># getent passwd BSOE\\eshell
># getent group "BSOE\\staff-group"
>5. I've found that querying some groups returns no information, perhaps
>because of low gidNumber values (BSOE\staff-group has gidNumber 552):
># getent group "BSOE\\staff-group"
>6. I tried changing the idmap config range from 500-999999 to
>but it doesn't seem to affect these queries.
>Some things appear to be working properly.  I can "su - BSOE\\eshell"
>and I
>am able to mount and access the NFS directories appropriately.  "id
>and "id BSOE\\eshell" return the same information.  I can also
>authenticate to samba with my AD account, but then I am told that there
>no available shares.  I'm guessing that this is related to the NSS
>issues I'm having.
>Why can't I see the members of some groups?  How do I debug this
>Why isn't samba able to mount the NFS shares after a user has
>when I can do so in a shell by becoming that user on the samba host?
>Thanks in advance for any help you can provide.

Dr. Christian Naumer
Unit Head Bioprocess Development
B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.de, homepage www.brain-biotech.de
fon +49-6251-9331-30  /   fax +49-6251-9331-11

Registered office: Zwingenberg/Bergstrasse
Register court: AG Darmstadt, HRB 24758
Executive board: Dr. Juergen Eck (chairman), Manfred Bender,
Ludger Roedder
Chairman of the supervisory board: Dr. Georg Kellinghusen
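An added diagnostic script, not from this thread or from the Samba project, that checks one uid against the smb.conf idmap range Eric mentions in point 6 and against the "uid >= 1000" pam_succeed_if rule in a CentOS 7 style /etc/pam.d/system-auth that Christian points to. The smb.conf and PAM excerpts are constructed samples; only the BSOE domain and the 500-999999 range come from the post, everything else is assumed.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): check a uid against the smb.conf
# idmap range for the domain and against the "uid >= 1000" pam_succeed_if
# rule of a CentOS 7 style /etc/pam.d/system-auth. Both excerpts are
# constructed; only the BSOE domain and the 500-999999 range are from the post.
SMB_CONF_SAMPLE='[global]
   idmap config * : range = 3000-7999
   idmap config BSOE : backend = ad
   idmap config BSOE : range = 500-999999
   idmap config BSOE : unix_nss_info = yes
   idmap config BSOE : unix_primary_group = yes'
PAM_SAMPLE='auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_winbind.so cached_login use_first_pass
account     sufficient    pam_succeed_if.so uid < 1000 quiet'
# idmap_range CONF DOMAIN: print "LOW HIGH" from "idmap config DOMAIN : range"
idmap_range() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        key=$(printf '%s' "${line%%=*}" | tr -d ' \t')
        if [ "$key" = "idmapconfig$2:range" ]; then
            val=$(printf '%s' "${line#*=}" | tr -d ' \t')
            printf '%s %s\n' "${val%-*}" "${val#*-}"
        fi
    done
}
# in_range UID LOW HIGH: succeed when LOW <= UID <= HIGH
in_range() { [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]; }
# pam_min_uid PAMCONF: print N from the first "pam_succeed_if.so uid >= N"
pam_min_uid() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case $line in *pam_succeed_if.so*"uid >= "*)
            rest=${line#*"uid >= "}; printf '%s\n' "${rest%% *}"; break ;;
        esac
    done
}
# diagnose UID SMBCONF PAMCONF DOMAIN: report; return 0 only if nothing blocks
diagnose() {
    uid=$1 conf=$2 pam=$3 dom=$4 ok=0
    set -- $(idmap_range "$conf" "$dom")
    [ -n "$2" ] || { echo "no idmap range for $dom in smb.conf"; return 1; }
    if in_range "$uid" "$1" "$2"; then echo "uid $uid inside idmap range $1-$2"
    else echo "uid $uid OUTSIDE idmap range $1-$2: winbind cannot map it"; ok=1; fi
    min=$(pam_min_uid "$pam")
    if [ -n "$min" ] && [ "$uid" -lt "$min" ]; then
        echo "uid $uid below pam_succeed_if uid >= $min: auth stops before pam_winbind"; ok=1
    fi
    return $ok
}
diagnose 552 "$SMB_CONF_SAMPLE" "$PAM_SAMPLE" BSOE || :   # 552 from the post; warns
```

To run it against a real host, feed the output of `cat /etc/samba/smb.conf` and `cat /etc/pam.d/system-auth` in place of the two sample strings and the uid that `id` reports for the user.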
