[Samba] chown and AD users

Rowland Penny rpenny at samba.org
Mon Jun 3 14:58:23 UTC 2019


On 03/06/2019 15:17, Nico wrote:
> Sorry, I forgot to specify: it's on a Samba AD DC (v4.10.3 and CentOS 
> 7).
>
> My smb.conf :
>
> [global]
>     server role = active directory domain controller
>     netbios name = server_name
>     realm = DOMAIN.LAN
>     workgroup = DOMAIN
>
>     server services = -dns
>
>     idmap_ldb:use rfc2307 = yes
>
>     bind interfaces only = yes
>     interfaces = p3p1
>
Nothing wrong with the lines above
>     idmap config DOMAIN:range = 600-4000000
>     idmap config DOMAIN:backend = tdb
>     idmap uid = 600-4000000
>     idmap gid = 600-4000000
>
>     winbind gid = 600-4000000
>     winbind uid = 600-4000000

Well, if you are going to get it wrong, you might as well get it 
absolutely totally wrong ;-)

To put it another way, remove the lines above, they have no place in a 
Samba AD DC smb.conf

>     winbind enum groups = yes
>     winbind enum users = yes
Remove the lines above once you are sure everything is working correctly
>     winbind use default domain = yes
The line above doesn't work on a DC
>     winbind nested groups = yes
>     winbind refresh tickets = yes
>
>     vfs objects = acl_xattr
>     map acl inherit = yes
>     store dos attributes = yes
>
The three lines above definitely shouldn't be in a Samba DC smb.conf
>     log level = 3
>     log file = /var/log/samba/samba_ad.log
>     max log size = 50
>
> [sysvol]
>     path = /usr/local/samba/var/locks/sysvol
>     read only = No
>
> [netlogon]
>     path = /usr/local/samba/var/locks/sysvol/ensim.univ-lemans.fr/scripts
>     read only = No
>
> My nsswitch.conf :
> passwd:     compat winbind
> shadow:     compat winbind
> group:      compat winbind
Remove 'winbind' from the 'shadow' line, it can cause problems and 
doesn't actually do anything.
>
> hosts:      files dns wins
>
AD runs on DNS, it doesn't use wins.

Do the libnss_winbind links exist?

Does 'getent passwd username' produce output?

Rowland
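
The comments in the reply above, turned into a small check that can be run against an smb.conf and nsswitch.conf. This is an added example, not part of the original message and not Samba code; the function names are hypothetical and the sample inputs are constructed from the configuration quoted in the thread.

```python
import re
# Comments from the reply, keyed by a regex over normalized [global] parameter names.
DC_ADVICE = [
    (r"idmap config .+|idmap [ug]id|winbind [ug]id", "no place in a Samba AD DC smb.conf"),
    (r"winbind use default domain", "doesn't work on a DC"),
    (r"vfs objects|map acl inherit|store dos attributes", "shouldn't be in a Samba DC smb.conf"),
    (r"winbind enum (users|groups)", "remove once everything is working correctly"),
]

def parse_global(text):  # {name: value} for [global]; names lowercased, spaces collapsed
    section, params = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[" ".join(name.lower().split())] = value.strip()
    return params

def lint_smb_conf(text):
    params = parse_global(text)
    if params.get("server role", "").lower() != "active directory domain controller":
        return []  # the comments apply to a DC only
    return [(n, why) for n in params for pat, why in DC_ADVICE if re.fullmatch(pat, n)]

def lint_nsswitch(text):
    findings = []
    for line in text.splitlines():
        db, _, sources = line.partition(":")
        if db.strip() == "shadow" and "winbind" in sources.split():
            findings.append(("shadow", "can cause problems and doesn't actually do anything"))
        if db.strip() == "hosts" and "wins" in sources.split():
            findings.append(("hosts", "AD runs on DNS, it doesn't use wins"))
    return findings

# Constructed samples, abbreviated from the configuration quoted in the message.
SAMPLE_SMB = """[global]
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes
    idmap config DOMAIN:backend = tdb
    winbind use default domain = yes
    vfs objects = acl_xattr
[sysvol]
    read only = No"""
SAMPLE_NSS = "passwd: compat winbind\nshadow: compat winbind\nhosts: files dns wins\n"
```
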




