[Samba] setting up a new ADS infrastructure

Rowland penny rpenny at samba.org
Thu Jun 13 18:02:27 UTC 2019


On 13/06/2019 18:21, Stefan Froehlich via samba wrote:
> I try to set up a small ADS infrastructure: 1 samba ADS-controller,
> 1 samba file server, 2 Linux and 6 Windows clients. Starting with
> controller and file server, quite a lot of things work, but not
> everything. Here it starts getting complicated: looking for manuals,
> googling for error messages leads to lots of different advice for
> different versions... not easy. There are open questions, but I am
> not sure where the best point to start is - I'll give it a try:
>
> File server and Linux clients shall use the AD-backend, so I read
> and followed <https://wiki.samba.org/index.php/Idmap_config_ad>.
> There it says:
>
> "Whichever setting you use, the group (or groups) set as the users
> primary group must have the gidNumber attribute set"

I thought that was plain enough, but obviously not ;-)

All domain users are members of the 'Domain Users' group as their 
primary group, and to make the group known to the Unix OS it must have a 
gidNumber attribute. Also, winbind relies on the group being known to the 
Unix OS; if it isn't, then (whatever you do) no users will be known to 
the Unix OS. There are very few domain users and groups that need to be 
known to Unix.

>
> If I look at the group "domain users" the gidNumber attribute is not
> set at all.  The group is created automatically while provisioning
> the server, and I can neither find an option to set the gid, nor a
> way to alter it later on. Can I?

By default, no rfc2307 attributes are added to AD, you have to do this 
manually. It used to be easy from Windows using the Unix Attributes tab 
in ADUC, but this has been removed from Windows 10.

The easiest way is to script around ldb-tools or ldap-utils.

>
> Just in case that the above text was the wrong question: The actual
> *practical* problem that hit me after installation is:
>
> | root at fileserver:~# net ads user -UAdministrator
> | Enter Administrator's password:
> | Guest
> | test
> | Administrator
> | krbtgt
> | root at fileserver:~# wbinfo -u
> | guest
> | test
> | administrator
> | krbtgt
> | root at fileserver:~# wbinfo -i test
> | failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> | Could not get info for user test
This should have worked.
> | root at fileserver:~# wbinfo -n test
> | S-1-5-21-734461581-300303633-3375534526-1120 SID_USER (1)
>
> I found the hint that I need resolving gidNumbers for accounts in
> order to work - and as this does not seem to be the case I try to
> resolve that first.
>
> (Of course, configuration or log files can be provided if helpful -
> there are just too many files on two machines, so I'd rather post
> what ever seems to be helpful. The only log message I consider
> relevant right now is in log.nmbd on the fileserver:
>
> | [2019/06/13 19:14:02.586604,  0]
> | ../source3/nmbd/nmbd_serverlistdb.c:340(write_browse_list)
> |   write_browse_list: Fatal error - cannot find my workgroup
> |   SAMDOM
>
> But again, googling this did not enlighten me, especially as:
>
> | root at herakles:~# net ads workgroup
> | Workgroup: SAMDOM
> | root at fileserver:~# net ads testjoin
> | Join is OK
>
> Any hints are welcome...
This is all very strange; let's start with the obvious: please post your 
smb.conf files and tell us what OS you are using.

Rowland
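As an added worked example of the "script around ldb-tools" suggestion above (this is not code from the thread or from the Samba project), the following POSIX shell script builds the LDIF that gives the built-in 'Domain Users' group a gidNumber and applies it with ldbmodify on the DC, then reads the attribute back with ldbsearch. The domain DN DC=samdom,DC=example,DC=com, the gidNumber value 10000 and the sam.ldb path are assumptions; the value you pick must fall inside the idmap config range you set for the AD backend on the file server and Linux clients.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): set gidNumber on
# 'Domain Users' so winbind's AD idmap backend can map domain users to Unix.
# Assumed values below; adjust them to your domain. Run as root on the AD DC
# with '--apply'; without it the script only defines the functions.

SAM_LDB="${SAM_LDB:-/var/lib/samba/private/sam.ldb}"   # assumed default sam.ldb path
BASE_DN="${BASE_DN:-DC=samdom,DC=example,DC=com}"        # assumed domain DN
DOMAIN_USERS_GID="${DOMAIN_USERS_GID:-10000}"            # assumed value inside the idmap range

# Emit an LDIF 'modify' that sets (or replaces) gidNumber on the given DN.
# Rejects non-numeric values and values below 1000 so a typo cannot collide
# with local system groups on the members.
gidnumber_ldif() {
    dn="$1"
    gid="$2"
    case "$gid" in
        ''|*[!0-9]*) echo "gidNumber must be numeric, got '$gid'" >&2; return 1 ;;
    esac
    if [ "$gid" -lt 1000 ]; then
        echo "refusing gidNumber $gid: below 1000 is reserved for local groups" >&2
        return 1
    fi
    printf 'dn: %s\nchangetype: modify\nreplace: gidNumber\ngidNumber: %s\n' "$dn" "$gid"
}

# Write the LDIF to a temporary file, apply it with ldbmodify against the
# local sam.ldb, then confirm with a base-scope ldbsearch that the attribute
# really has the expected value.
apply_gidnumber() {
    dn="$1"
    gid="$2"
    ldif=$(mktemp) || return 1
    if ! gidnumber_ldif "$dn" "$gid" > "$ldif"; then
        rm -f "$ldif"
        return 1
    fi
    ldbmodify -H "$SAM_LDB" "$ldif"
    rc=$?
    rm -f "$ldif"
    [ "$rc" -eq 0 ] || return 1
    ldbsearch -H "$SAM_LDB" -b "$dn" -s base gidNumber | grep -q "^gidNumber: $gid\$"
}

if [ "${1:-}" = "--apply" ]; then
    apply_gidnumber "CN=Domain Users,CN=Users,$BASE_DN" "$DOMAIN_USERS_GID" \
        && echo "Domain Users now has gidNumber $DOMAIN_USERS_GID"
fi
```

After the attribute is set, run 'net cache flush' on the file server and retry 'wbinfo -i test'; until the primary group resolves to a Unix GID the AD backend cannot return a passwd entry for any user, which matches the behaviour described in the thread. The same gidnumber_ldif function can be reused for any other group that needs to be visible to Unix, and setting uidNumber on users works the same way with 'replace: uidNumber'.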
