[Samba] Samba 4.4.8 AD member ads / nss fails to find group id

[Rowland Penny]

On Fri, 29 Mar 2019 12:19:27 -0400
"Thomas, David via samba" <samba at lists.samba.org> wrote:

> Rowland,
> 
> On 3/29/2019 9:59 AM, Rowland Penny via samba wrote:
> > Why are you using a winbind backend that maps Unix users to domain
> > users in an AD domain, when you should be making your AD users into
> > Unix users with a backend like the 'rid' or 'ad' ones.
> >
> > As for your problem, is winbind running ?  
> 
> Yes, winbind is running.
> 
> Thanks for getting me to reconsider that 'rid' or 'ad' backends, but
> I don't think they work in my situation
> 
> I have been using the nss backend because:
> 
> - On the server that I am setting up Samba, I have existing Unix
> users with existing uids and associated data on the file server
> - There is no usable uid information on the AD.
> - I have no permissions to modify the AD to set up user information.
> 
> I understood that the nss backend was intended for this situation.
> 
> It worked on another server set up the same way but running Samba
> 4.4.4.
> 
> 
> Thanks,
> David.

You are trying to do your user mapping in the wrong direction.

The nss backend was meant for the old way of doing things, when you
could have users in /etc/passwd and Samba. Nowadays you have all your
users in AD and make these into Unix users. The easiest way is to use
the 'rid' backend, but this will undoubtedly mean your Unix ID's will
change.
If you read 'man idmap_nss', you will find this line:

The idmap_nss plugin provides a means to map Unix users and groups to
Windows accounts.

This means that Unix users in /etc/passwd are mapped to the same
username in AD, the only problem with this is, you should not have
users in /etc/passwd and AD, the users in /etc/passwd will be used
first.

If, as is very likely, you have users in /etc/passwd and AD, I would
strongly urge you to delete the users in /etc/passwd and use the 'rid'
backend instead.

Rowland