[Samba] Samba AD-DC idmap config

Rowland penny rpenny at samba.org
Sat Oct 19 07:59:06 UTC 2019

On 18/10/2019 22:54, John Redmond wrote:
> One step forward with respect to the fileserver configs.  Good news 
> first...
>   * Netplan:  The symlink  /etc/resolv.conf to
>     /run/systemd/resolve/stub-resolv.conf was wrong.  It now goes to
>     /run/systemd/resolve/resolv.conf.  And
>     admin at fsvr0:/etc$ nslookup dc0.lan.lenkin.com
>         Server:
>         Address:
>         Name: dc0.lan.lenkin.com
>         Address:
>     So the command result shows the nameserver is now the DC, instead
>     of
>   * I changed the fileserver smb.conf and nsswitch.conf files as per
>     your suggestions.  No difference with respect to results of
>     commands "sudo net ads join -U administrator" (join successful,
>     error DNS update failed: NT_STATUS_INVALID_PARAMETER), "getent
>     passwd" and "getent groups" (no domain users or groups listed).
OK, let's test the join, run (as root) in a terminal:

net ads join

It should return:

Join is OK

If that passes, change these lines in smb.conf:

    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : schema_mode = rfc2307


    idmap config SAMDOM : backend = rid
    #idmap config SAMDOM : schema_mode = rfc2307

Run: net cache flush and restart winbind

Do you now get a user's info with 'getent passwd username' and a group's 
info with 'getent group groupname' ?

If so, repeat the procedure but put the original lines back; you should 
get output from the two commands again, but with different IDs. If you 
do not get any output, you need to check the uidNumber & gidNumber 
attributes in AD.

Whilst typing this, I began to think 'is he just typing getent passwd'? 
If so, this will not work without the 'winbind enum' lines in smb.conf; 
that is all they do (apart from slowing things down).

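An added helper, not from the thread or from Samba, for the backend swap Rowland describes: it flips one domain's idmap lines between the ad and rid backends (commenting schema_mode out for rid and restoring it for ad) and reports which backend an smb.conf currently uses. It assumes POSIX sh and sed, and that the domain name passed in is the one used in the idmap lines; the smb.conf fragment in demo is constructed.

```shell
#!/bin/sh
# Hypothetical helper (not part of Samba) for comparing the ad and rid idmap
# backends on a member server: edit the idmap lines, then re-run the getent checks.

# Print "ad", "rid" or "none" for the domain's current backend line.
current_idmap_backend() {
    conf="$1"; dom="$2"
    b=$(sed -n "s/^[[:space:]]*idmap config $dom *: *backend *= *\([a-z]*\).*/\1/p" "$conf" | head -n 1)
    echo "${b:-none}"
}

# switch_idmap_backend <smb.conf> <DOMAIN> <ad|rid>
# ad -> rid comments out schema_mode (rid does not use it); rid -> ad restores it.
switch_idmap_backend() {
    conf="$1"; dom="$2"; want="$3"
    case "$want" in
        rid) from=ad;  to=rid; sm_from="idmap";  sm_to="#idmap" ;;
        ad)  from=rid; to=ad;  sm_from="#idmap"; sm_to="idmap"  ;;
        *) echo "usage: switch_idmap_backend smb.conf DOMAIN ad|rid" >&2; return 1 ;;
    esac
    tmp=$(mktemp) || return 1
    sed -e "s/^\([[:space:]]*\)idmap config $dom *: *backend *= *$from\$/\1idmap config $dom : backend = $to/" \
        -e "s/^\([[:space:]]*\)$sm_from config $dom *: *schema_mode *= *rfc2307\$/\1$sm_to config $dom : schema_mode = rfc2307/" \
        "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Demo on a constructed smb.conf fragment (not taken from a real server).
demo() {
    f=$(mktemp)
    printf '[global]\n    idmap config SAMDOM : backend = ad\n    idmap config SAMDOM : schema_mode = rfc2307\n' > "$f"
    echo "before: $(current_idmap_backend "$f" SAMDOM)"
    switch_idmap_backend "$f" SAMDOM rid
    echo "after:  $(current_idmap_backend "$f" SAMDOM)"
    cat "$f"
    rm -f "$f"
    # On a real member server the edit is followed by: net cache flush,
    # a winbind restart, then getent passwd username / getent group groupname.
}

demo
```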