[Samba] Samba AD-DC idmap config
Rowland Penny
rpenny at samba.org
Mon Oct 21 14:58:15 UTC 2019
On 21/10/2019 15:35, John Redmond wrote:
> No joy. Join successful, but no domain info with getent after
> flushing net cache. Perhaps there are still some traces of ADS in the
> [global] section of the smb.conf file that are breaking RID? For
> example:
> security = ADS
> winbind nss info = rfc2307
>
To join a Unix domain member to AD, you need 'security = ADS', but
'winbind nss info = rfc2307' is only required up to Samba 4.6.0 and then
only when using the 'ad' backend.
If you run 'wbinfo -u', this will show all users in AD, but this will
not guarantee they are Unix users.
If you use the 'rid' backend AND 'winbind enum users = yes' & 'winbind
enum groups = yes' are set in smb.conf, then 'getent passwd' & 'getent
group' should return all domain users and groups, but only if the join
is correct.
Can you check a few things:
Does /etc/resolv.conf point to the AD DC as the first nameserver?
Is a firewall running?
Is AppArmor or SELinux running?
Do the 'passwd' & 'group' lines in /etc/nsswitch.conf have 'winbind' as
the second option?
You may have already checked these, but please check again.
Please post your current smb.conf.
Rowland
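
The file-based checks from the reply above (first nameserver, the position of 'winbind' in nsswitch.conf, and the [global] settings it names), written as shell functions. This is an added example, not part of the original message; the function names, the sample files in demo() and the 192.0.2.10 address are made up for illustration, and only the literal value 'yes' is accepted for the enum settings.

```shell
# Added example: the file checks from the reply, as functions over file paths.
first_nameserver() {   # $1 = resolv.conf; prints the first nameserver address
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

nss_source() {         # $1 = nsswitch.conf, $2 = database, $3 = position (1-based)
    awk -v db="$2" -v n="$3" '
        { sub(/#.*/, "") }                         # strip comments
        $1 == (db ":") { print $(n + 1); exit }' "$1"
}

global_param() {       # $1 = smb.conf, $2 = parameter (lower case); prints value
    awk -v want="$2" '
        /^[ \t]*[#;]/ { next }                     # comment lines
        /^[ \t]*\[/   { g = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        g && (eq = index($0, "=")) {
            name = tolower(substr($0, 1, eq - 1)); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", name); gsub(/[ \t]+/, " ", name)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (name == want) found = val          # a later setting overrides
        }
        END { print found }' "$1"
}

# $1 = AD DC address, $2 = resolv.conf, $3 = nsswitch.conf, $4 = smb.conf.
# Prints one line per failed check; the return status is the failure count.
check_member() {
    fails=0
    fail() { echo "FAIL: $1"; fails=$((fails + 1)); }
    [ "$(first_nameserver "$2")" = "$1" ] || fail "first nameserver is not $1"
    for db in passwd group; do
        [ "$(nss_source "$3" "$db" 2)" = winbind ] ||
            fail "winbind is not the second '$db' source"
    done
    [ "$(global_param "$4" security | tr 'A-Z' 'a-z')" = ads ] ||
        fail "security is not ADS"
    for p in "winbind enum users" "winbind enum groups"; do
        [ "$(global_param "$4" "$p" | tr 'A-Z' 'a-z')" = yes ] || fail "$p is not yes"
    done
    return "$fails"
}

demo() {   # constructed sample files, not from the thread; 192.0.2.10 is made up
    d=$(mktemp -d)
    printf 'nameserver 192.0.2.10\nnameserver 192.0.2.1\n' > "$d/resolv.conf"
    printf 'passwd: files winbind\ngroup: files\n' > "$d/nsswitch.conf"
    printf '[global]\n security = ADS\n winbind enum users = yes\n' > "$d/smb.conf"
    rc=0; check_member 192.0.2.10 "$d/resolv.conf" "$d/nsswitch.conf" "$d/smb.conf" || rc=$?
    rm -rf "$d"; return "$rc"
}
```

The parser does not follow include lines in smb.conf, so on a live member compare its result with the output of 'testparm -s'.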