[Samba] Samba AD-DC idmap config

Rowland penny rpenny at samba.org
Mon Oct 21 14:58:15 UTC 2019

On 21/10/2019 15:35, John Redmond wrote:
> No joy.  Join successful, but no domain info with getent after 
> flushing net cache.  Perhaps there are still some traces of ADS in the 
> [global] section of the smb.conf file that are breaking RID?  For 
> example:
>    security = ADS
>    winbind nss info = rfc2307
To join a Unix domain member to AD, you need 'security = ADS', but 
'winbind nss info = rfc2307' is only required up to Samba 4.6.0 and then 
only when using the 'ad' backend.

If you run 'wbinfo -u', this will show all users in AD, but this will 
not guarantee they are Unix users

If you use the 'rid' backend AND 'winbind enum users = yes' & 'winbind 
enum groups = yes' are set in smb.conf, then 'getent passwd' & 'getent 
group' should return all domain users and groups, but only if the join 
is correct.

Can you check a few things .

Does /etc/resolv.conf point to the AD DC as the first nameserver ?

Is a firewall running ?

is apparmor or selinux running ?

Do the 'passwd' & 'group' lines in /etc/nsswitch.conf have 'winbind' as 
the second option ?

You may have already checked these, but please check again.

Please post your current smb.conf.


More information about the samba mailing list