[Samba] Samba domain users AWOL from Samba file server.

Rowland Penny rpenny at samba.org
Tue Oct 22 18:11:31 UTC 2019


On 22/10/2019 18:58, John Redmond wrote:
> Thanks, Rowland.  Here's the smb.conf file on the Unix domain member.  
> I know you are not a fan of winbind enum, but I added it to see if it 
> helped.

It isn't that I am not a fan of 'winbind enum', it is that it only does 
two things:

It enumerates users and groups (which isn't actually required)

It slows things down

I would only use the two lines for testing purposes. Once you are sure 
everything is working, I would suggest you comment them out.

>
> #/etc/samba/smb.conf
> [global]
>
>    workgroup = SAMDOM
>    realm = SAMDOM.EXAMPLE.COM
>    security = ADS
>    dedicated keytab file = /etc/krb5.keytab
>    kerberos method = secrets and keytab
>    server string = Samba File Server %h (Ubuntu 18.04)
>
>    idmap config * : backend = tbd
>    idmap config * : range = 3000-7999
>    idmap config SAMDOM : backend = ad
> #   idmap config SAMDOM : backend = rid
>    idmap config SAMDOM : schema_mode = rfc2307
>    idmap config SAMDOM : range = 10000-99999
>
>    template homedir = /home/samdom/%U
>    template shell = /bin/bash
>
>    winbind use default domain = true
>    winbind expand groups = 2
>    winbind refresh tickets = yes
>    winbind normalize names = yes
> #   winbind offline logon = yes
>    winbind nss info = rfc2307
>    winbind enum users = yes
>    winbind enum groups = yes
>
>    domain master = no
>    local master = no
>    preferred master = no
> #   os level = 20
> #   map to guest = bad user
> #   host msdfs = no
>
>    vfs objects = acl_xattr
>    map acl inherit = yes
>    store dos attributes = yes
>
> #   dns proxy = no
>
>    log file = /var/log/samba/log.%m
>    max log size = 1000
>
>    syslog = 0
>    log level = 1
> #auth:5 winbind:5
>
> #Disable printing completely
>    load printers = no
>    printing = bsd
>    printcap name = /dev/null
>    disable spoolss = yes
>
>
> [profiles]
>    comment = User and group files
>    path = /home/lan
>    guest ok = no
>    browseable = no
>    create mask = 0600
>    directory mask = 0700
>
> [allusers]
>    comment = Company-wide files
>    path = /home/lan/allusers
>    guest ok = no
>    browseable = yes
>    create mask = 0600
>    directory mask = 0700
>
> [accounting]
>    comment = Bookkeeping and accounting files
>    path = /home/lan/accounting
>    guest ok = no
>    browseable = no
>    create mask = 0600
>    directory mask = 0700

If you think that the missing users shouldn't be missing because they 
have the correct uidNumber attributes, then I suggest you check in AD. 
The easiest way would be to use samba-tool on the DC:

samba-tool user show <username>

Look for the uidNumber attribute

Rowland
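
An added example, not part of Rowland's message and not Samba code: a small shell check that reads the idmap range for a domain from smb.conf text and classifies the LDIF printed by `samba-tool user show <username>` as having a usable uidNumber, none at all, or one outside the range (the `ad` backend treats the range as a filter and ignores IDs outside it). The function names, the sample config fragment and the three accounts are assumptions constructed for illustration.

```sh
# Added example (not from the thread); all sample input below is constructed.

# idmap_range DOMAIN < smb.conf  -> prints "LOW HIGH" for that domain
idmap_range() {
    awk -v dom="$1" '
        /^[ \t]*[#;]/ { next }                    # skip commented-out lines
        {
            line = $0; gsub(/[ \t\r]+/, "", line)  # tolerate spacing differences
            key = "idmapconfig" dom ":range="
            if (index(tolower(line), tolower(key)) == 1) {
                split(substr(line, length(key) + 1), r, "-")
                print r[1], r[2]; exit
            }
        }'
}

# check_uidnumber LOW HIGH < LDIF from `samba-tool user show <username>`
# Prints ok:N, missing, invalid:V or out-of-range:N; returns 0 only for ok.
check_uidnumber() {
    uid=$(tr -d '\r' | awk -F': ' 'tolower($1) == "uidnumber" { print $2; exit }')
    case $uid in
        '')       echo "missing"; return 1 ;;
        *[!0-9]*) echo "invalid:$uid"; return 2 ;;
    esac
    if [ "$uid" -lt "$1" ] || [ "$uid" -gt "$2" ]; then
        echo "out-of-range:$uid"; return 3
    fi
    echo "ok:$uid"
}

# Constructed smb.conf fragment with the ranges quoted in the thread
SAMPLE_CONF='[global]
   idmap config * : range = 3000-7999
#   idmap config SAMDOM : range = 1-2
   idmap config SAMDOM : range = 10000-99999'

# Constructed LDIF for three hypothetical accounts
USER_OK='sAMAccountName: alice
uidNumber: 10001'
USER_MISSING='sAMAccountName: bob'
USER_LOW='sAMAccountName: carol
uidNumber: 5000'

set -- $(printf '%s\n' "$SAMPLE_CONF" | idmap_range SAMDOM)
for ldif in "$USER_OK" "$USER_MISSING" "$USER_LOW"; do
    printf '%s\n' "$ldif" | check_uidnumber "$1" "$2" || true
done
```

On the DC the real input would come from `samba-tool user show <username> | check_uidnumber 10000 99999`, with the two numbers taken from the member server's smb.conf.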




