[Samba] Client machine not fetching user accounts from AD domain

Z Z nirayah at gmail.com
Mon Dec 14 18:51:58 UTC 2020


I have Samba AD DC working OK with a little over 400 domain members.
However, there is one single Debian server that's giving me trouble when I
add it to the AD.

There is a local user 'peter' with uid 905. Also there is a user 'peter' in
the AD domain with id 10300.

*id peter* (on the Debian) provides the following output:

uid=905(peter) gid=905(peter)
groups=905(peter),27(sudo),1000(domaingroup),1001(domaingroup),10001(domaingroup),1035(domaingroup)

So basically, it's merging the local user with the domain groups, instead of
pulling all the stuff from the AD domain. It's not respecting the
nsswitch.conf. Here it is:

passwd:       compat winbind
group:          compat winbind
shadow:        winbind files
gshadow:      winbind files

It gets even worse, as I can only resolve users that have a local profile.
Every other AD user isn't showing. If I try with another user, that *doesn't
have a local profile:*
*id userfromad*
id: ‘userfromad ’: no such user

From here I'm unable to use this user in this particular member:

*su userfromad*
No passwd entry for user 'userfromad '
(it's looking for a local passwd entry, wtf)

Even though I can see and use this and every other AD user from any
other of my 400 computers that are members of the AD DC, this Debian machine
is refusing to work properly.

Next,

*wbinfo -u* and *wbinfo -g* provide all groups and users. So Winbind
obviously sees them as it should.

Here's my smb.conf as well

[global]

workgroup = DOM
realm = DOM.AIN
security = ADS

idmap config dom: unix_primary_group = yes
idmap config dom : unix_nss_info = no
idmap config dom : range = 1000-999999
idmap config dom : schema = rfc2307
idmap config dom : backend = ad

idmap config * : range = 300-999
idmap config * : backend = tdb

template homedir = /home/%U
template shell = /bin/bash
winbind use default domain = True
winbind cache time = 5
winbind refresh tickets = Yes

winbind enum users = yes
winbind enum groups yes


Any suggestions will be appreciated.

