[Samba] Client machine not fetching user accounts from AD domain
rpenny at samba.org
Mon Dec 14 19:20:58 UTC 2020
On 14/12/2020 18:51, Z Z via samba wrote:
> I have Samba AD DC working OK with a little over 400 domain members.
> However, there is one single Debian server that's giving me trouble when I
> add him to the AD.
> There is a local user 'peter' with uid 905. Also there is user 'peter' in
> the AD domain with id 10300.
Which one do you want to keep?
Decide which, then delete the other; you cannot have the same user in AD
and in /etc/passwd.
> *id peter* (on the Debian) provides the following output:
> uid=905(peter) gid=905(peter)
Well, it would; nsswitch checks /etc/passwd first.
> So basically, it's merging local user with the domain groups, instead of
> pulling all the stuff from the AD domain.
Yes, anything that is in /etc/passwd or /etc/group (that is also in AD)
will be used before the AD data
> It's not respecting the
> nsswitch.conf. Here it is:
> passwd: compat winbind
> group: compat winbind
> shadow: winbind files
> gshadow: winbind files
The first two lines are correct, but you shouldn't have 'winbind' in the
other two lines.
> It gets even worse as I can only resolve users that have local profile.
I think by 'local profile' that you mean 'local Unix users' or users
that are in /etc/passwd.
> Every other AD user isn't showing. If I try with another user, that *doesn't
> have local profile:*
> *id userfromad*
> id: ‘userfromad ’: no such user
Your computer has no idea who 'userfromad' is
> From here I'm unable to use this user in this particular member:
> *su userfromad*
> No passwd entry for user 'userfromad '
> (it's looking for local passwd entry, wtf)
No, it is saying that nsswitch cannot find the user
> Even though I can see and use this and every other other AD user from any
> other of my 400 computers that are members of the AD DC this Debian machine
> is refusing to work properly.
Let me guess, the other computers are all Windows machines.
> *wbinfo -u and wbinfo -g *provide all groups and users. So Winbind
> obviously sees them as it should.
That is meaningless to Unix.
> Here's my smb.conf as well
> workgroup = DOM
> realm = DOM.AIN
> security = ADS
> idmap config dom: unix_primary_group = yes
> idmap config dom : unix_nss_info = no
> idmap config dom : range = 1000-999999
> idmap config dom : schema = rfc2307
> idmap config dom : backend = ad
> idmap config * : range = 300-999
> idmap config * : backend = tdb
Why such low numbers for the ranges?
The '*' domain is mainly for the Well Known SIDs, so you can probably
get away with 300-999, but I wouldn't use it.
Now we come to the big one: you are using the winbind 'ad' backend for
the 'DOM' domain, so have you given your users a uidNumber attribute
containing a unique number inside the 1000-999999 range? Have you
given the 'Domain Users' group a gidNumber attribute inside the same
range? And, as you have 'unix_primary_group = yes', have you given your
users a gidNumber attribute containing the Unix ID (gidNumber) of the
group that you want to use for each user?
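The three things the reply points at (winbind listed in the shadow/gshadow maps, the same account name in /etc/passwd and in AD, and local UIDs sitting inside a winbind idmap range, including the 300-999 '*' range that UID 905 falls into) can all be checked offline before touching the domain. The script below is an added example written for this page; it is not code from the thread or from Samba. It reads files rather than the live system, and the sample nsswitch.conf, passwd, smb.conf and 'wbinfo -u' output it builds in a temp directory are constructed to mirror the configuration quoted above (the extra 'svc-backup' local user is invented to show the third check also catching the DOM range). It assumes 'wbinfo -u' prints names as DOM\user and that winbind hands lower-cased names to NSS; on a real member you would pass /etc/nsswitch.conf, /etc/passwd, /etc/samba/smb.conf and the real 'wbinfo -u' output instead.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba.
# Offline checks for a domain member whose AD users do not resolve.

# check_nsswitch NSSWITCH_FILE
# winbind serves the passwd and group maps only, so it should not appear on
# shadow:/gshadow: and must appear on passwd:/group:. One line per finding.
check_nsswitch() {
    awk '
        /^[[:space:]]*(shadow|gshadow):/ && /winbind/ {
            name = $1; sub(/:$/, "", name)
            print "winbind listed on " name " (winbind has no shadow map)"
        }
        /^[[:space:]]*(passwd|group):/ && !/winbind/ {
            name = $1; sub(/:$/, "", name)
            print "winbind missing on " name " (AD users will not resolve)"
        }
    ' "$1"
}

# clashes PASSWD_FILE ADUSERS_FILE
# Prints every name present both in /etc/passwd and in the AD user list.
# ADUSERS_FILE is 'wbinfo -u' output; the DOM\ prefix is stripped and the
# name lower-cased (assumption: that is the form winbind gives to NSS).
clashes() {
    {
        cut -d: -f1 "$1" | sort -u
        sed 's/^.*\\//' "$2" | tr 'A-Z' 'a-z' | sort -u
    } | sort | uniq -d
}

# local_uids_in_idmap SMB_CONF PASSWD_FILE
# Prints "uid name range" for each /etc/passwd entry whose UID lies inside
# any 'idmap config X : range = LOW-HIGH' line. Such an ID can be handed
# out twice: once from /etc/passwd and once by winbind.
local_uids_in_idmap() {
    awk -F: '
        NR == FNR {
            # first file is smb.conf: collect the idmap ranges
            if ($0 ~ /^[[:space:]]*idmap config .*:[[:space:]]*range[[:space:]]*=/) {
                split($0, kv, "=")
                gsub(/[[:space:]]/, "", kv[2])
                split(kv[2], lh, "-")
                n++; lo[n] = lh[1] + 0; hi[n] = lh[2] + 0; label[n] = kv[2]
            }
            next
        }
        {
            # second file is passwd: name:x:uid:...
            for (i = 1; i <= n; i++)
                if ($3 + 0 >= lo[i] && $3 + 0 <= hi[i])
                    print $3, $1, label[i]
        }
    ' "$1" "$2"
}

# Constructed sample inputs mirroring the configuration quoted in the thread.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/nsswitch.conf" <<'EOF'
passwd: compat winbind
group: compat winbind
shadow: winbind files
gshadow: winbind files
EOF
cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
peter:x:905:905:Peter:/home/peter:/bin/bash
svc-backup:x:1500:1500:invented local service user:/var/backups:/usr/sbin/nologin
EOF
cat > "$WORK/smb.conf" <<'EOF'
[global]
   workgroup = DOM
   realm = DOM.AIN
   security = ADS
   idmap config dom : range = 1000-999999
   idmap config dom : backend = ad
   idmap config * : range = 300-999
   idmap config * : backend = tdb
EOF
cat > "$WORK/wbinfo-u" <<'EOF'
DOM\peter
DOM\userfromad
DOM\administrator
EOF

echo "== nsswitch.conf problems"
check_nsswitch "$WORK/nsswitch.conf"
echo "== names in both /etc/passwd and AD"
clashes "$WORK/passwd" "$WORK/wbinfo-u"
echo "== local UIDs inside a winbind idmap range"
local_uids_in_idmap "$WORK/smb.conf" "$WORK/passwd"
```

On the sample data the first check flags the shadow and gshadow lines, the second reports 'peter', and the third reports 905 (peter) inside the '*' range and 1500 (svc-backup) inside the DOM range. Anything the third check prints is a UID that /etc/passwd and winbind could both claim, which is the practical reason for moving the idmap ranges well above the local UID space and for keeping AD accounts out of /etc/passwd entirely.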