On 14/12/2020 18:51, Z Z via samba wrote:
> I have Samba AD DC working OK with a little over 400 domain members.
> However, there is one single Debian server that's giving me trouble when I
> add him to the AD.
> There is a local user 'peter' with uid 905. Also there is user 'peter' in
> the AD domain with id 10300.

Which one do you want to keep?

Decide which, then delete the other; you cannot have the same user in AD 
and in /etc/passwd.

> *id peter* (on the Debian) provides the following output:
> uid=905(peter) gid=905(peter)
> groups=905(peter),27(sudo),1000(domaingroup),1001(domaingroup),10001(domaingroup),1035(domaingroup)
Well it would; nsswitch checks /etc/passwd first.
> So basically, it's merging local user with the domain groups, instead of
> pulling all the stuff from the AD domain.
Yes, anything that is in /etc/passwd or /etc/group (that is also in AD) 
will be used before the AD data.
>   It's not respecting the
> nsswitch.conf. Here it is:
> passwd:       compat winbind
> group:          compat winbind
> shadow:        winbind files
> gshadow:      winbind files
The first two lines are correct, but you shouldn't have 'winbind' in the 
other two lines.
> It gets even worse as I can only resolve users that have local profile.
I think by 'local profile' that you mean 'local Unix users' or users 
that are in /etc/passwd.
> Every other AD user isn't showing. If I try with another user, that *doesn't
> have local profile:*
> *id userfromad*
> id: ‘userfromad ’: no such user
Your computer has no idea who 'userfromad' is.
>  From here I'm unable to use this user in this particular member:
> *su userfromad*
> No passwd entry for user 'userfromad '
> (it's looking for local passwd entry, wtf)
No, it is saying that nsswitch cannot find the user.
> Even though I can see and use this and every other other AD user from any
> other of my 400 computers that are members of the AD DC this Debian machine
> is refusing to work properly.
Let me guess, the other computers are all Windows machines.
> Next,
> *wbinfo -u and wbinfo -g *provide all groups and users. So Winbind
> obviously sees them as it should.
That is meaningless to Unix.
> Here's my smb.conf as well
> [global]
> workgroup = DOM
> realm = DOM.AIN
> security = ADS
> idmap config dom : unix_primary_group = yes
> idmap config dom : unix_nss_info = no
> idmap config dom : range = 1000-999999
> idmap config dom : schema = rfc2307
> idmap config dom : backend = ad
> idmap config * : range = 300-999
> idmap config * : backend = tdb

Why such low numbers for the ranges?

The '*' domain is mainly for the Well Known SIDs, so you can probably 
get away with 300-999, but I wouldn't use it.

Now we come to the big one: you are using the winbind 'ad' backend for 
the 'DOM' domain, so have you given your users a uidNumber attribute 
containing a unique number inside the 1000-999999 range? And have you 
given the 'Domain Users' group a gidNumber attribute inside the same 
range? And as you have 'unix_primary_group = yes', have you given your 
users a gidNumber attribute containing the Unix ID (gidNumber) of the 
group that you want to use for each user?
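The three faults the reply points at (winbind listed on the shadow/gshadow lines, a local /etc/passwd user shadowing an AD user of the same name, and idmap ranges that are wrong or uidNumber attributes that are missing) can all be checked mechanically before joining a member. The script below is an added example, not code from this thread or from Samba. Every check takes file paths, and the files it reads are constructed inline to stand in for /etc/nsswitch.conf, /etc/passwd, /etc/samba/smb.conf, the output of `wbinfo -u` and a `name:uidNumber` list pulled from AD (for example with ldbsearch); the domain name `dom`, the user `svc-backup` and its uidNumber 500 are assumed sample values.

```shell
#!/bin/sh
# Added example: audit a Samba domain member for the problems raised in the
# thread. All inputs are files, so it runs offline against constructed copies;
# on a real host pass /etc/nsswitch.conf, /etc/passwd, /etc/samba/smb.conf,
# 'wbinfo -u' output and a name:uidNumber list from AD. Not Samba's own code.
set -u

# 1. nsswitch.conf: winbind belongs on passwd and group, and must NOT appear
#    on shadow/gshadow (winbind does not serve shadow data).
check_nsswitch() {   # $1 = nsswitch.conf
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        { db = $1; sub(":.*$", "", db) }
        (db == "passwd" || db == "group") && $0 !~ /winbind/ { print "missing-winbind:" db }
        (db == "shadow" || db == "gshadow") && $0 ~ /winbind/  { print "winbind-in-" db }
    ' "$1"
}

# 2. A name present in both /etc/passwd and AD is served from /etc/passwd,
#    because files/compat is consulted before winbind; the AD account is never
#    seen. The AD list may carry a "DOM\" prefix, which is stripped.
check_collisions() {   # $1 = passwd file, $2 = AD user list (one per line)
    awk -F: '
        FILENAME == ARGV[1] { n = tolower($0); sub(/.*\\/, "", n); ad[n] = 1; next }
        (tolower($1) in ad) { print "local-shadows-ad:" $1 ":" $3 }
    ' "$2" "$1"
}

# 3. idmap ranges: return the "LOW-HIGH" range configured for a domain
#    ('*' is the default domain used for well-known SIDs).
idmap_range() {   # $1 = smb.conf, $2 = domain name as written in smb.conf
    awk -F= -v dom="$2" '
        tolower($1) ~ /^[ \t]*idmap[ \t]+config/ && $1 ~ /range/ {
            key = tolower($1); gsub(/[ \t]/, "", key)   # e.g. "idmapconfigdom:range"
            sub(/^idmapconfig/, "", key); sub(/:range$/, "", key)
            if (key == tolower(dom)) { v = $2; gsub(/[ \t]/, "", v); print v }
        }' "$1"
}

# The '*' range and the domain range must not overlap, and with 'backend = ad'
# every user needs a uidNumber inside the domain range (empty = not set in AD).
check_ranges() {   # $1 = smb.conf, $2 = domain, $3 = name:uidNumber list
    dom_range=$(idmap_range "$1" "$2"); star_range=$(idmap_range "$1" '*')
    [ -n "$dom_range" ] && [ -n "$star_range" ] || { echo "no-range-configured"; return 1; }
    dlo=${dom_range%-*}; dhi=${dom_range#*-}
    slo=${star_range%-*}; shi=${star_range#*-}
    # two ranges overlap when each one starts no later than the other ends
    if [ "$slo" -le "$dhi" ] && [ "$dlo" -le "$shi" ]; then
        echo "range-overlap:*=$star_range:$2=$dom_range"
    fi
    awk -F: -v lo="$dlo" -v hi="$dhi" '
        $2 == ""                   { print "no-uidNumber:" $1; next }
        $2+0 < lo+0 || $2+0 > hi+0 { print "uid-outside-range:" $1 ":" $2 }
    ' "$3"
}

# ---- constructed sample input, modelled on the files quoted in the thread ----
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/nsswitch.conf" <<'EOF'
passwd:   compat winbind
group:    compat winbind
shadow:   winbind files
gshadow:  winbind files
EOF
cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
peter:x:905:905:Peter:/home/peter:/bin/bash
EOF
printf '%s\n' 'DOM\peter' 'DOM\userfromad' > "$tmp/wbinfo-u"   # as from 'wbinfo -u'
cat > "$tmp/smb.conf" <<'EOF'
[global]
   workgroup = DOM
   realm = DOM.AIN
   security = ADS
   idmap config dom : backend = ad
   idmap config dom : schema = rfc2307
   idmap config dom : range = 1000-999999
   idmap config * : backend = tdb
   idmap config * : range = 300-999
EOF
# name:uidNumber as pulled from AD; 'svc-backup' and 500 are assumed values
printf '%s\n' 'peter:10300' 'userfromad:' 'svc-backup:500' > "$tmp/uids"

echo "== nsswitch ==";   check_nsswitch  "$tmp/nsswitch.conf"
echo "== collisions =="; check_collisions "$tmp/passwd" "$tmp/wbinfo-u"
echo "== idmap ==";      check_ranges "$tmp/smb.conf" dom "$tmp/uids"
```

On the sample data this reports winbind on both shadow lines, `peter` being served from /etc/passwd with uid 905 while AD holds 10300, `userfromad` having no uidNumber at all (which is exactly why `id userfromad` finds nothing with the ad backend), and the assumed `svc-backup` sitting below the domain range. The domain-name comparison is case-insensitive because Samba treats `idmap config` domain names that way; the range overlap test is there because a '*' range inside the domain range would let tdb-allocated IDs collide with rfc2307 ones.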


