[Samba] Getent doesn't show AD users/groups

Rowland Penny rpenny at samba.org
Tue Dec 15 20:06:13 UTC 2020


On 15/12/2020 19:43, Alex Orlov via samba wrote:
>> In which case, it would seem you are testing Samba, so stop everything,
>> upgrade your distro to Debian 10 and then use Samba from Louis's repo;
>> http://apt.van-belle.nl/
>> This will get everything up to date, Samba 4.2.14 is just too old, the
>> latest version is 4.13.3 (released today)
>> Once you have done that, provision Samba again
>
> That is absolutely impossible, because there are a lot of things running on this server
> and I don’t want to spend weeks trying to make them work in a new distro. Look, here
> I have a problem with one program that no one can solve and there I have dozens of
> programs.
>

No, you cannot make it work. I could probably make it work very quickly,
but I am not there, so I can only make suggestions.

It doesn't help that you seem to keep changing the dns domain, so let's
set this straight:

The computer that you want to use as a DC must have a dns domain name,
and this dns domain must be used for the AD dns domain, and the kerberos
realm is the dns domain name in uppercase.

BAD:

dns domain: example.com

AD dns domain: samdom.example.com

AD realm: SAMDOM.EXAMPLE.COM

GOOD:

dns domain: samdom.example.com

AD dns domain: samdom.example.com

AD realm: SAMDOM.EXAMPLE.COM

It is your choice to remain with Samba 4.2.14; it is, however, extremely
EOL and insecure. I certainly would not use it in production. We also do
not recommend using a Samba AD DC as a fileserver; you seem to have
taken this to extremes. In your case, I would create a new DC, transfer
all the FSMO roles to this and then turn your existing DC into a Unix
domain member.

Rowland
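
The naming rule in the message above can be checked mechanically. The following is an added example, not part of the original post or of Samba: the function names `smbconf_realm` and `check_ad_naming` are hypothetical, and the smb.conf content is constructed sample data.

```shell
#!/bin/sh
# Added example: check that the realm in smb.conf is the host's dns domain
# in uppercase, as the message requires. Function names are hypothetical.

# Print the first "realm = ..." value from an smb.conf file.
# Parameter names are matched case-insensitively; lines commented out
# with '#' or ';' do not match because they do not start with "realm".
smbconf_realm() {
    sed -n 's/^[[:space:]]*[Rr][Ee][Aa][Ll][Mm][[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$1" | head -n 1
}

# check_ad_naming DNS_DOMAIN SMBCONF
# returns 0 if consistent, 1 on mismatch, 2 if no realm is configured.
check_ad_naming() {
    can_domain=$1
    can_realm=$(smbconf_realm "$2")
    if [ -z "$can_realm" ]; then
        echo "no realm found in $2"
        return 2
    fi
    can_expected=$(printf '%s' "$can_domain" | tr '[:lower:]' '[:upper:]')
    if [ "$can_realm" = "$can_expected" ]; then
        echo "OK: dns domain $can_domain matches realm $can_realm"
        return 0
    fi
    echo "MISMATCH: dns domain $can_domain implies realm $can_expected, smb.conf has $can_realm"
    return 1
}

# Constructed sample smb.conf (not taken from the poster's server).
SAMPLE_DIR=$(mktemp -d)
SAMPLE_CONF=$SAMPLE_DIR/smb.conf
cat > "$SAMPLE_CONF" <<'EOF'
[global]
    # realm = OLD.EXAMPLE.COM
    Realm = SAMDOM.EXAMPLE.COM
    server role = active directory domain controller
EOF

# The BAD and GOOD cases from the message:
check_ad_naming example.com "$SAMPLE_CONF" || echo "exit status $?"
check_ad_naming samdom.example.com "$SAMPLE_CONF" || echo "exit status $?"

# On a real host (the smb.conf path is an assumption and varies by install):
#   check_ad_naming "$(hostname -d)" /etc/samba/smb.conf
```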




