[Samba] Users can't mount shares on a domain member file server

MAS Jean-Louis jean-louis.mas at imag.fr
Wed Dec 16 15:58:33 UTC 2020

Le 15/12/2020 à 18:29, Rowland penny via samba a écrit :

Thanks a lot for your advice

We changed our conf files /etc/nsswitch.conf and smb.conf (see below)

Now our Linux users can't connect, as their gid and $HOME are totally
wrong; they seem to be generated by winbind in the 400000 range.

What we've got using winbind, with my account for example:

$ id jlmas
uid=20025(jlmas) gid=400005(misi) 

$ getent passwd jlmas
jlmas:*:20025:400005:MAS Jean-Louis:/home/LIGLAB/jlmas:/bin/false

What it should be:

$ id jlmas
uid=20025(jlmas) gid=20000(misi)
groupes=20000(misi),20001(wikimisi),513(Domain Users),29000(labolig)

$ getent passwd jlmas
jlmas:*:20025:20000:MAS Jean-Louis:/home/misi/jlmas/:/bin/bash

>> smbd:backgroundqueue = no

> Where did you get the line above from ?

It came from our old CentOS 6 conf, back from 2013. I deleted it in our
new smb.conf

>> idmap config example : schema_mode = rfc2307 idmap config example
>> : range = 500-400000

> Why start at 500? Do you have normal users & groups in AD with
> uidNumbers & gidNumbers that start so low? Not counting the ones
> that start with 'Domain', e.g. 'Domain Users'

Unfortunately, we have some very, very old user account ids, the lowest
being 115 (but not used anymore), and some above 500 are still in use
today on a broad number of servers. That's why we can't use the
recommended '3000-7999' range for the '*' domain.

Our new files

# /etc/nsswitch.conf

passwd:     files winbind
shadow:     files
group:      files winbind
hosts:      files dns myhostname
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   files
publickey:  nisplus
automount:  files ldap
aliases:    files nisplus

# /etc/smb/smb.conf

# Global parameters
        allow trusted domains = No
        disable spoolss = Yes
        domain master = No
        kerberos method = system keytab
        load printers = No
        local master = No
        log file = /var/log/samba/samba.log
        ntlm auth = ntlmv1-permitted
        preferred master = No
        printcap cache time = 0
        printcap name = /dev/null
        realm = EXAMPLE.COM
        restrict anonymous = 2
        security = ADS
        server role = member server
        server string = Samba Server Version %v
        winbind use default domain = Yes
        workgroup = EXAMPLE
        idmap config * : range = 400001-410000
        idmap config * : backend = tdb
        idmap config example : range = 500-400000
        idmap config example : schema_mode = rfc2307
        idmap config example : backend = ad
        rpc_daemon:spoolssd = off
        printing = bsd
        use sendfile = Yes

        browseable = No
        path = /var/lib/samba/profiles
        read only = No

        browseable = No
        comment = Home Directory
        read only = No

        comment = Equipe TEAM1
        force group = +team1
        path = /home/team1
        read only = No
        valid users = +team1

Any clues on the id numbers and home directory given by winbind?


Jean Louis Mas
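To see which idmap backend a given uid or gid came from, and to confirm the two idmap ranges do not overlap (Samba requires them to be disjoint), here is a small Python check written for this page; it is not code from the post or from Samba. It parses the idmap lines from the smb.conf above and classifies the id values from the id/getent output (the gid 400005 lands in the '*' tdb range, so it was allocated by winbind rather than read from AD; 115 lies outside every range). The function names are this example's own.

```python
import re
# Added example, not from the post or Samba: the idmap lines below are copied from the message
SMB_CONF = """
idmap config * : range = 400001-410000
idmap config * : backend = tdb
idmap config example : range = 500-400000
idmap config example : schema_mode = rfc2307
idmap config example : backend = ad
"""
IDMAP_RE = re.compile(r"^\s*idmap config\s+([^\s:]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
def parse_idmap(conf):
    """Return {domain: {'backend': ..., 'range': (low, high), ...}} from smb.conf text."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(dom, {})
        if key == "range":
            entry["range"] = tuple(int(x) for x in val.split("-", 1))
        else:
            entry[key] = val
    return domains

def overlapping_ranges(domains):
    """Samba requires idmap ranges to be disjoint; return the pairs that overlap."""
    names = [d for d in sorted(domains) if "range" in domains[d]]
    clashes = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            a_lo, a_hi = domains[a]["range"]
            b_lo, b_hi = domains[b]["range"]
            if a_lo <= b_hi and b_lo <= a_hi:
                clashes.append((a, b))
    return clashes

def owning_domain(domains, xid):
    """Name the idmap config whose range holds this uid/gid, or None if outside all."""
    for dom, entry in domains.items():
        if "range" in entry and entry["range"][0] <= xid <= entry["range"][1]:
            return dom
    return None

if __name__ == "__main__":
    d = parse_idmap(SMB_CONF)
    print("overlapping idmap ranges:", overlapping_ranges(d))
    for xid in (20025, 400005, 115):  # uid, unexpected gid, and the oldest account from the post
        dom = owning_domain(d, xid)
        print(xid, "->", dom, d[dom].get("backend") if dom else "outside every idmap range")
```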

