[Samba] Unable to get primary group information when using AD authentication with samba-4.10.4

Rowland penny rpenny at samba.org
Thu Feb 20 10:06:30 UTC 2020

'wbinfo -a' is basically the same as logging in, but you should be able 
to get a user's primary group without the user logging in; this will 
depend on what you mean by 'primary group'. On Windows, every user's 
primary group is 'Domain Users', and when you make a Unix computer a 
domain member, Unix users get the same primary group by default. Before 
Samba 4.6.0 there was no way of changing this, but from 4.6.0 you can 
give your users a gidNumber attribute containing the ID number of a 
group (don't use the ID for Domain Users, there is no point); then, 
provided smb.conf is configured correctly, your users will get a 
different primary group.

Try this smb.conf:

     kerberos method = secrets and keytab
     realm = TESTDOM.LOCAL
     workgroup = TESTDOM
     security = ads
     winbind use default domain = true
     winbind expand groups = 2
     winbind refresh tickets = Yes

     idmap config * : backend = tdb
     idmap config * : range = 3000-7999
     idmap config TESTDOM : backend = ad
     idmap config TESTDOM : range = 16777216-33554431
     idmap config TESTDOM : schema_mode = rfc2307
     idmap config TESTDOM : unix_nss_info = yes
     idmap config TESTDOM : unix_primary_group = yes

     # If you do not have the relevant rfc2307 attributes in AD
     # uncomment the next two lines.
     #template homedir = /home/%g/%u
     #template shell = /bin/bash

     vfs objects = acl_xattr
     map acl inherit = Yes

     username map = /etc/samba/user.map

Run this in a terminal:

echo '!root = TESTDOM\Administrator' > /etc/samba/user.map

Restart Samba

The reason I mentioned sssd was this: idmap uid = 16777216-33554431

From memory, that range is synonymous with sssd and will mean that your 
users & groups will need to have uidNumber & gidNumber attributes 
containing numbers inside that range.

If your users & groups do not have uidNumber & gidNumber attributes 
containing numbers inside that range, you must find your lowest & 
highest Unix IDs and base the range around those.
