[Samba] Unable to get primary group information when using AD authentication with samba-4.10.4
Rowland penny
rpenny at samba.org
Thu Feb 20 10:06:30 UTC 2020
'wbinfo -a' is basically the same as logging in, but you should be able
to get a user's primary group without the user logging in; this will
depend on what you mean by 'primary group'. On Windows, every user's
primary group is 'Domain Users', and when you make a Unix computer a
domain member, Unix users get the same primary group by default. Before
Samba 4.6.0 there was no way of changing this, but from 4.6.0 you can
give your users a gidNumber attribute containing the ID number of a
group (don't use the ID for Domain Users, there is no point); then,
provided smb.conf is configured correctly, your users will get a
different primary group.
Try this smb.conf:
[global]
kerberos method = secrets and keytab
realm = TESTDOM.LOCAL
workgroup = TESTDOM
security = ads
winbind use default domain = true
winbind expand groups = 2
winbind refresh tickets = Yes
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config TESTDOM : backend = ad
idmap config TESTDOM : range = 16777216-33554431
idmap config TESTDOM : schema_mode = rfc2307
idmap config TESTDOM : unix_nss_info = yes
idmap config TESTDOM : unix_primary_group = yes
# If you do not have the relevant rfc2307 attributes in AD
# uncomment the next two lines.
#template homedir = /home/%g/%u
#template shell = /bin/bash
vfs objects = acl_xattr
map acl inherit = Yes
username map = /etc/samba/user.map
Run this in a terminal:
echo '!root = TESTDOM\Administrator' > /etc/samba/user.map
Restart Samba
The reason I mentioned sssd was this: idmap uid = 16777216-33554431
From memory, that range is synonymous with sssd and will mean that your
users & groups will need to have uidNumber & gidNumber attributes
containing numbers inside that range.
If your users & groups do not have uidNumber & gidNumber attributes
containing numbers inside that range, you must find your lowest &
highest Unix IDs and base the range around those.
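The checks the post describes (the domain's idmap range must contain every uidNumber and gidNumber, the '*' and domain ranges must not collide, and with unix_primary_group = yes a user's gidNumber has to name a real group) can be scripted before restarting Samba. The following is an added example, not code from the post or from the Samba project: it parses the idmap lines of an smb.conf and validates a constructed set of directory entries against them. The domain name TESTDOM, the ranges and the user/group entries are assumptions taken from the post's sample config or invented for the demonstration.

```python
"""Sanity-check smb.conf idmap ranges against RFC2307 attributes.

Added example (not from the mailing-list post or from Samba). The smb.conf
fragment, the domain TESTDOM and the user/group entries below are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Matches lines such as "idmap config TESTDOM : range = 16777216-33554431".
IDMAP_RE = re.compile(
    r"^idmap\s+config\s+(?P<domain>[^:\s]+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<value>.*?)$",
    re.IGNORECASE,
)

# Constructed smb.conf fragment (idmap part of the post's sample config).
SAMPLE_SMB_CONF = """\
[global]
   security = ads
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config TESTDOM : backend = ad
   idmap config TESTDOM : range = 16777216-33554431
   idmap config TESTDOM : schema_mode = rfc2307
   idmap config TESTDOM : unix_primary_group = yes
"""

# Constructed directory entries: (name, uidNumber, gidNumber) for users,
# (name, gidNumber) for groups. None means the attribute is not set in AD.
SAMPLE_USERS: List[Tuple[str, Optional[int], Optional[int]]] = [
    ("alice", 16777300, 16777500),  # gidNumber points at the 'devs' group
    ("bob",   16777301, 513),       # gidNumber (Domain Users RID) is outside the range
    ("carol", None, None),          # no rfc2307 attributes at all
]
SAMPLE_GROUPS: List[Tuple[str, int]] = [("devs", 16777500), ("ops", 16777501)]


def parse_idmap(smb_conf: str) -> Dict[str, Dict[str, str]]:
    """Return {DOMAIN: {key: value}} for every 'idmap config' line; comments are skipped."""
    cfg: Dict[str, Dict[str, str]] = {}
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = IDMAP_RE.match(line)
        if m:
            cfg.setdefault(m.group("domain").upper(), {})[m.group("key").lower()] = m.group("value")
    return cfg


def parse_range(value: str) -> Tuple[int, int]:
    """Turn 'LOW-HIGH' into (low, high), rejecting inverted ranges."""
    lo, hi = (int(x) for x in value.split("-"))
    if lo > hi:
        raise ValueError(f"invalid idmap range {value!r}")
    return lo, hi


def ranges_overlap(a: Tuple[int, int], b: Tuple[int, int]) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]


def check_config(cfg: Dict[str, Dict[str, str]], domain: str) -> List[str]:
    """Problems with the idmap configuration itself, independent of any directory data."""
    problems: List[str] = []
    dom = cfg.get(domain.upper(), {})
    default = cfg.get("*", {})
    if dom.get("backend", "").lower() != "ad":
        problems.append(f"{domain}: backend is not 'ad', so uidNumber/gidNumber will be ignored")
    if "range" not in dom:
        problems.append(f"{domain}: no idmap range configured")
        return problems
    if "range" in default and ranges_overlap(parse_range(default["range"]), parse_range(dom["range"])):
        problems.append(f"'*' range {default['range']} overlaps {domain} range {dom['range']}")
    return problems


def check_entries(cfg, domain: str, users, groups) -> List[str]:
    """Problems with the directory entries relative to the domain's configured range."""
    dom = cfg.get(domain.upper(), {})
    if "range" not in dom:
        raise ValueError(f"{domain}: no idmap range to check against")
    lo, hi = parse_range(dom["range"])
    primary_from_gid = dom.get("unix_primary_group", "no").lower() in ("yes", "true", "1")
    group_gids = {gid for _, gid in groups}
    problems: List[str] = []
    for name, gid in groups:
        if not lo <= gid <= hi:
            problems.append(f"group {name}: gidNumber {gid} outside {lo}-{hi}")
    for name, uid, gid in users:
        if uid is None:
            problems.append(f"user {name}: no uidNumber, the ad backend will not map this user")
            continue
        if not lo <= uid <= hi:
            problems.append(f"user {name}: uidNumber {uid} outside {lo}-{hi}")
        if gid is not None and not lo <= gid <= hi:
            problems.append(f"user {name}: gidNumber {gid} outside {lo}-{hi}")
        elif primary_from_gid and gid is not None and gid not in group_gids:
            problems.append(f"user {name}: gidNumber {gid} matches no group's gidNumber")
    return problems


def suggest_range(users, groups) -> Tuple[int, int]:
    """Lowest and highest Unix ID actually in use, the basis for choosing a range."""
    ids = [i for _, uid, gid in users for i in (uid, gid) if i is not None]
    ids += [gid for _, gid in groups]
    return min(ids), max(ids)


if __name__ == "__main__":
    config = parse_idmap(SAMPLE_SMB_CONF)
    for problem in check_config(config, "TESTDOM") + check_entries(config, "TESTDOM", SAMPLE_USERS, SAMPLE_GROUPS):
        print("PROBLEM:", problem)
    print("IDs in use span", suggest_range(SAMPLE_USERS, SAMPLE_GROUPS))
```

On the constructed data the script flags bob (gidNumber 513 is outside the domain range) and carol (no uidNumber, so the ad backend never maps her), and reports that the IDs in use span 513 to 16777501, which is the "lowest and highest Unix IDs" the post says a range should be based around. In a real deployment the entries would come from an LDAP query rather than a constructed list.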