[Samba] Unable to get primary group information when using AD authentication with samba-4.10.4

Rowland Penny rpenny at samba.org
Fri Feb 21 09:09:53 UTC 2020


On 21/02/2020 04:54, Goto, Ryoichi wrote:
> Thank you for very easy-to-understand and courteous advice.

I reread your initial post and noticed something that I missed earlier.
You had in smb.conf:

         idmap uid = 16777216-33554431
         idmap gid = 16777216-33554431

Yet, you were getting results like this:

id user01
uid=2001107(user01) gid=2000513(domain users) groups=2000513(domain users),2001107(oec0814e),2001103(group01)

'2000513' is less than '16777216'

Are you sure that you do not have sssd installed?

On top of the Samba packages you have installed, I would also expect:

samba.x86_64
samba-client-libs
samba-common
samba-common-tools
samba-winbind-clients

/etc/krb5 should just be this:

[libdefaults]
          default_realm = TESTDOM.LOCAL
          dns_lookup_realm = false
          dns_lookup_kdc = true

Also, remove the link:

rm -rf /etc/krb5.conf.d/crypto-policies

On a CentOS 8 Unix domain member using the winbind 'rid' backend:

getent passwd rowland
rowland:*:11107:10513::/home/rowland:/bin/bash

Change to using the 'ad' backend, restart Samba and run 'net cache flush':

getent passwd rowland
rowland:*:10000:10010:Rowland Penny:/home/rowland:/bin/bash

id rowland
uid=10000(rowland) gid=10010(group12) groups=10010(group12),10000(domain users),

I hope you can see that before the change 'rowland' had 'Domain Admins' 
as the primary group, but now has 'group12'.

Rowland
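
The comparison made in the message above (IDs reported by `id` against the `idmap uid` / `idmap gid` ranges in smb.conf), as an added example that is not part of the original post. It goes slightly beyond the message by also accepting `idmap config NAME : range = low-high` lines; the function names are assumptions of this example, and the sample input is copied from the message.

```python
import re

# Legacy "idmap uid|gid = low-high" and "idmap config NAME : range = low-high".
RANGE_RE = re.compile(
    r"^[ \t]*idmap[ \t]+(?:(uid|gid)|config[ \t]+.+?:[ \t]*range)"
    r"[ \t]*=[ \t]*(\d+)[ \t]*-[ \t]*(\d+)[ \t]*$",
    re.IGNORECASE | re.MULTILINE)

# Sample input taken from the message above.
SMB_CONF = """
[global]
    idmap uid = 16777216-33554431
    idmap gid = 16777216-33554431
"""
ID_LINE = ("uid=2001107(user01) gid=2000513(domain users) "
           "groups=2000513(domain users),2001107(oec0814e),2001103(group01)")

def parse_idmap_ranges(smb_conf):
    """Return {'uid': [(lo, hi), ...], 'gid': [...]} from smb.conf text."""
    ranges = {"uid": [], "gid": []}
    for kind, lo, hi in RANGE_RE.findall(smb_conf):
        # An "idmap config ... : range" line covers both uids and gids.
        for k in ([kind.lower()] if kind else ["uid", "gid"]):
            ranges[k].append((int(lo), int(hi)))
    return ranges

def parse_id_output(line):
    """Return (uid, sorted unique gids) from one line of `id` output."""
    uid = int(re.search(r"\buid=(\d+)", line).group(1))
    gids = {int(re.search(r"\bgid=(\d+)", line).group(1))}
    groups = re.search(r"\bgroups=(\S.*)", line)
    if groups:
        found = re.findall(r"(?:^|,)(\d+)(?=\(|,|$)", groups.group(1))
        gids.update(int(g) for g in found)
    return uid, sorted(gids)

def ids_outside_ranges(smb_conf, id_line):
    """List ('uid'|'gid', number) pairs that no configured range can produce."""
    ranges = parse_idmap_ranges(smb_conf)
    uid, gids = parse_id_output(id_line)
    inside = lambda n, kind: any(lo <= n <= hi for lo, hi in ranges[kind])
    result = [] if inside(uid, "uid") else [("uid", uid)]
    return result + [("gid", g) for g in gids if not inside(g, "gid")]

if __name__ == "__main__":
    for kind, number in ids_outside_ranges(SMB_CONF, ID_LINE):
        print(f"{kind} {number} is outside every idmap range in smb.conf")
```

Any ID it reports was not allocated from the ranges in that smb.conf, which is the mismatch the message points out.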




