[Samba] Unable to get primary group information when using AD authentication with samba-4.10.4

Rowland Penny rpenny at samba.org
Fri Feb 21 09:09:53 UTC 2020

On 21/02/2020 04:54, Goto, Ryoichi wrote:
> Thank you for very easy-to-understand and courteous advice.

I reread your initial post and noticed something that I missed earlier, 
you had in smb.conf:

         idmap uid = 16777216-33554431
         idmap gid = 16777216-33554431

Yet, you were getting results like this:

id user01
uid=2001107(user01) gid=2000513(domain users) groups=2000513(domain 

'2000513' is less than '16777216'

Are you sure that you do not have sssd installed?

On top of the Samba packages you have installed, I would also expect:


/etc/krb5 should just be this:

          default_realm = TESTDOM.LOCAL
          dns_lookup_realm = false
          dns_lookup_kdc = true

Also, remove the link:

rm -rf /etc/krb5.conf.d/crypto-policies

On a CentOS 8 Unix domain member using the winbind 'rid' backend:

getent passwd rowland

Change to using the 'ad' backend, restart Samba and run 'net cache flush':

getent passwd rowland
rowland:*:10000:10010:Rowland Penny:/home/rowland:/bin/bash

id rowland
uid=10000(rowland) gid=10010(group12) groups=10010(group12),10000(domain 

I hope you can see that before the change 'rowland' had 'Domain Admins' 
as the primary group, but now has 'group12'
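
The range comparison made by eye in the message above ('2000513' is less than '16777216') can be scripted. The following is an added example, not part of the original post and not Samba project code: it reads the idmap ranges from smb.conf text and reports any uid/gid in `id` output that no configured range could have produced, which points at another resolver answering for the account. The sample inputs are constructed from the values quoted in the post, and the function names are hypothetical.

```python
import re

# Constructed sample inputs, using the range and IDs quoted in the post.
SMB_CONF = """
[global]
    ; legacy-style range parameters, as in the original poster's smb.conf
    idmap uid = 16777216-33554431
    idmap gid = 16777216-33554431
"""
ID_OUTPUT = "uid=2001107(user01) gid=2000513(domain users) groups=2000513(domain users)"

RANGE_RE = re.compile(
    r"^\s*idmap\s+(?:(uid|gid)|config\s+[^:]+:\s*range)\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
    re.IGNORECASE,
)

def parse_idmap_ranges(conf_text):
    """Collect every uid/gid range declared in smb.conf text."""
    ranges = {"uid": [], "gid": []}
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):  # smb.conf comment lines
            continue
        m = RANGE_RE.match(line)
        if not m:
            continue
        span = (int(m.group(2)), int(m.group(3)))
        # 'idmap config DOMAIN : range' covers both uids and gids.
        kinds = [m.group(1).lower()] if m.group(1) else ["uid", "gid"]
        for kind in kinds:
            ranges[kind].append(span)
    return ranges

def parse_id_output(line):
    """Extract the numeric IDs from one line of `id` output."""
    ids = {"uid": [int(n) for n in re.findall(r"\buid=(\d+)", line)],
           "gid": [int(n) for n in re.findall(r"\bgid=(\d+)", line)]}
    groups = re.search(r"\bgroups=(\S.*)$", line)
    if groups:  # supplementary groups: "id(name),id(name),..."
        ids["gid"] += [int(n) for n in re.findall(r"(?:^|,)(\d+)", groups.group(1))]
    return ids

def ids_outside_ranges(conf_text, id_line):
    """Return sorted (kind, id) pairs that fall outside every idmap range."""
    ranges, ids = parse_idmap_ranges(conf_text), parse_id_output(id_line)
    return sorted({(kind, n) for kind, nums in ids.items() for n in nums
                   if not any(lo <= n <= hi for lo, hi in ranges[kind])})

if __name__ == "__main__":
    for kind, n in ids_outside_ranges(SMB_CONF, ID_OUTPUT):
        print(f"{kind} {n} is outside every idmap range in smb.conf")
```

Run it only against domain accounts: local users from /etc/passwd legitimately have IDs outside the idmap ranges.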

