[Samba] Unable to get primary group information when using AD authentication with samba-4.10.4

Rowland penny rpenny at samba.org
Fri Feb 28 08:47:15 UTC 2020

On 28/02/2020 06:51, Goto, Ryoichi wrote:
> Mr. Roland,
> I missed the instruction email from you. sorry.
OK, I just installed:

samba samba-winbind samba-winbind-clients krb5-workstation

I removed these:

sssd sssd* realmd

Now for your files:

Your /etc/hostname is wrong; it should contain only your computer's short 
hostname: ms2

/etc/hosts should look like this (if using dhcp):

127.0.0.1   localhost
::1         localhost

However, if the computer has a fixed IP, then you also need a line like 

ComputerIP ms2.testdom.local ms2

Run this: rm -f /etc/krb5.conf.d/crypto-policies

Then make /etc/krb5.conf look like this:

[libdefaults]
     default_realm = TESTDOM.LOCAL
     dns_lookup_realm = false
     dns_lookup_kdc = true

Change /etc/nsswitch.conf to this:

# /etc/nsswitch.conf
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
# Valid entries include:
#    nisplus              Use NIS+ (NIS version 3)
#    nis                  Use NIS (NIS version 2), also called YP
#    dns                  Use DNS (Domain Name Service)
#    files                Use the local files in /etc
#    db                   Use the pre-processed /var/db files
#    compat               Use /etc files plus *_compat pseudo-databases
#    hesiod               Use Hesiod (DNS) for user lookups
#    [NOTFOUND=return]    Stop searching if not found so far

passwd:      files winbind systemd
shadow:      files systemd
group:       files winbind systemd

hosts:      files dns myhostname

bootparams: files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   nis

publickey:  files

automount:  files
aliases:    files

/etc/resolv.conf looks okay, provided that is the IP of a DC.

Try this /etc/samba/smb.conf

[global]
         workgroup = TESTDOM
         security = ADS
         realm = TESTDOM.LOCAL

         dedicated keytab file = /etc/krb5.keytab
         kerberos method = secrets and keytab

         winbind use default domain = yes
         winbind expand groups = 2
         winbind refresh tickets = Yes

         idmap config * : backend = tdb
         idmap config * : range = 3000-7999
         idmap config TESTDOM : backend = ad
         idmap config TESTDOM : range = 10000-999999
         idmap config TESTDOM : schema_mode = rfc2307
         idmap config TESTDOM : unix_nss_info = yes
         template shell = /bin/bash
         template homedir = /home/%U

         domain master = no
         local master = no
         preferred master = no

         # user Administrator workaround, without it you are unable to set privileges
         username map = /etc/samba/user.map

         # For ACL support on domain member
         vfs objects = acl_xattr
         map acl inherit = Yes

         log file = /var/log/samba/log.%m
         max log size = 50
         log level = 4

The only other thing I would comment on is that you shouldn't use '.local' 
as your TLD; it is reserved for Bonjour and Avahi.
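A small diagnostic for the "primary group" problem, added here and not part of the list post: with the smb.conf above, winbind only maps a domain user whose primary group lies in the TESTDOM idmap range and carries a gidNumber in AD, and this script checks both conditions for each passwd entry it is given. The function names and the sample passwd/group lines are this example's own constructions.

```sh
#!/bin/sh
# Added diagnostic (not from the list post) for a member using
# "idmap config TESTDOM : backend = ad". A user's primary GID must
# (1) lie in the domain range (10000-999999 above; IDs outside it are never
# mapped from AD) and (2) resolve to a group, i.e. the AD group has a gidNumber.

TESTDOM_RANGE_MIN=10000
TESTDOM_RANGE_MAX=999999

in_testdom_range() {   # in_testdom_range ID -> exit 0 if ID is inside the range
    [ "$1" -ge "$TESTDOM_RANGE_MIN" ] && [ "$1" -le "$TESTDOM_RANGE_MAX" ]
}

# check_primary_groups LOOKUP_FN   (passwd lines on stdin)
# LOOKUP_FN GID must exit 0 when GID resolves to a group.
# Prints one line per problem; returns 0 only when every entry is clean.
check_primary_groups() {
    lookup=$1
    rc=0
    while IFS=: read -r user pw uid gid rest; do
        [ -n "$user" ] || continue
        if ! in_testdom_range "$gid"; then
            echo "$user: primary gid $gid is outside the TESTDOM idmap range"
            rc=1
        elif ! "$lookup" "$gid"; then
            echo "$user: primary gid $gid does not resolve to a group (gidNumber missing in AD?)"
            rc=1
        fi
    done
    return $rc
}

# Lookup for a real member: getent asks winbind through the nsswitch.conf above.
getent_group_lookup() { getent group "$1" >/dev/null 2>&1; }

# Constructed sample data standing in for getent passwd / getent group output:
# alice is fine, bob's gid is outside the range, carol's group has no gidNumber.
SAMPLE_PASSWD='alice:*:10001:10000:Alice:/home/alice:/bin/bash
bob:*:10002:3001:Bob:/home/bob:/bin/bash
carol:*:10003:10005:Carol:/home/carol:/bin/bash'
SAMPLE_GROUPS='domain users:x:10000:'
sample_group_lookup() {
    printf '%s\n' "$SAMPLE_GROUPS" | awk -F: -v g="$1" '$3 == g { found = 1 } END { exit !found }'
}

# On a joined member: for u in alice bob; do getent passwd "$u"; done | check_primary_groups getent_group_lookup
if [ "${1-}" = "--sample" ]; then
    printf '%s\n' "$SAMPLE_PASSWD" | check_primary_groups sample_group_lookup
fi
```

Run it with `--sample` to see the two constructed failures; on a real member pipe `getent passwd <user>` lines into `check_primary_groups getent_group_lookup`.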
