[Samba] net ads status stripped output

Markus Lindberg Markus.Lindberg at axis.com
Wed Jun 3 09:39:29 UTC 2020


Hi all,

I have successfully joined an Ubuntu 20.04 (focal) machine to an
Active Directory domain using ADS. Running the `net ads status` command
does not output the information that I expect.

This is an example of running `net ads status` on an Ubuntu 20.04
(focal) machine running Samba version 4.11.6-Ubuntu.

# net ads status
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
userAccountControl: 4096
sAMAccountName: VB-LNXMARKLIND1$
dNSHostName: vb-lnxmarklind1.example.com
servicePrincipalName: RestrictedKrbHost/VB-LNXMARKLIND1
servicePrincipalName: HOST/VB-LNXMARKLIND1
servicePrincipalName: RestrictedKrbHost/VB-LNXMARKLIND1.example.com
servicePrincipalName: HOST/VB-LNXMARKLIND1.example.com
msDS-SupportedEncryptionTypes: 31

This is an example of running `net ads status` on an Ubuntu 18.04
(bionic) machine running Samba version 4.7.6-Ubuntu.

# net ads status
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: PC35864-1931
description: SE
distinguishedName: CN=PC35864-1931,OU=Clients,OU=SE,OU=Example,DC=example,DC=com
instanceType: 4
whenCreated: 20190801125845.0Z
whenChanged: 20200513124018.0Z
uSNCreated: 395716025
memberOf: CN=radgroup,OU=Groups,OU=SE,OU=Example,DC=example,DC=com
uSNChanged: 424497188
name: PC35864-1931
objectGUID: 06df8355-2b1f-417b-acaa-9a25b51df1fc
userAccountControl: 69632
codePage: 0
countryCode: 0
lastLogon: 132344471312139041
localPolicyFlags: 0
pwdLastSet: 132091379258085988
primaryGroupID: 515
objectSid: S-1-5-21-1801674531-113007714-682003330-67625
accountExpires: 9223372036854775807
logonCount: 13
sAMAccountName: PC35864-1931$
sAMAccountType: 805306369
operatingSystem: Linux Client
operatingSystemVersion: Ubuntu bionic
operatingSystemServicePack: Samba 4.7.6-Ubuntu
dNSHostName: pc35864-1931.se.example.com
managedBy: CN=John Doe,OU=Users,OU=SE,OU=Example,DC=example,DC=com
userPrincipalName: host/pc35864-1931.se.example.com@EXAMPLE.COM
servicePrincipalName: HOST/pc35864-1931.se.example.com
servicePrincipalName: HOST/PC35864-1931
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=example,DC=com
isCriticalSystemObject: FALSE
dSCorePropagationData: 20190801130024.0Z
dSCorePropagationData: 20190801130024.0Z
dSCorePropagationData: 20190801130024.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 132338463131471292
msDS-SupportedEncryptionTypes: 31

If we compare these two commands there are a lot of missing LDAP
attributes for the first command run on Ubuntu 20.04 running Samba
version 4.11.6-Ubuntu.

Both machines were joined to the same Active Directory domain using the
following command.

command

This is the Samba config being used (displayed using the testparm command).

# testparm 
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Can't find include file /etc/samba/local_shares.conf
Loaded services file OK.
'winbind separator = +' might cause problems with group membership.

Server role: ROLE_DOMAIN_MEMBER

Press enter to see a dump of your service definitions

# Global parameters
[global]
	client ldap sasl wrapping = seal
	disable netbios = Yes
	kerberos method = secrets and keytab
	lm announce = No
	logging = syslog@1 file
	realm = EXAMPLE.COM
	restrict anonymous = 2
	security = ADS
	server min protocol = NT1
	template shell = /bin/bash
	winbind expand groups = 2
	winbind offline logon = Yes
	winbind refresh tickets = Yes
	winbind separator = +
	winbind use default domain = Yes
	workgroup = EXAMPLENET
	idmap config * : range = 300000-400000
	idmap config examplenet:unix_nss_info = yes
	idmap config examplenet:gid = 120-65535
	idmap config examplenet:uid = 120-65535
	idmap config examplenet:default = yes
	idmap config examplenet:range = 200-30000
	idmap config examplenet:backend = ad
	idmap config * : backend = tdb
	include = /etc/samba/local_shares.conf

Note: I have substituted the domain which I'm using with "example.com"
and the AD domain with "EXAMPLENET" for policy reasons.

Cheers!

--
Markus
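
Added example (not part of the original post, and not Samba code): a small Python script that diffs the attribute names of two `net ads status` outputs and decodes the two bitmask attributes present in both. The samples are constructed subsets of the outputs quoted above; the function names and the selection of `userAccountControl` bits are this example's own choices.

```python
from collections import defaultdict

# Constructed samples: subsets of the two outputs quoted in the post.
FOCAL = """\
objectClass: top
objectClass: computer
userAccountControl: 4096
sAMAccountName: VB-LNXMARKLIND1$
dNSHostName: vb-lnxmarklind1.example.com
msDS-SupportedEncryptionTypes: 31
"""
BIONIC = """\
objectClass: top
objectClass: computer
distinguishedName: CN=PC35864-1931,OU=Clients,OU=SE,OU=Example,DC=example,DC=com
userAccountControl: 69632
pwdLastSet: 132091379258085988
sAMAccountName: PC35864-1931$
operatingSystem: Linux Client
dNSHostName: pc35864-1931.se.example.com
msDS-SupportedEncryptionTypes: 31
"""

# Bit values as documented by Microsoft (only a few UAC bits listed here).
UAC = {0x0002: "ACCOUNTDISABLE", 0x1000: "WORKSTATION_TRUST_ACCOUNT",
       0x10000: "DONT_EXPIRE_PASSWORD", 0x80000: "TRUSTED_FOR_DELEGATION"}
ENCTYPES = {0x01: "DES-CBC-CRC", 0x02: "DES-CBC-MD5", 0x04: "RC4-HMAC",
            0x08: "AES128-CTS-HMAC-SHA1-96", 0x10: "AES256-CTS-HMAC-SHA1-96"}

def parse(text):
    """Parse 'attr: value' lines into {attr: [values]}; attributes may repeat."""
    attrs = defaultdict(list)
    for line in text.splitlines():
        name, sep, value = line.partition(": ")
        if sep:
            attrs[name].append(value)
    return dict(attrs)

def missing(short, full):
    """Attribute names present in `full` but absent from `short`."""
    return sorted(set(parse(full)) - set(parse(short)))

def decode(value, table):
    """Names of the known bits set in an integer bitmask attribute."""
    return [name for bit, name in sorted(table.items()) if int(value) & bit]

if __name__ == "__main__":
    print("missing on 20.04:", missing(FOCAL, BIONIC))
    print("UAC 4096 :", decode("4096", UAC))
    print("UAC 69632:", decode("69632", UAC))
```
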

