[Samba] net ads status stripped output

Markus Lindberg Markus.Lindberg at axis.com
Wed Jun 3 09:39:29 UTC 2020

Hi all,

I have successfully joined a Ubuntu 20.04 (focal) machine to a
Active Directory domain using ADS. Running the `net ads status` command
does not output the information that I expect.

This is an example of running `net ads status` on a Ubuntu 20.04
(focal) machine running Samba version 4.11.6-Ubuntu.

# net ads status
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
userAccountControl: 4096
dNSHostName: vb-lnxmarklind1.example.com
servicePrincipalName: RestrictedKrbHost/VB-LNXMARKLIND1
servicePrincipalName: HOST/VB-LNXMARKLIND1
servicePrincipalName: RestrictedKrbHost/VB-LNXMARKLIND1.example.com
servicePrincipalName: HOST/VB-LNXMARKLIND1.example.com
msDS-SupportedEncryptionTypes: 31

This is an example of running `net ads status` on a Ubuntu 18.04
(bionic) machine running Samba version 4.7.6-Ubuntu.

# net ads status
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: PC35864-1931
description: SE
distinguishedName: CN=PC35864-1931,OU=Clients,OU=SE,OU=Example,DC=example,DC=com
instanceType: 4
whenCreated: 20190801125845.0Z
whenChanged: 20200513124018.0Z
uSNCreated: 395716025
memberOf: CN=radgroup,OU=Groups,OU=SE,OU=Example,DC=example,DC=com
uSNChanged: 424497188
name: PC35864-1931
objectGUID: 06df8355-2b1f-417b-acaa-9a25b51df1fc
userAccountControl: 69632
codePage: 0
countryCode: 0
lastLogon: 132344471312139041
localPolicyFlags: 0
pwdLastSet: 132091379258085988
primaryGroupID: 515
objectSid: S-1-5-21-1801674531-113007714-682003330-67625
accountExpires: 9223372036854775807
logonCount: 13
sAMAccountName: PC35864-1931$
sAMAccountType: 805306369
operatingSystem: Linux Client
operatingSystemVersion: Ubuntu bionic
operatingSystemServicePack: Samba 4.7.6-Ubuntu
dNSHostName: pc35864-1931.se.example.com
managedBy: CN=John Doe,OU=Users,OU=SE,OU=Example,DC=example,DC=com
userPrincipalName: host/pc35864-1931.se.example.com at EXAMPLE.COM
servicePrincipalName: HOST/pc35864-1931.se.example.com
servicePrincipalName: HOST/PC35864-1931
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=example,DC=com
isCriticalSystemObject: FALSE
dSCorePropagationData: 20190801130024.0Z
dSCorePropagationData: 20190801130024.0Z
dSCorePropagationData: 20190801130024.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 132338463131471292
msDS-SupportedEncryptionTypes: 31

If we compare these two commands there are a lot of missing LDAP
attributes for the first command run on Ubuntu 20.04 running Samba
version 4.11.6-Ubuntu.

Both machines were joined to the same Active Directory domain using the
following command.


This is Samba config being used (displayed using testparm command).

# testparm 
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Can't find include file /etc/samba/local_shares.conf
Loaded services file OK.
'winbind separator = +' might cause problems with group membership.


Press enter to see a dump of your service definitions

# Global parameters
	client ldap sasl wrapping = seal
	disable netbios = Yes
	kerberos method = secrets and keytab
	lm announce = No
	logging = syslog at 1 file
	realm = EXAMPLE.COM
	restrict anonymous = 2
	security = ADS
	server min protocol = NT1
	template shell = /bin/bash
	winbind expand groups = 2
	winbind offline logon = Yes
	winbind refresh tickets = Yes
	winbind separator = +
	winbind use default domain = Yes
	workgroup = EXAMPLENET
	idmap config * : range = 300000-400000
	idmap config examplenet:unix_nss_info = yes
	idmap config examplenet:gid = 120-65535
	idmap config examplenet:uid = 120-65535
	idmap config examplenet:default = yes
	idmap config examplenet:range = 200-30000
	idmap config examplenet:backend = ad
	idmap config * : backend = tdb
	include = /etc/samba/local_shares.conf

Note: I have substituted the domain which I'm using with "example.com"
and the AD domain with "EXAMPLENET" for policy reasons.



More information about the samba mailing list