[Samba] net ads status stripped output

Rowland Penny rpenny at samba.org
Wed Jun 3 12:24:39 UTC 2020


On 03/06/2020 12:44, Markus Lindberg wrote:
> I guess I'm running it as a 'normal' user as it is not a member of the
> 'Domain Admins' group. Though worth noting this does work on Ubuntu
> 18.04 running Samba version 4.7.6-Ubuntu. Has there been some added
> restrictions when running `net ads status`? In my case I think I'm
> authenticating using a Kerberos ticket using a (service) account which
> has some additional access apart from a 'normal' domain user. To
> reiterate, this worked before.
There have been numerous updates between 4.7.x and 4.11.x; any of these
could have caused the change.
>
>> This is Samba config being used (displayed using testparm command).
>>
>> # testparm
>>
>> [global]
>>
>>        server min protocol = NT1
> Why 'NT1' ?
You never explained why you are using 'NT1'.
> Not sure but I can update these options.
I hope by 'update' you mean 'remove' ;-)
>>> Why are you using the range '200-30000' ?
> Same thing, I'm not sure, but I will update this one as well.
>
>>> Have you added any uidNumber and gidNumber attributes to AD ?
> No since we are not using Samba to authenticate any users on the Ubuntu
> machines. We only use Samba to join the computer to the Active Directory
> domain.

Reading between the lines, it sounds like you are using sssd, if so, you 
need to configure smb.conf to use idmap_sss and have no shares. You 
cannot use sssd with Samba >= 4.8.0 and have shares.

If you are going to use idmap_ad (backend = ad), then you must add
uidNumber and gidNumber attributes to AD.

>
>>        include = /etc/samba/local_shares.conf
>>
>>> What is in the include file ?
> This file is empty and is intended as a config for users to maintain
> since the main ("smb.conf") config is maintained by a configuration
> manager (CFEngine). For example if a user wants to setup a share.
This is wrong as well; for that you should be using usershares.
>
> I will most likely update the config to reflect the recommended options
> from the wiki [1].
>
> [1] https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Configuring_Samba

Definitely read that, there is a lot of good info in it (and it will 
save me typing it again) ;-)

Rowland
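
Added example, not part of the original message and not Samba's own tooling: a small Python check that applies the points raised in this reply to an smb.conf (or `testparm -s` output). The domain name SAMDOM, the [scratch] share, the finding codes and the sample text are constructed for illustration.

```python
import re

LEGACY = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}  # SMB1-era dialects

def parse(text):
    """Return {section: {param: value}}; names lower-cased, whitespace collapsed."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

def review(text):
    """Return the codes of the thread's findings that apply to this config."""
    conf = parse(text)
    g = conf.get("global", {})
    shares = [s for s in conf if s != "global"]
    backends = {v.lower() for k, v in g.items()
                if re.fullmatch(r"idmap config .+:\s*backend", k)}
    found = []
    if g.get("server min protocol", "").upper() in LEGACY:
        found.append("smb1-allowed")        # 'server min protocol = NT1': remove it
    if "sss" in backends and shares:
        found.append("sss-with-shares")     # thread: no shares with sssd on Samba >= 4.8.0
    if "ad" in backends:
        found.append("ad-needs-uid-gid")    # thread: uidNumber/gidNumber must exist in AD
    if "include" in g:
        found.append("include-for-shares")  # thread: use usershares instead
    return found

# Constructed sample; SAMDOM and [scratch] are placeholders.
SAMPLE = """\
[global]
    security = ADS
    server min protocol = NT1
    idmap config * : backend = tdb
    idmap config SAMDOM : backend = sss
    include = /etc/samba/local_shares.conf
[scratch]
    path = /srv/scratch
"""

if __name__ == "__main__":
    print(review(SAMPLE))
```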





