[Samba] net ads status stripped output

Rowland penny rpenny at samba.org
Wed Jun 3 15:13:00 UTC 2020

On 03/06/2020 15:38, Markus Lindberg wrote:
> Nope, we are using good old local accounts added to passwd and shadow.
Users added to /etc/passwd on an AD joined machine are just local users 
and you cannot have the same username in /etc/passwd and AD.
> Does this apply _even_ if I'm using Samba to authenticate any users? I
> do not fully comprehed how Samba works, which I need to read up on. Is
> it perhaps used if a user mounts a network share via cifs?

If you use the winbind 'ad' backend, you must add a unique uidNumber to 
your users in AD (which, as I said, must not exist in /etc/passwd), you 
must also add a gidNumber attribute to Domain Users. All of these 
numbers must be inside the DOMAIN range you set in smb.conf, for 
instance, if your line is:

idmap config SAMDOM : range = 10000-999999

All the numbers must be inside '10000-999999' and you can have a user 
with the same uidNumber as a groups gidNumber. i.e. a users uidNumber 
could be '10000' and the group Domain Users could have the gidNumber 

If you do not want to add anything to AD, you could use the rid backend, 
but you would need to use exactly the same smb.conf on all Unix 
machines. The part about not having users & groups in /etc/passwd & 
/etc/group and in AD would still apply though.


More information about the samba mailing list