[Samba] Samba as a domain member:

Vieri Di Paola vieridipaola at gmail.com
Tue Jun 16 10:51:23 UTC 2020

OK, interesting debate, but I still can't convert to SID.
I still get messages such as this one:

AUTH-PAM: BACKGROUND: my_conv[0] query='Cannot convert group GROUP to
sid, please contact your administrator to see if group GROUP is
valid.' style=4

# wbinfo -t
checking the trust secret for domain DOMAIN via RPC calls succeeded

# wbinfo --ping-dc
checking the NETLOGON for domain[DOMAIN] dc connection to
"dc02.domain.org" succeeded

# net ads info
LDAP server:
LDAP server name: dc02.domain.org
Bind Path: dc=DOMAIN,dc=ORG
LDAP port: 389
Server time: Tue, 16 Jun 2020 12:41:24 CEST
KDC server:
Server time offset: 0
Last machine account password change: Mon, 15 Jun 2020 11:37:02 CEST

This is my smb.conf file now:

   workgroup = DOMAIN
   security = ADS
   realm = DOMAIN.ORG
   winbind refresh tickets = Yes
   vfs objects = acl_xattr
   map acl inherit = Yes
   store dos attributes = Yes
   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab
   winbind use default domain = yes
   ; remove when in production:
   winbind enum users = yes
   winbind enum groups = yes
   load printers = no
   printing = bsd
   printcap name = /dev/null
   disable spoolss = yes
   log file = /var/log/samba/%m.log
   log level = 1
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config DOMAIN : backend = rid
   idmap config DOMAIN : range = 10000-999999
   template shell = /bin/bash
   template homedir = /home/%U
   server string = SMB1
   pam password change = yes
   obey pam restrictions = yes
   dos charset = 850
   unix charset = ISO8859-1

I shouldn't define "idmap gid = " and "idmap uid = " here, right?

I'm not sure what to try next.


More information about the samba mailing list