[Samba] Unable to get primary group information when using AD authentication with samba-4.10.4

Rowland Penny rpenny at samba.org
Thu Mar 12 09:48:38 UTC 2020


On 11/03/2020 23:53, Goto, Ryoichi wrote:
> Hi, Rowland.
>
> Two days ago I sent the following email:
> So far you have given the answer that day, but this time it has not.
> Would you please reply to my email if you like?
> I used the property / attribute editor on the AD side and set the values of gidNumber and uidNumber of the user within the range.
> The "wbinfo -i" command gives the error "unknown user". Is there any other reason why the "ad" backend doesn't work? For example, it
> uses Redhat's samba package.
>
> Running "wbinfo -i" or "id":
> [root @ ms2 ~] # net ads join -U administrator
> Enter administrator's password:
> Using short domain name-TESTDOM
> Joined 'MS2' to dns domain 'oita-nhs.local'
> [root @ ms2 ~] # wbinfo -i oec0814e
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user oec0814e
> [root @ ms2 ~] # id oec0814e
> id: `oec0814e ': no such user
> [root @ ms2 ~] # wbinfo -u
> oec0814e

As far as I am aware, you should be able to use any OS Samba packages as a 
Unix domain member, it is just certain OS's that do not provide packages 
that can be used as a DC.

What is worrying is that 'wbinfo -i' doesn't work. 'wbinfo' should go 
direct to AD (via winbind), so is there a firewall blocking any of the 
required ports? See here: 
https://wiki.samba.org/index.php/Samba_AD_DC_Port_Usage

Is SELinux or AppArmor running?

Is sssd installed?

This should work and when it doesn't, it is usually down to a 
misconfiguration or missing uidNumber or gidNumber attributes. At a 
minimum, any user you wish to be visible on a Unix domain member must 
have a uidNumber and the Domain Users group must have a gidNumber.

Try running 'net cache flush'

Rowland
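
The attribute requirement discussed above, as an added example that is not part of the original message: a Python check over an LDAP export that reports whether a user has a uidNumber and whether its primary group (found through primaryGroupID, 513 = Domain Users by default) has a gidNumber, both inside the idmap range. The sample entries, DNs, SID and the 10000-999999 range are constructed, and `parse_ldif`, `rid` and `check_user` are hypothetical helper names.

```python
import base64

# Constructed sample export: DNs, SID and ID numbers are made up for illustration.
SAMPLE_LDIF = """\
dn: CN=oec0814e,CN=Users,DC=example,DC=test
sAMAccountName: oec0814e
uidNumber: 10001
primaryGroupID: 513

dn: CN=Domain Users,CN=Users,DC=example,DC=test
sAMAccountName: Domain Users
objectSid: S-1-5-21-1-2-3-513
"""

def parse_ldif(text):
    """Split simple LDIF (no folded lines) into one {attribute: value} dict per entry."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            # "attr:: value" marks base64 data (binary attributes such as objectSid)
            entry[name] = base64.b64decode(value[1:].strip()) if value.startswith(":") else value.strip()
        entries.append(entry)
    return entries

def rid(sid):
    """RID = last sub-authority of a SID, given as 'S-1-5-21-...' text or raw bytes."""
    if isinstance(sid, bytes):
        return int.from_bytes(sid[-4:], "little")
    return int(sid.rsplit("-", 1)[1])

def check_user(entries, user, low, high):
    """Return the reasons `user` lacks usable Unix IDs for an idmap range low-high."""
    def in_range(entry, attr):
        value = entry.get(attr)
        return value is not None and value.isdigit() and low <= int(value) <= high
    account = next((e for e in entries if e.get("sAMAccountName") == user), None)
    if account is None:
        return [f"{user}: no such entry in the export"]
    problems = []
    if not in_range(account, "uidNumber"):
        problems.append(f"{user}: uidNumber missing or outside {low}-{high}")
    pgid = int(account.get("primaryGroupID", "513"))  # 513 = Domain Users
    group = next((e for e in entries if "objectSid" in e and rid(e["objectSid"]) == pgid), None)
    if group is None:
        problems.append(f"primary group with RID {pgid} is not in the export")
    elif not in_range(group, "gidNumber"):
        problems.append(f"{group['sAMAccountName']}: gidNumber missing or outside {low}-{high}")
    return problems
```

On the constructed sample, `check_user(parse_ldif(SAMPLE_LDIF), "oec0814e", 10000, 999999)` reports only the Domain Users group, because the user has a uidNumber but the group has no gidNumber.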




