[Samba] samba-4-10 as Win2k16 member

Rowland Penny rpenny at samba.org
Tue Mar 24 19:21:09 UTC 2020

On 24/03/2020 18:56, Dipl.-Ing. Péter Varkoly via samba wrote:
> Hi,
> I want to join samba 4.10.13 to a Win2k16 Server as a member. The join
> was successful:
> net ads join -U administrator
> Using short domain name -- CRANIX
> Joined 'ADMIN' to dns domain 'cranix.win'
> wbinfo -u lists all users. But wininfo -u <username> delivers the following
> error:
> wbinfo -i administrator
Forget Administrator on Unix domain member
> Based on https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
Yes, but only vaguely ;-)
> What went wrong?
Could be numerous things: you didn't read the pages correctly, you 
didn't add any uidNumber & gidNumber attributes to AD (they are not 
added automatically), or you are using sssd.

Try this smb.conf:

         realm = CRANIX.WIN
         workgroup = CRANIX
         security = ADS

         bind interfaces only = yes
         interfaces =,

         vfs objects = acl_xattr
         map acl inherit = Yes
         dedicated keytab file = /etc/krb5.keytab
         kerberos method = secrets and keytab
         winbind use default domain = yes
         winbind refresh tickets = Yes

         idmap config * : backend = tdb
         idmap config * : range = 3000-7999
         idmap config CRANIX : backend = rid
         idmap config CRANIX : range = 10000-999999

         # user Administrator workaround, without it you are unable to set privileges
         username map = /etc/samba/user.map

Create the user.map:

echo '!root = Administrator' > /etc/samba/user.map

With that smb.conf, you will not have to add anything to AD.

Also, if you are using sssd, you should remove it; you cannot use sssd 
with Samba >= 4.8.0 running as a fileserver.

