[Samba] wbinfo work getent passwd does

basti mailinglist at unix-solution.de
Wed Apr 21 13:10:38 UTC 2021



On 14.04.21 15:24, Rowland penny via samba wrote:
> On 14/04/2021 14:05, basti via samba wrote:
>>
>>
>> yes, the uid=100 is seen on the AD DC.
>> On a DC in another domain, upgraded from NT4, it looks like:
>> gid=30000(BUILTIN\users) groups=30000(BUILTIN\users)
> 
> 
> I would suggest you remove that gidNumber from 'dn: 
> CN=Users,CN=Builtin,.......'
> 
>>
>> sorry, my greylister delayed your message.
>> yes, all users have:
>>
>> - uidNumber
>> - gidNumber
> 
> 
> Yes, but are they in the range you set in smb.conf for the DOMAIN ?
> 
>>
>>>
>>> You could try changing these lines:
>>>
>>>    idmap config SAMDOM:backend = ad
>>>    idmap config SAMDOM:schema_mode = rfc2307
>>>    idmap config SAMDOM:range = 7000-20000
>>> For these:
>>>
>>>    idmap config SAMDOM:backend = rid
>>>    idmap config SAMDOM:range = 7000-20000
>>>
>>> Restart Samba and see if 'getent passwd A_USERNAME' works, replace 
>>> A_USERNAME with a valid AD user.
>>
>> for now it works, I do not understand what the problem was before.
> 
> 
> If it works with the 'rid' backend, then your range for the 'ad' backend 
> does not match the uidNumber & gidNumber attributes in AD.
> 
> Rowland
getent passwd does not work anymore:
wbinfo shows domain users.


[global]

    security = ADS
    workgroup = NET
    realm = NET.EXAMPLE.COM

    log file = /var/log/samba/%m.log
    log level = 3

    idmap config * : backend = tdb
    idmap config * : range = 1000-6999

    # idmap config for the NET domain
    idmap config NET:backend = ad
    idmap config NET:schema_mode = rfc2307
    idmap config NET:range = 7000-20000

    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes

    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes

    # https://lists.samba.org/archive/samba/2014-August/184359.html
    winbind refresh tickets = yes

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

####### Authentication #######

# Server role. Defines in which mode Samba will operate. Possible
# values are "standalone server", "member server", "classic primary
# domain controller", "classic backup domain controller", "active
# directory domain controller".
#
# Most people will want "standalone server" or "member server".
# Running as "active directory domain controller" will require first
# running "samba-tool domain provision" to wipe databases and create a
# new domain.
    server role = member server



on dc:

dc1:~# getent passwd user1
NET\user1:*:7101:100::/home/NET/user1:/bin/false
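A quick way to check Rowland's point that, with the 'ad' backend, every uidNumber and gidNumber has to sit inside the domain's idmap range. This is an added example, not code from the thread: it parses the idmap lines of the smb.conf above and the passwd line printed on the DC (both copied from the post), and reports any attribute outside the range; the function names are my own.

```python
import re

# Constructed sample input, copied from the post: the idmap lines of the
# member server's smb.conf and the passwd line printed on the DC.
SMB_CONF = """
[global]
    idmap config * : backend = tdb
    idmap config * : range = 1000-6999
    idmap config NET:backend = ad
    idmap config NET:schema_mode = rfc2307
    idmap config NET:range = 7000-20000
"""
PASSWD_LINES = ["NET\\user1:*:7101:100::/home/NET/user1:/bin/false"]

IDMAP_RE = re.compile(r"^\s*idmap config\s*(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(conf):
    """Return {domain: {'backend': ..., 'range': (lo, hi)}} from smb.conf text."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(dom, {})
        if key == "range":
            lo, hi = (int(x) for x in val.split("-"))
            entry["range"] = (lo, hi)
        else:
            entry[key] = val.lower()
    return domains


def check_users(domains, passwd_lines, workgroup):
    """Return (user, attribute, value, lo, hi) for every uidNumber/gidNumber
    outside the 'ad' range of the user's domain; winbind drops the whole user
    when either number is out of range."""
    problems = []
    for line in passwd_lines:
        name, _, uid, gid = line.split(":")[:4]
        # 'winbind use default domain = yes' strips the DOMAIN\ prefix.
        dom = name.split("\\")[0].upper() if "\\" in name else workgroup.upper()
        cfg = domains.get(dom, {})
        if cfg.get("backend") != "ad" or "range" not in cfg:
            continue
        lo, hi = cfg["range"]
        for attr, value in (("uidNumber", int(uid)), ("gidNumber", int(gid))):
            if not lo <= value <= hi:
                problems.append((name, attr, value, lo, hi))
    return problems
```

For the data in this post it flags user1's gidNumber 100 (the primary group) against the NET range 7000-20000, which is the mismatch Rowland describes.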