[Samba] New AD-DC missing some DNS Information

Rowland penny rpenny at samba.org
Sun Feb 14 21:08:26 UTC 2021

On 14/02/2021 20:34, Robert Steinmetz AIA wrote:
> Robert Steinmetz AIA wrote:
>> Thank you for all your help. Tomorrow I'm going to try again.
> I've redone my AD_DC and it seems to be working but I have some new 
> questions.
> I also have a couple of loose ends, samba-ad-dc is not starting on 
> boot and /etc/resolv.conf is being overwritten, even though I disabled 
> systemd-resolved. I think those are systemd issues - I'll figure them 
> out.
> In an earlier response it was mentioned that all AD users were Unix 
> users, how do they set the Unix parameters like shell and home 
> directory, does that come from system defaults? Do standard Unix 
> utilities work on those users like passwd?

Let's start with a couple of Linux commands:

rowland at devstation:~$ getent passwd rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
rowland at devstation:~$ grep 'rowland' /etc/passwd
rowland at devstation:~$

They clearly show that 'rowland' is a Unix user but isn't in /etc/passwd.

If you use the 'ad' backend on Unix domain members, then you can use the 
uidNumber and gidNumber attributes from AD along with the other rfc2307 
attributes; you can also opt to set the Unix home directories & login 
shell in the smb.conf (note: this is the only way to set these on an AD DC 
or when using any other winbind backend).

Try reading: 

man idmap_ad

man idmap_rid

> We have in the past used the /homes share to connect users to their 
> Linux home directory.

You can still use the 'homes' share, though you will probably need a 
'root preexec' script to create the user's directory as they connect (I 
can help you with this). Note that you shouldn't confuse a user's Unix 
share with the user's Windows home directory.

> I already have some Linux users in the passwd file.

If those users also need to be in AD, then you should remove them from 
/etc/passwd, they cannot be in both places.

> Is it possible for them to remain in /etc/passwd and create a 
> user with the same name in the AD?

No, see above, also there is absolutely no need.

> Or should I add them to AD using samba-tool and provide the info from 
> /etc/passwd then delete the user from the passwd file.

In order: yes, probably no, and yes. Unless there is a really good reason 
to use IDs in the 1000 plus range (I cannot think of one, but who knows).

> That seems implied in some of the documentation I read.

If it was our documentation, then where ? I will amend it to make it 
plain that users and groups should only be in AD.

> Fortunately I don't have many on this computer. I like all users to be 
> both windows and Linux users.

That is very easy, as unlike earlier versions of Samba, you only need 
the user in one place, AD.
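Added example (not from this post or from the Samba project): a small POSIX sh script that does the mechanical jobs touched on above, with its sample data constructed inline. It lists the local accounts in the human UID range, flags any name that exists both in /etc/passwd and in AD (the "cannot be in both places" rule), prints the samba-tool command that recreates a local account in AD with its rfc2307 attributes, and carries the 'root preexec' home-directory creator for the [homes] share that was offered above but not posted. The passwd lines, the AD user list and the /usr/local/sbin/mkhome.sh path are assumptions; the samba-tool options are the documented ones from 'samba-tool user create --help'.

```sh
#!/bin/sh
# Added example, not code from the Samba list post or from the Samba project.
# Helpers for the migration discussed in the thread: local /etc/passwd users
# that must move into AD (an account may exist in only one place) and a
# 'root preexec' home directory creator for the [homes] share. The sample
# data below is constructed; the mkhome.sh path is an assumption.

# Constructed sample of /etc/passwd on the machine that becomes the AD DC.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
robert:x:1000:1000:Robert Steinmetz,,,:/home/robert:/bin/bash
alice:x:1001:1001:Alice Example:/home/alice:/bin/zsh
svc-backup:x:1002:1002::/var/lib/backup:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin'

# Constructed stand-in for the output of 'samba-tool user list' on the DC.
SAMPLE_AD_USERS='Administrator
krbtgt
Guest
Alice'

# Passwd lines in the human UID range (1000 <= uid < 65534): the accounts
# the thread is about. System accounts and 'nobody' stay where they are.
local_human_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 >= 1000 && $3 < 65534'
}

# Names that exist both in the local passwd file and in AD. sAMAccountName
# is case-insensitive, so the comparison is case-folded. Every name printed
# here has to be removed from /etc/passwd (or renamed) before winbind
# serves the domain, otherwise NSS answers for two different identities.
both_local_and_ad() {
    {
        printf '%s\n' "$2" | sed 's/^/AD /'
        printf '%s\n' "$1" | cut -d: -f1 | sed 's/^/LOCAL /'
    } | awk '$1 == "AD"    { ad[tolower($2)] = 1; next }
             $1 == "LOCAL" && (tolower($2) in ad) { print $2 }'
}

# Single-quote a string for a shell command line (handles embedded quotes).
shquote() {
    printf "'%s'" "$(printf '%s\n' "$1" | sed "s/'/'\\\\''/g")"
}

# Print, without running, the samba-tool command that recreates one passwd
# line as an AD user with its rfc2307 attributes carried over, so files
# already owned by that uid/gid keep their owner. Only option names from
# 'samba-tool user create --help' are used; samba-tool prompts for the
# password. Drop --uid-number/--gid-number to let the DC allocate IDs.
samba_tool_create_cmd() {
    IFS=: read -r name pw uid gid gecos home shell <<EOF
$1
EOF
    printf 'samba-tool user create %s --uid-number=%s --gid-number=%s' \
        "$(shquote "$name")" "$uid" "$gid"
    if [ -n "$gecos" ]; then
        printf ' --gecos=%s' "$(shquote "$gecos")"
    fi
    printf ' --unix-home=%s --login-shell=%s\n' \
        "$(shquote "$home")" "$(shquote "$shell")"
}

# Body of the 'root preexec' script for [homes]. Samba runs it as root with
# the session user name substituted for %U, so the name is only ever passed
# quoted to getent and chown, never to a shell eval. The lookup goes through
# NSS, so it resolves AD users that are not in /etc/passwd as long as
# winbind is listed in nsswitch.conf. Assumed smb.conf line:
#   root preexec = /usr/local/sbin/mkhome.sh %U
ensure_dir_owned() {
    # $1 directory, $2 owner (name or uid), $3 group (name or gid)
    if [ -d "$1" ]; then
        return 0
    fi
    mkdir -p "$1" && chmod 0700 "$1" && chown "$2:$3" "$1"
}

ensure_home() {
    entry=$(getent passwd "$1") || return 1
    ensure_dir_owned "$(printf '%s\n' "$entry" | cut -d: -f6)" "$1" \
        "$(printf '%s\n' "$entry" | cut -d: -f4)"
}

# Demo with the constructed data: prints only, nothing on the host changes.
printf 'Defined both locally and in AD: %s\n' \
    "$(both_local_and_ad "$SAMPLE_PASSWD" "$SAMPLE_AD_USERS")"
local_human_accounts "$SAMPLE_PASSWD" | while IFS= read -r line; do
    samba_tool_create_cmd "$line"
done
```

Run as-is it only prints. To use the last part, put ensure_dir_owned and ensure_home in /usr/local/sbin/mkhome.sh (assumed path) with a final line of ensure_home "$1", make it root-owned and executable, and set root preexec = /usr/local/sbin/mkhome.sh %U in the [homes] section. On the DC itself the Unix home and shell still come from template homedir and template shell in smb.conf, as noted above; the unixHomeDirectory and loginShell attributes the printed command stores in AD are only consulted by domain members running the ad backend with unix_nss_info = yes (see man idmap_ad). If you would rather not keep IDs in the 1000 plus range, drop --uid-number and --gid-number from the printed command and re-own the user's files after the account is created.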

