[Samba] New AD-DC missing some DNS Information

Robert Steinmetz AIA rob at steinmetznet.com
Mon Feb 15 17:38:37 UTC 2021

Rowland penny via samba wrote:
> On 14/02/2021 20:34, Robert Steinmetz AIA wrote:
>> I also have a couple of loose ends, samba-ad-dc is not starting on 
>> boot and /etc/resolv.conf is being overwritten, even though I 
>> disabled systemd-resolved. I think those are systemd issues - I'll 
>> figure them out.
I got samba to start up; it simply needed to be enabled with systemd. 
Ubuntu provides a service file.
The /etc/resolv.conf is still getting overwritten.
> Let's start with a couple of Linux commands:
> rowland at devstation:~$ getent passwd rowland
> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
> rowland at devstation:~$ grep 'rowland' /etc/passwd
> rowland at devstation:~$
In my case I've added a user 'debbie':
# wbinfo -u

I created the user using samba-tool and supplied all of the Linux 
options for /etc/passwd

# getent passwd 'debbie'

# grep 'debbie' /etc/passwd

# samba-tool user show debbie
dn: CN=debbie,CN=Users,DC=no,DC=steinmetznet,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: debbie
instanceType: 4
whenCreated: 20210214210450.0Z
whenChanged: 20210214210450.0Z
uSNCreated: 4077
name: debbie
objectGUID: 579819ff-3d53-4af6-bcfa-ffce4cb55968
badPwdCount: 0
codePage: 0
countryCode: 0
homeDirectory: /home/debbie
homeDrive: U
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid: S-1-5-21-1775027329-1415986002-557698206-1103
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: debbie
sAMAccountType: 805306368
userPrincipalName: debbie at no.steinmetznet.com
CN=Person,CN=Schema,CN=Configuration,DC=no,DC=steinmetznet,DC=com
uid: debbie
uidNumber: 1001
gidNumber: 1001
loginShell: /bin/bash
unixHomeDirectory: /home/debbie
pwdLastSet: 132578102905967880
userAccountControl: 512
uSNChanged: 4080
distinguishedName: CN=debbie,CN=Users,DC=no,DC=steinmetznet,DC=com

> If you use the 'ad' backend on Unix domain members, then you can use 
> the uidNumber and gidNumber attributes from AD along with the other 
> rfc2307 attributes,
That's what I think I did with samba-tool
> you can also opt to set the Unix home directories & login shell in the 
> smb.conf (note: this is the only way to set these on an AD DC or using 
> any other winbind backend).
I don't understand what you're saying here. Particularly the part after 
the paren.

> Try reading: 
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> man idmap_ad
> man idmap_rid
>> We have in the past used the /homes share to connect users to their 
>> Linux home directory.
> You can still use the 'homes' share, though you will probably need a 
> 'root preexec' script to create the user's directory as they connect (I 
> can help you with this), note that you shouldn't confuse a user's Unix 
> share with the user's Windows home directory.
In our current setup each user has a Windows profile and a Unix home 
directory which is mounted as a /homes share to a drive letter. That is 
used to store user-specific information and things like the user's 
profile for email clients and other user-specific information. I'm not 
clear on what a Windows home directory is. That is something I think I 
can leave till later.
>> Or should I add them to AD using samba-tool and provide the info from 
>> /etc/passwd then delete the user from the passwd file.
> in order: yes, probably no and yes. Unless there is a really good 
> reason to use IDs in the 1000 plus range (I cannot think of one, but 
> who knows)
The only difference I can see from samba-tool and /etc/passwd is the 
uid. Did I miss something? Is the reason to use a different range simply 
to avoid conflicts?

Also is it necessary to modify nsswitch.conf to include winbind?
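For reference, an added configuration sketch (not from this thread and not Samba's own documentation) of the 'ad' backend setup Rowland describes for a Unix domain member, together with the nsswitch.conf change the last question is about. The NetBIOS domain name NO and the idmap ranges are assumptions; only the realm no.steinmetznet.com and debbie's uidNumber 1001 come from the post.

```ini
# --- /etc/samba/smb.conf on a Unix DOMAIN MEMBER (added example, assumed values) ---
# Not for the DC itself: an AD DC ignores the 'idmap config' lines below,
# which is why only 'template homedir' / 'template shell' work there.
[global]
   ; assumed NetBIOS domain name
   workgroup = NO
   realm = NO.STEINMETZNET.COM
   security = ADS

   ; The default '*' domain covers BUILTIN and any unknown SID. It must use
   ; tdb and its range must not overlap the domain range below.
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   ; Take uidNumber / gidNumber (rfc2307 attributes) from AD for domain NO.
   ; Caveat: idmap_ad only maps accounts whose uidNumber falls inside this
   ; range. A uidNumber of 1001 (as set for debbie) is outside it and would
   ; not resolve at all; a range starting at 1000 would instead overlap the
   ; IDs Ubuntu hands out to local /etc/passwd users.
   idmap config NO : backend = ad
   idmap config NO : schema_mode = rfc2307
   idmap config NO : range = 10000-999999
   ; Also read unixHomeDirectory / loginShell from AD (member servers only)
   idmap config NO : unix_nss_info = yes

   ; Used when unix_nss_info = no, with idmap_rid, or on an AD DC
   template homedir = /home/%U
   template shell = /bin/bash
   winbind use default domain = yes

# --- /etc/nsswitch.conf ---
# Without 'winbind' here, 'getent passwd debbie' returns nothing even though
# 'samba-tool user show debbie' succeeds, because NSS never asks winbind.
passwd: files winbind
group:  files winbind
```

After editing both files, restart winbind and re-run `getent passwd debbie`; `wbinfo -i debbie` shows the mapping winbind itself computed, which helps separate an idmap range problem from an NSS configuration problem.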
