[Samba] New AD-DC missing some DNS Information

Rowland penny rpenny at samba.org
Mon Feb 15 18:28:35 UTC 2021


On 15/02/2021 17:38, Robert Steinmetz AIA wrote:
>
> The /etc/resolv.conf is still getting overwritten.


Probably systemd-resolved


> In my case I've added a user 'debbie'
> # wbinfo -u
> NO.STEINMETZNET\administrator
> NO.STEINMETZNET\guest
> NO.STEINMETZNET\krbtgt
> NO.STEINMETZNET\debbie


Why does your Netbios domain name have a dot in it ?

>
> I created the user using samba-tool and supplied all of the Linux 
> options for /etc/passwd
>
> # getent passwd 'debbie'
> #
>
> # grep 'debbie' /etc/passwd
> #


Do you have these packages installed: libpam-winbind libnss-winbind 
libpam-krb5

Do the passwd & group lines in /etc/nsswitch.conf look like this:

passwd: files winbind systemd

group: files winbind systemd


>
>
>
>> If you use the 'ad' backend on Unix domain members, then you can use 
>> the uidNumber and gidNumber attributes from AD along with the other 
>> rfc2307 attributes,
> That's what I think I did with samba-tool
>> you can also opt to set the Unix home directories & login shell in 
>> the smb.conf (note: this is the only way to set these on an AD DC or 
>> when using any other winbind backend).
> I don't understand what you're saying here. Particularly the part 
> after the paren.


OK, if you use the 'ad' backend on a Unix domain member, then you can 
(provided the 'idmap config' lines in smb.conf are set correctly) use the 
rfc2307 attributes from AD. If you use any other backend on a Unix 
domain member or log into a DC, then you must use the 'template shell' 
and 'template homedir' parameters. You can also use these template lines 
with the 'ad' backend if you wish.

See 'man idmap_ad' and 'man idmap_rid' for more info.

>
>>
>>>
>>> We have in the past used the /homes share to connect users to their 
>>> Linux home directory.
>> You can still use the 'homes' share, though you will probably need a 
>> 'root preexec' script to create the user's directory as they connect 
>> (I can help you with this), note that you shouldn't confuse a user's 
>> Unix share with the user's Windows home directory.
> In our current set up each user has a Windows profile and a Unix home 
> directory which is mounted as a /homes share to a drive letter. That 
> is used to store user specific information and things like the user's 
> profile for email clients and other user specific information. I'm not 
> clear on what a Windows home directory is. That is something I think I 
> can leave till later.


You are mixing up the Windows home directory and the Unix home directory.

The Windows home directory is the one you should link to the Windows 
Drive letter, the Unix home directory is what the user would use if they 
log into a Unix domain member.

> The only difference I can see from samba-tool and /etc/passwd is the 
> uid. Did I miss something? Is the reason to use a different range 
> simply to avoid conflicts?


No, you cannot have the same user in /etc/passwd and AD; if you do, the 
user in AD will be ignored, and there is absolutely no reason to have the 
user in both databases. You may have done this with an old style 
NT4-style domain, but it isn't required any more; your users should all 
be in AD.

It might help if you read this:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Setting_up_a_Basic_smb.conf_File


>
> Also is it necessary to modify nsswitch.conf to include winbind?
>
Yes, no winbind in /etc/nsswitch.conf == no AD users

Rowland
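A few self-checks for the points raised above (winbind in nsswitch.conf, users duplicated between /etc/passwd and AD, and the idmap backend versus the 'template' lines), as an added example that is not from this post or from the Samba project. It runs against constructed sample files so it executes offline, and it assumes a NetBIOS domain name of SAMDOM; on a real domain member you would point the functions at /etc/nsswitch.conf, /etc/passwd, the output of 'wbinfo -u' and /etc/samba/smb.conf instead.

```shell
#!/bin/sh
# Added example, not from the list post or the Samba project: sanity checks for
# the nsswitch.conf, duplicated-user and idmap backend points, run against
# constructed sample files. Assumed NetBIOS domain name: SAMDOM.

# 1. passwd and group lookups must go through winbind, or AD users do not resolve.
#    Prints the databases lacking winbind; returns 0 only if none are missing.
nss_winbind_ok() {
    missing=""
    for db in passwd group; do
        grep -Eq "^[[:space:]]*${db}:[[:space:]]*(.*[[:space:]])?winbind([[:space:]]|$)" "$1" \
            || missing="$missing $db"
    done
    [ -z "$missing" ] || { echo "nsswitch.conf: no winbind for:$missing"; return 1; }
}

# 2. An AD user that also exists in /etc/passwd is served from /etc/passwd and the
#    AD account is ignored. Prints such names (DOMAIN\ prefix stripped, lower-cased).
shadowed_users() {
    ad=$(mktemp); loc=$(mktemp)
    sed 's/^.*\\//' "$2" | tr 'A-Z' 'a-z' | sort -u > "$ad"   # 'wbinfo -u' output
    cut -d: -f1 "$1" | tr 'A-Z' 'a-z' | sort -u > "$loc"      # /etc/passwd names
    comm -12 "$ad" "$loc"
    rm -f "$ad" "$loc"
}

# 3. Read the idmap backend for a domain from smb.conf (keys are case-insensitive).
idmap_backend() {
    dom=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    tr 'A-Z' 'a-z' < "$1" | sed -n -E \
        "s/^[[:space:]]*idmap config[[:space:]]+$dom[[:space:]]*:[[:space:]]*backend[[:space:]]*=[[:space:]]*([a-z0-9_]+).*/\1/p" \
        | head -n 1
}

# With the 'ad' backend the rfc2307 attributes can supply shell and home; with any
# other backend (rid, autorid, ...) 'template shell' and 'template homedir' are needed.
templates_ok() {
    backend=$(idmap_backend "$1" "$2")
    [ -n "$backend" ] || { echo "no 'idmap config $2 : backend' line"; return 1; }
    [ "$backend" = ad ] && return 0
    for p in "template homedir" "template shell"; do
        grep -Eq "^[[:space:]]*$p[[:space:]]*=" "$1" \
            || { echo "backend '$backend' needs '$p ='"; return 1; }
    done
}

# Constructed sample files (made up for this example, not real host data).
d=$(mktemp -d)
printf '%s\n' 'passwd:         files winbind systemd' \
              'group:          files winbind systemd' \
              'shadow:         files' > "$d/nsswitch.conf"
printf '%s\n' 'passwd:         files systemd' \
              'group:          files systemd' > "$d/nsswitch-bad.conf"
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
              'debbie:x:1001:1001::/home/debbie:/bin/bash' > "$d/passwd"
printf '%s\n' 'SAMDOM\administrator' 'SAMDOM\guest' 'SAMDOM\krbtgt' 'SAMDOM\debbie' > "$d/wbinfo-u"
cat > "$d/smb-rid.conf" <<'EOF'
[global]
   workgroup = SAMDOM
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = rid
   idmap config SAMDOM : range = 10000-999999
   template shell = /bin/bash
   template homedir = /home/%U
EOF
cat > "$d/smb-ad.conf" <<'EOF'
[global]
   workgroup = SAMDOM
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : schema_mode = rfc2307
   idmap config SAMDOM : range = 10000-999999
EOF
# rid backend with the template lines stripped: must be rejected
grep -v '^ *template ' "$d/smb-rid.conf" > "$d/smb-rid-bad.conf"

nss_winbind_ok "$d/nsswitch.conf"     && echo "nsswitch.conf: OK"
nss_winbind_ok "$d/nsswitch-bad.conf" || echo "nsswitch-bad.conf: rejected"
echo "local accounts shadowing AD users: $(shadowed_users "$d/passwd" "$d/wbinfo-u")"
for f in smb-rid.conf smb-ad.conf smb-rid-bad.conf; do
    templates_ok "$d/$f" SAMDOM && echo "$f: OK (backend $(idmap_backend "$d/$f" SAMDOM))"
done
```

The duplicate-user check is the one worth running first on a box migrated from an NT4-style domain: any name it prints is being answered by the 'files' entry in nsswitch.conf, so the AD account (and its uidNumber/gidNumber) is never consulted for that user.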