[Samba] DNS problems (still) with Linux domain members - using Samba's internal DNS backend

Gary Dale gary at extremeground.com
Wed Apr 26 18:40:53 UTC 2023

On 2023-04-26 13:54, Rowland Penny via samba wrote:
> On 26/04/2023 18:27, Gary Dale via samba wrote:
>> No. I am running the tests suggested by the various Samba wiki pages. 
>> I can do a getent passwd <local account> on my workstation and on my 
>> file & print server but I can't do a getent passwd <domain account> 
>> except on my DC. I explicitly showed that in the message before the 
>> one you replied to. I also showed how I can't do a login to a domain 
>> account except on the DC.
>> This failure to get domain account information seems likely to be at 
>> the heart of the problems I'm having.
> So you are running 'getent passwd gary' and getting no output, this is 
> usually caused by libpam-winbind and libnss-winbind not being 
> installed, or /etc/nsswitch.conf not being configured correctly, the 
> relevant lines from mine look like this:
> passwd:         files winbind
> group:          files winbind

installed and configured correctly

> Or pam-auth-update is configured correctly, again these are the lines 
> from mine:
> [*] Unix authentication
> [*] Winbind NT/Active Directory authentication
> [*] Register user sessions in the systemd control group ...
> [*] Create home directory on login
Have an extra entry for systemd that is checked but have Create home 
directory on login unchecked. Shouldn't cause the problems I'm seeing.

> Or you are using the 'ad' idmap backend on a Unix domain member and 
> haven't added a uidNumber attribute to the users and added a gidNumber 
> attribute to the Domain Users group. The numbers you use in these 
> attributes have to be unique, though you can use the same range for 
> users and groups, that is 'gary' could have the ID 10000 and Domain 
> Users could also the same ID 10000. Whatever numbers you use, the 
> Domain idmap config line in smb.conf must enclose those numbers e.g.
> idmap config DOMAIN : range = 10000-999999

Ah, so that explains it. I originally was using autorid because that 
seemed the best fit for my circumstances but you complained about me 
doing that. Re-reading the 
I see it mentions that I have to add a the uidNumber and gidNumber 
attributes without actually telling me how to do it.

I found 
which gives insufficient instruction in the matter. I note, for example, 
the line:
samba-tool user addunixattrs sambauser uid --gid-number=gid 
--login-shell=/bin/bash --unix-home=/home/sambauser

which I think may be better written as:

samba-tool user addunixattrs <sambauser> <uid> --gid-number=<gid> 
--login-shell=/bin/bash --unix-home=/home/<sambauser>

followed by an example showing reasonable values (or some discussion 
about what those values should be). My immediate reaction would be to 
use normal Linux user ids (i.e. starting at 1000 on Debian) and group 
ids (i.e. 100 is the normal group for users). However, you have reacted 
in horror to that idea, so this would probably be a good wiki to present 
an explanation as to why it is a bad idea,

> You may have done all of these, if so I will have another think.
> Rowland

More information about the samba mailing list