debian 10: I can not integrate a linux machine into a Samba AD

Rowland Penny rpenny at samba.org
Thu May 9 08:25:18 UTC 2019


See inline comments:

On Thu, 9 May 2019 09:29:05 +0200
nathalie ramat via samba-technical <samba-technical at lists.samba.org>
wrote:


> I configured smb.conf at my server :

Er, no, you misconfigured your smb.conf on the DC ;-)

> # global parameters
> [global]

>       winbind enum users = yes
>       winbind enum groups = yes
>       winbind use default domain = yes
>       winbind separator = /
>       idmap config *:backend = tdb
>       idmap config *:range = 1000-19000
>       host msdfs = no
>       security = user
>       name resolve order = host
> #    ntlm auth = yes
> #     raw NTLMV2 auth = yes
> #    lanman auth =yes
> #    vfs objects = acl_xattr
>       map acl inherit = Yes
> #    store dos attributes = Yes

I would suggest you remove the above lines, they either have no place
in a Samba AD DC or slow things down.

> and my linux user :
> 
> [global]
>       security = ads
>       realm = lenzspitze.calais.fr

Change the realm to uppercase

>       workgroup = LENZSPITZE
>       netbios name = testbugster
>       winbind separator = /
>       ntlm auth = yes
>       idmap uid = 0-50000
>       idmap gid = 0-50000

No, that's the old way of doing things

>       winbind enum users = yes
>       winbind enum groups = yes

Once everything is working, remove the two lines above, they are only
required for testing purposes.

>       idmap config LENZSPITZE : backend = rid
>       idmap config LENZSPITZE : base_rid = 0

You do not have to set the base_rid, but what you do have to do is set
the 'idmap config' lines. See here:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Finally, you really should have posted this to the samba mailing list,
not to the samba-technical list.

Rowland
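
The domain-member points raised in the reply above can be checked mechanically; this is an added example, not part of the original message or of Samba. The `lint_member` helper and its finding names are hypothetical, the sample is constructed from the member config quoted in the thread, and the rule that every idmap domain with a backend also needs a range is an assumption taken from the smb.conf documentation.

```python
import re

# Constructed sample: the member-server settings quoted in the thread.
SAMPLE = """\
[global]
      security = ads
      realm = lenzspitze.calais.fr
      workgroup = LENZSPITZE
      idmap uid = 0-50000
      idmap gid = 0-50000
      winbind enum users = yes
      winbind enum groups = yes
      idmap config LENZSPITZE : backend = rid
      idmap config LENZSPITZE : base_rid = 0
"""

def parse_global(text):
    """Return the [global] parameters as {normalised name: value}."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # smb.conf ignores case and extra whitespace in parameter names
            params[re.sub(r"\s+", " ", key.strip().lower())] = value.strip()
    return params

def lint_member(text):
    """Flag the domain-member issues raised in the reply (hypothetical helper)."""
    p, findings = parse_global(text), []
    realm = p.get("realm", "")
    if realm != realm.upper():
        findings.append("realm-not-uppercase")
    if "idmap uid" in p or "idmap gid" in p:
        findings.append("legacy-idmap-uid-gid")
    if any(p.get(k, "").lower() == "yes" for k in ("winbind enum users", "winbind enum groups")):
        findings.append("winbind-enum-left-on")
    # Assumption (smb.conf documentation): each idmap domain with a backend needs a range.
    for key in p:
        m = re.fullmatch(r"idmap config (\S+) ?: ?backend", key)
        if m and not any(re.fullmatch(rf"idmap config {re.escape(m.group(1))} ?: ?range", k) for k in p):
            findings.append(f"idmap-range-missing:{m.group(1).upper()}")
    return findings
```

Running `lint_member(SAMPLE)` reports all four issues for the quoted member config; a config that follows the wiki page linked in the reply returns an empty list.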


