Z Z
2020-Dec-14 18:51 UTC
[Samba] Client machine not fetching user accounts from AD domain
I have Samba AD DC working OK with a little over 400 domain members. However, there is one single Debian server that's giving me trouble when I add it to the AD.

There is a local user 'peter' with uid 905. Also there is user 'peter' in the AD domain with id 10300.

*id peter* (on the Debian) provides the following output:

uid=905(peter) gid=905(peter) groups=905(peter),27(sudo),1000(domaingroup),1001(domaingroup),10001(domaingroup),1035(domaingroup)

So basically, it's merging the local user with the domain groups, instead of pulling all the stuff from the AD domain. It's not respecting the nsswitch.conf. Here it is:

passwd: compat winbind
group: compat winbind
shadow: winbind files
gshadow: winbind files

It gets even worse as I can only resolve users that have a local profile. Every other AD user isn't showing. If I try with another user, that *doesn't have a local profile:*

*id userfromad*
id: 'userfromad': no such user

From here I'm unable to use this user on this particular member:

*su userfromad*
No passwd entry for user 'userfromad '

(it's looking for a local passwd entry, wtf)

Even though I can see and use this and every other AD user from any other of my 400 computers that are members of the AD DC, this Debian machine is refusing to work properly.

Next, *wbinfo -u* and *wbinfo -g* provide all groups and users. So Winbind obviously sees them as it should.

Here's my smb.conf as well:

[global]
workgroup = DOM
realm = DOM.AIN
security = ADS

idmap config dom : unix_primary_group = yes
idmap config dom : unix_nss_info = no
idmap config dom : range = 1000-999999
idmap config dom : schema = rfc2307
idmap config dom : backend = ad

idmap config * : range = 300-999
idmap config * : backend = tdb

template homedir = /home/%U
template shell = /bin/bash
winbind use default domain = True
winbind cache time = 5
winbind refresh tickets = Yes
winbind enum users = yes
winbind enum groups = yes

Any suggestions will be appreciated.
Rowland penny
2020-Dec-14 19:20 UTC
[Samba] Client machine not fetching user accounts from AD domain
On 14/12/2020 18:51, Z Z via samba wrote:
> I have Samba AD DC working OK with a little over 400 domain members.
> However, there is one single Debian server that's giving me trouble when I
> add it to the AD.
>
> There is a local user 'peter' with uid 905. Also there is user 'peter' in
> the AD domain with id 10300.

Which one do you want to keep? Decide which, then delete the other; you cannot have the same user in AD and in /etc/passwd.

> *id peter* (on the Debian) provides the following output:
>
> uid=905(peter) gid=905(peter)
> groups=905(peter),27(sudo),1000(domaingroup),1001(domaingroup),10001(domaingroup),1035(domaingroup)

Well it would, nsswitch checks /etc/passwd first.

> So basically, it's merging the local user with the domain groups, instead of
> pulling all the stuff from the AD domain.

Yes, anything that is in /etc/passwd or /etc/group (that is also in AD) will be used before the AD data.

> It's not respecting the
> nsswitch.conf. Here it is:
>
> passwd: compat winbind
> group: compat winbind
> shadow: winbind files
> gshadow: winbind files

The first two lines are correct, but you shouldn't have 'winbind' in the other two lines.

> It gets even worse as I can only resolve users that have a local profile.

I think by 'local profile' you mean 'local Unix users', or users that are in /etc/passwd.

> Every other AD user isn't showing.
> If I try with another user, that *doesn't
> have a local profile:*
> *id userfromad*
> id: 'userfromad': no such user

Your computer has no idea who 'userfromad' is.

> From here I'm unable to use this user on this particular member:
>
> *su userfromad*
> No passwd entry for user 'userfromad '
> (it's looking for a local passwd entry, wtf)

No, it is saying that nsswitch cannot find the user.

> Even though I can see and use this and every other AD user from any
> other of my 400 computers that are members of the AD DC, this Debian machine
> is refusing to work properly.

Let me guess, the other computers are all Windows machines.

> Next,
>
> *wbinfo -u* and *wbinfo -g* provide all groups and users. So Winbind
> obviously sees them as it should.

That is meaningless to Unix.

> Here's my smb.conf as well:
>
> [global]
>
> workgroup = DOM
> realm = DOM.AIN
> security = ADS
>
> idmap config dom : unix_primary_group = yes
> idmap config dom : unix_nss_info = no
> idmap config dom : range = 1000-999999
> idmap config dom : schema = rfc2307
> idmap config dom : backend = ad
>
> idmap config * : range = 300-999
> idmap config * : backend = tdb

Why such low numbers for the ranges? The '*' domain is mainly for the Well Known SIDs, so you can probably get away with 300-999, but I wouldn't use it.

Now we come to the big one: you are using the winbind 'ad' backend for the 'DOM' domain, so have you given your users a uidNumber attribute containing a unique number inside the 1000-999999 range? And have you given the 'Domain Users' group a gidNumber attribute inside the same range? And as you have 'unix_primary_group = yes', have you given your users a gidNumber attribute containing the Unix ID (gidNumber) of the group that you want to use for each user?

Rowland
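The checks Rowland's reply boils down to, as an added example that is not from the thread or from Samba itself: a small Python diagnostic run over constructed stand-ins for /etc/nsswitch.conf, /etc/passwd and the uidNumber/gidNumber attributes of the AD accounts (the names, numbers and idmap range are taken or made up from the thread, not read from a live system). It flags 'winbind' on the shadow/gshadow lines, a username defined both locally and in AD, and AD users the 'ad' idmap backend cannot map.

```python
"""Constructed diagnostic for the symptoms in this thread (not Samba's own code)."""
import re

# Constructed sample inputs standing in for /etc/nsswitch.conf, /etc/passwd and
# the uidNumber/gidNumber attributes of AD accounts (as ldbsearch would show them).
NSSWITCH = """passwd: compat winbind
group: compat winbind
shadow: winbind files
gshadow: winbind files
"""
PASSWD = """root:x:0:0:root:/root:/bin/bash
peter:x:905:905::/home/peter:/bin/bash
"""
# constructed: name -> (uidNumber, gidNumber); None means the attribute is not set
AD_USERS = {"peter": (10300, 10000), "userfromad": (None, None), "alice": (500, 10000)}
AD_RANGE = (1000, 999999)   # 'idmap config dom : range' from the poster's smb.conf

def nsswitch_problems(text):
    """Return the shadow/gshadow databases whose lookup line still lists winbind."""
    bad = []
    for line in text.splitlines():
        m = re.match(r"^\s*(\w+)\s*:\s*(.*)$", line)
        if m and m.group(1) in ("shadow", "gshadow") and "winbind" in m.group(2).split():
            bad.append(m.group(1))
    return bad

def local_collisions(passwd_text, ad_users):
    """Names present both in /etc/passwd and in AD: nsswitch answers from files first."""
    local = {l.split(":")[0] for l in passwd_text.splitlines() if ":" in l}
    return sorted(local & set(ad_users))

def unresolvable_ad_users(ad_users, rng):
    """AD users the 'ad' idmap backend cannot map: no uidNumber, uid outside the
    configured range, or (with unix_primary_group = yes) no gidNumber."""
    lo, hi = rng
    out = {}
    for name, (uid, gid) in ad_users.items():
        if uid is None:
            out[name] = "no uidNumber"
        elif not lo <= uid <= hi:
            out[name] = f"uidNumber {uid} outside {lo}-{hi}"
        elif gid is None:
            out[name] = "no gidNumber (needed with unix_primary_group = yes)"
    return out

if __name__ == "__main__":
    print("winbind on shadow lines:", nsswitch_problems(NSSWITCH))
    print("local/AD name collisions:", local_collisions(PASSWD, AD_USERS))
    print("AD users winbind cannot map:", unresolvable_ad_users(AD_USERS, AD_RANGE))
```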