On 28/01/16 19:56, Oliver Werner wrote:
> Hello,
>
> I have added a new Samba Member Server to my domain successfully.
>
> I have configured Winbind and get the correct output from wbinfo -u/-g.
>
> getent passwd also works fine.
>
> But when I type the getent group command I get only local groups.
>
> Mysteriously, I can put the ADS groups with the chgrp command.
> With the ls -la command they are also shown after being set on a file or directory.
> The only thing is that the getent group command does not show what I want.
>
> My smb.conf looks like this:
>
> [global]
> netbios name = VL02
> security = ADS
> workgroup = HQ
> realm = hq.local
>
> log file = /var/log/samba/%m.log
> log level = 1
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> winbind refresh tickets = yes
>
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind cache time = 60
>
>
> # Default idmap config used for BUILTIN and local accounts/groups
> idmap config *:backend = tdb
> idmap config *:range = 500-1299
>
> # idmap config for domain HQKONTRAST
> idmap config HQ:backend = ad
> idmap config HQ:schema_mode = rfc2307
> idmap config HQ:range = 1300-99999
>
> # Use settings from AD for login shell and home directory
> winbind nss info = rfc2307
>
>
> uidNumber of Users start on 10000 and gidNumber of Groups on 1300. So the
> IDs are in the range.
>
> Does anyone know the problem or know how to fix it?
>
> regards
>
> OLIVER WERNER
>
>
>
Firstly I wouldn't use '500' for the builtin start number, you now have
nowhere for the Unix local users & groups, especially as most Linux
distros start ordinary users & groups at 1000. You also don't have to
use a different range for the AD users and groups, can I suggest you add
a '0' on the end of the AD gidNumber attributes and then change the
range from '1300-99999' to '10000-99999'.

Finally 'getent group' won't show anything on later versions of Samba,
try 'getent group adomaingroup'.

Rowland
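
As an added illustration that is not part of the thread: a small Python check of the idmap ranges discussed above, run against the idmap lines from the posted smb.conf. It is not Samba's own code; the function names, the default first local ID of 1000 (taken from the reply) and the sample gidNumber values are assumptions.

```python
import re

# Constructed sample: the idmap lines from the smb.conf quoted above.
POSTED = """\
idmap config *:backend = tdb
idmap config *:range = 500-1299
idmap config HQ:backend = ad
idmap config HQ:schema_mode = rfc2307
idmap config HQ:range = 1300-99999
"""

RANGE_RE = re.compile(
    r"^\s*idmap config\s+([^:\s]+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)

def idmap_ranges(conf_text):
    """Return {domain: (low, high)} for every 'idmap config X:range' line."""
    ranges = {}
    for line in conf_text.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges

def check(conf_text, local_start=1000, domain_ids=None):
    """List findings: ranges covering the first local ID (assumed 1000),
    ranges overlapping each other, and AD IDs outside their domain's range."""
    ranges = idmap_ranges(conf_text)
    findings = []
    names = sorted(ranges)
    for i, a in enumerate(names):
        lo, hi = ranges[a]
        if lo <= local_start <= hi:
            findings.append(f"{a}: {lo}-{hi} covers local ID {local_start}")
        for b in names[i + 1:]:
            blo, bhi = ranges[b]
            if lo <= bhi and blo <= hi:
                findings.append(f"{a} and {b}: ranges overlap")
    for dom, ids in (domain_ids or {}).items():
        lo, hi = ranges[dom]
        for n in ids:
            if not lo <= n <= hi:
                findings.append(f"{dom}: ID {n} outside {lo}-{hi}")
    return findings

if __name__ == "__main__":
    # 1300 and 10000 are the first gidNumber and uidNumber given in the post.
    for finding in check(POSTED, domain_ids={"HQ": [1300, 10000]}):
        print(finding)
```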