samba - Aug 2016 - File Server recognize users and groups AD

>Sorry, but the lines you have added to the [global] section of 
>your smb.conf will do nothing on an AD DC. 
>Does 'getent group Domain\ Admins' produce any output ? 
>If not you need to set up libnss-winbind. 
>Rowland

Dear Rowland; 
I appreciate the contact. 

The commands: 
getent group 'DOMAIN\Domain Admins' 
getent group 'Domain Admins' 

Return nothing! 

When I run only this command: getent group 
It returns only Unix / Linux groups 

Regarding Smb.conf could show me what needs to be changed? 
This smb.conf refers to the secondary DC + file server. 

About libnss-winbind, could indicate some site so I can do a study?

On Fri, 5 Aug 2016 12:26:24 +0000 (UTC)
Ricardo Pardim Claus <ricardo.claus at yahoo.com.br> wrote:
> Dear Rowland; 
> I appreciate the contact. 
> 
> The commands: 
> getent group 'DOMAIN\Domain Admins' 
> getent group 'Domain Admins' 
> 
> Return nothing! 
When I run the command on the DC I joined to the one I provisioned, I
get this:

root at dc2:~# getent group Domain\ Admins
SAMDOM\domain admins:x:3000008:
> 
> When I run only this command: getent group 
> It returns only Unix / Linux groups 
This also the result I get, you need to add these two lines to smb.conf:

	winbind enum users = yes
	winbind enum groups = yes

After restarting samba, you should get the AD users or groups,
provided libnss-winbind is set up, see here for more info:

 https://wiki.samba.org/index.php/Libnss_winbind_links
https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member#libnss_winbind
> 
> Regarding Smb.conf could show me what needs to be changed? 
> This smb.conf refers to the secondary DC + file server. 
What you need to understand is that when you use a DC as a fileserver,
very few of the lines that you can add to a Unix domain member will
work on a DC. I would return the [global] part of your smb.conf to what
it was just after the join and then add this line 'idmap_ldb:use
rfc2307 = yes' 

If you have any questions about libnss-winbind, just ask, but please,
ask onlist.


Rowland

Dear Rowland 

Report that could solve the problem by using your tips. 
I modified my smb.conf by adding these lines: 

winbind enum users = yes 
winbind enum groups = yes 

Then I followed the steps indicated on this page: 
https://wiki.samba.org/index.php/Libnss_winbind_links 

Now yes, when I run the command "getent group "Domain
Admins"" or "getent group", I appear all (Unix and Active
Directory).

To end this post, I have another doubt. These settings need to be made up at all
Samba servers on my network? Or only on the file server?

Rowland, 
Here in the forum, if this post I opened when I go to answer any question from
you, I answer the email only to the list of Samba or include your email too?

Thank you!

On Sat, 6 Aug 2016 10:47:22 +0000 (UTC)
Ricardo Pardim Claus <ricardo.claus at yahoo.com.br> wrote:
> Dear Rowland 
> 
> Report that could solve the problem by using your tips. 
> I modified my smb.conf by adding these lines: 
> 
> winbind enum users = yes 
> winbind enum groups = yes 
> 
> Then I followed the steps indicated on this page: 
> https://wiki.samba.org/index.php/Libnss_winbind_links 
> 
> Now yes, when I run the command "getent group "Domain
Admins"" or
> "getent group", I appear all (Unix and Active Directory). 
Great, glad to help.
> 
> To end this post, I have another doubt. These settings need to be
> made up at all Samba servers on my network? Or only on the file
> server?
You will need to do something similar on any Unix domain members you
add, but remember, domain members are set up differently from a DC.
  
> 
> Rowland, 
> Here in the forum, if this post I opened when I go to answer any
> question from you, I answer the email only to the list of Samba or
> include your email too? 
I don't know what email client you use, but you normally reply to
'all'
or 'mailing list' or similar. You keep sending replies to me and not to
the Samba mailing list, this breaks the thread, ideally you should just
reply to the mailing list.

Rowland 
> 
> Thank you!