David Thompson
2016-Sep-07 23:52 UTC
[Samba] Nested OUs fail to return user / group lookups
Hi all,

I have a configuration for a Samba file server that I'm trying to get properly implemented. The issue isn't with the shares but with the user and group lookups. The server resides in a nested container such as:

samdom.com
>> Users_And_Computers
>> CA_LOCATION_ON
>> Servers
>> Desktops
>> Laptops
>> Users

So the path is something like this:

OU=Servers,OU=CA_LOCATION_ON,OU=Users_And_Computers,DC=samdom,DC=com

The server is Debian 8.5 with all the latest patches and hand-configured Samba (4.4.5) as per the Samba wiki instructions. I am currently only running winbind on the server for user and group lookups, and I am able to see the users that are in all of the containers via the wbinfo -u command. However, if I run getent passwd it returns lots of users but none in the sub-OUs in the domain. If I run "id <username>" it is never able to find any of the users who are in the sub-OUs.

Here is the output of my smb.conf file. I'm curious to know if there is something else I need to do in order to get Samba looking in the sub-OUs, or if it's not possible to do that then I'd also like to know, so I can stop bashing my head against my desk here.
-----------------------------------------------------------------------
[global]
netbios name = MSCAPRDHOMDIR1
security = ADS
workgroup = SAMDOM
realm = SAMDOM.COM
log file = /var/log/samba/%m.log
log level = 1

# Default idmap config used for BUILTIN and local windows accounts/groups
idmap config *:backend = tdb
idmap config *:range = 2000-9999

# idmap config for domain SAMDOM
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = 10000-99999

# Use settings from AD for login shell and home directory
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind nested groups = yes

# Use template settings for login shell and home directory
winbind nss info = template
template shell = /sbin/bash
template homedir = /home/%U

vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
-----------------------------------------------------------------------

I've tried it with the backend as both "ad" and "rid" with the exact same results. I'm sure it's something that I'm missing, if it's possible, but I'm not sure what it is. When we do the same binding on a Mac OS X based computer, we can dictate where the computer goes into the container and it binds fine and I can look up the users, so I would think looking up the sub-OUs is fine since it works on another OS, so it's something I'm missing on the Samba configuration side. I should note that I can obtain Kerberos tickets on the Samba server side with kinit <username> for a user in the sub-OU and it works perfectly fine, and I can also destroy the ticket without issue. I have the standard nsswitch configured with winbind in the passwd and group sections pointing to winbind.
I also have a mix of users that have the Unix attributes enabled and disabled in the sub-container, and that also seems to make no difference in terms of having wbinfo and getent passwd return any different results.

Thank you very much in advance for any help / advice you can provide, and if there are any links you can point me to I'd also be very appreciative, as I'm a little lost / confused trying to figure out how to get this working properly.

--
DT
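An added diagnostic for the symptom described above (not part of the original post or of Samba itself): with "idmap config SAMDOM:backend = ad", winbind only maps an account to a Unix uid when the account carries a uidNumber that falls inside the configured idmap range, so accounts lacking one are still listed by "wbinfo -u" (plain directory enumeration) but are skipped by "getent passwd" and "id". The script takes constructed "sAMAccountName uidNumber" lines (in practice pulled from the domain with an LDAP query; "-" marks a missing attribute) plus the range from the posted smb.conf, and reports which accounts winbind will not map and why.

```shell
#!/bin/sh
# Added example, not from the post: check which AD accounts the idmap_ad backend
# will refuse to map. idmap_ad needs a uidNumber on the account, and the
# configured range acts as a filter: values outside it are ignored.

report_unmapped() {
    # $1 = low end of idmap range, $2 = high end
    # stdin = lines of "sAMAccountName uidNumber" ("-" when the attribute is absent)
    awk -v lo="$1" -v hi="$2" '
        NF < 2 || $2 == "-" {
            printf "%s: no uidNumber (rfc2307 attributes not set)\n", $1; next }
        $2 !~ /^[0-9]+$/ {
            printf "%s: uidNumber %s is not numeric\n", $1, $2; next }
        $2+0 < lo || $2+0 > hi {
            printf "%s: uidNumber %s outside idmap range %d-%d\n", $1, $2, lo, hi; next }
        { printf "%s: ok (uid %s)\n", $1, $2 }
    '
}

# Constructed sample: accounts from the sub-OUs in the states the post describes
# (Unix attributes set and in range, attributes absent, attributes set but out of range).
SAMPLE='jdoe 10001
asmith -
bjones 5000'

# Range taken from the posted smb.conf: idmap config SAMDOM:range = 10000-99999
count_unmapped() {
    printf '%s\n' "$SAMPLE" | report_unmapped 10000 99999 | grep -vc ': ok'
}

# Stand-alone run: print the per-account verdicts and the number of unmapped accounts.
printf '%s\n' "$SAMPLE" | report_unmapped 10000 99999
echo "unmapped accounts: $(count_unmapped)"
```

Accounts flagged here would be exactly the ones that appear in wbinfo -u but not in getent passwd under the ad backend.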