I am trying to configure idmap_ad on a linux member server (fedora core 23, samba 4.3.11) with a Windows 2008 domain controller. The domain is "MYDOMAIN.COM" with a child domain of "CHILD1.MYDOMAIN.COM." By default those domains trust each other.

The MYDOMAIN PDC has the unix identity mapping feature installed, so I can use "active directory users and computers" to set unix uidNumbers and gidNumbers (which start at 100.) I have set uidNumbers for some users but not others. I have not set up unix identity mapping on the child domain.
The partial smb.conf is

        security = ads
        workgroup = MYDOMAIN
        netbios name = LINUX1
        realm = MYDOMAIN.COM
        idmap config *:backend = tdb
        idmap config *:range = 2000-9999
        idmap config MYDOMAIN:backend = ad
        idmap config MYDOMAIN:schema_mode = rfc2307
        idmap config MYDOMAIN:range = 100-900
        winbind nss info = rfc2307
        winbind enum users = yes
        winbind enum groups = yes
I did need to fix a symlink since samba was looking for some libraries in the wrong place

        #ln -s /usr/lib64/ldb /usr/lib64/samba/ldb

I was able to join the domain

        #net ads join -U administrator -S pdc.mydomain.com

I set /etc/krb5.conf to point to the domain controllers as the kerberos server (although I don't think this is necessary at this stage.)

The "wbinfo -u" and "wbinfo -g" show users from the domain.

I updated /etc/nsswitch.conf to include winbind

        passwd:     files sss winbind
        shadow:     files sss winbind

(sssd daemon is not enabled.)

The "getent passwd" command does NOT show users from MYDOMAIN. The weird thing is that it does show users from the child domain.
CHILD1\administrator:*:2000:2004:Administrator:/home/CHILD1/administrator:/bin/false
CHILD1\guest:*:2001:2005:Guest:/home/CHILD1/guest:/bin/false
CHILD1\krbtgt:*:2002:2004:krbtgt:/home/CHILD1/krbtgt:/bin/false
CHILD1\bobsmith:*:2003:2004:Bob Smith:/home/CHILD1/bobsmith:/bin/false
CHILD1\mydomain$:*:2004:2004:MYDOMAIN$:/home/CHILD1/ssci_:/bin/false
I tried the following settings with no luck
     winbind nss info = templater
     idmap config MYDOMAIN:schema_mode = sfu
     winbind use default domain = yes
The "testparm -v | grep domain" gives the following
     allow trusted domains = Yes
     map untrusted to domain = No
     domain logons = No
     domain master = Auto
     winbind use default domain = No
     winbind trusted domains only = No
     winbind max domain connections = 1
FYI I do have another linux machine, not running samba, that is configured to use LDAP/Kerberos authentication against the same domain controller so I am pretty sure the unix attributes are set up correctly.
Appreciate any help.
Thanks
See inline comments:

On Mon, 19 Sep 2016 17:36:05 -0400
Gaiseric Vandal via samba <samba at lists.samba.org> wrote:

> I am trying to configure idmap_ad on a linux member server (fedora
> core 23, samba 4.3.11) with a Windows 2008 domain controller. The
> domain is "MYDOMAIN.COM" with a child domain of
> "CHILD1.MYDOMAIN.COM." By default those domains trust each other.
>
> The MYDOMAIN PDC has the unix identity mapping feature installed, so
> I can use "active directory users and computers" to set unix
> uidNumbers and gidNumbers (which start at 100.) I have set
> uidNumbers for some users but not others. I have not set up unix
> identity mapping on the child domain.

This may be your problem, why are using 100-900 ? standard Unix users
start at 1000, BUILTIN and anything outside the domain is using
2000-9999, so why not use IDs starting at 10000 ???

Have you also given Domain Users a gidNumber ??

> The partial smb.conf is
>
>         security = ads
>         workgroup = MYDOMAIN
>         netbios name = LINUX1
>         realm = MYDOMAIN.COM
>         idmap config *:backend = tdb
>         idmap config *:range = 2000-9999
>         idmap config MYDOMAIN:backend = ad
>         idmap config MYDOMAIN:schema_mode = rfc2307
>         idmap config MYDOMAIN:range = 100-900
>         winbind nss info = rfc2307
>         winbind enum users = yes
>         winbind enum groups = yes
>
> I did need to fix a symlink since samba was looking for some
> libraries in the wrong place
>
>         #ln -s /usr/lib64/ldb /usr/lib64/samba/ldb
>
> I was able to join the domain
>
>         #net ads join -U administrator -S pdc.mydomain.com
>
> I set /etc/krb5.conf to point to the domain controllers as the
> kerberos server (although I don't think this is necessary at this
> stage.)

You needed this set up before you joined the domain and it should point
to the realm.

> the "wbinfo -u" and "wbinfo -g" show users from the domain.
>
> I updated /etc/nsswitch.conf to include winbind
>
>         passwd:     files sss winbind
>         shadow:     files sss winbind

I would suggest removing 'sss' if you are not using it, also remove
'winbind' from the shadow line and putting it on the group line.

> (sssd daemon is not enabled.)
>
> The "getent passwd" command does NOT show users from MYDOMAIN. The
> weird thing is that it does show users from the child domain.

Well, it would, they are getting mapped because they are not in your
domain.

> CHILD1\administrator:*:2000:2004:Administrator:/home/CHILD1/administrator:/bin/false
> CHILD1\guest:*:2001:2005:Guest:/home/CHILD1/guest:/bin/false
> CHILD1\krbtgt:*:2002:2004:krbtgt:/home/CHILD1/krbtgt:/bin/false
> CHILD1\bobsmith:*:2003:2004:Bob Smith:/home/CHILD1/bobsmith:/bin/false
> CHILD1\mydomain$:*:2004:2004:MYDOMAIN$:/home/CHILD1/ssci_:/bin/false
>
> I tried the following settings with no luck
>
>      winbind nss info = templater

I take it that is a typo and should have been 'template' and all that
does (if using the 'ad' backend) is just use uidNumber & gidNumber
attributes.

>      idmap config MYDOMAIN:schema_mode = sfu

If using 'ad' backend, just stick to 'schema_mode = rfc2307'

>      winbind use default domain = yes

This just removes the domain name from user & groupnames.

> The "testparm -v | grep domain" gives the following
>
>      allow trusted domains = Yes
>      map untrusted to domain = No
>      domain logons = No
>      domain master = Auto
>      winbind use default domain = No
>      winbind trusted domains only = No
>      winbind max domain connections = 1
>
> FYI I do have another linux machine, not running samba, that is
> configured to use LDAP/Kerberos authentication against the same
> domain controller so I am pretty sure the unix attributes are set up
> correctly.
>
> Appreciate any help.

It might well do, but winbind works differently, see here for more info:

https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member

Rowland
Try to create symbolic links to samba4 winbind libraries:

    ln -sf /lib/x86_64-linux-gnu/libnss_winbind.so /usr/local/samba/lib/libnss_winbind.so
    ln -sf /lib/x86_64-linux-gnu/libnss_winbind.so /usr/local/samba/lib/libnss_winbind.so.2
    ln -sf /usr/lib/x86_64-linux-gnu/libnss_winbind.so /usr/local/samba/lib/libnss_winbind.so
    ln -sf /usr/lib/x86_64-linux-gnu/libnss_winbind.so /usr/local/samba/lib/libnss_winbind.so.2

And then, restart samba.

Regards,

2016-09-20 5:49 GMT-03:00 Rowland Penny via samba <samba at lists.samba.org>:
> See inline comments:
> [...]

-- 
-------------------------------------------
Edson Tadeu Almeida Silveira
http://sites.google.com/site/edsontadeu/
-------------------------------------------
Hi

Thanks for the feedback.

I currently have 3 production domains.

- MYDOMAIN.COM is a production Windows 2008 domain used to support MS Exchange (but not file sharing.)
- TECH - Samba3 "classic" domain with unix domain controllers that supports most users for authentication and file sharing. The DC machines are both Samba domains (for Windows clients) and KRB/LDAP servers for Linux clients.
- SALES - Small Win 2008 AD domain for a separate group.

I want to eventually build a TECH.MYDOMAIN.COM domain as a child domain of MYDOMAIN.COM and migrate computers from the "classic" TECH domain to the new TECH.MYDOMAIN.COM. I will want to preserve user ID numbers as much as possible. Some of the user accounts go back 15 years in the production TECH domain, when local service accounts didn't go over uidNumber 100. For the moment I am just testing machines in the parent domain rather than add too many variables upfront.

"winbind nss info = templater" was a typo, I did try "winbind nss info = templates"

I fixed nsswitch.conf

I think I had krb5.conf set up properly with realm before joining the domain.
    # cat /etc/krb5.conf
    [logging]
      default = FILE:/var/log/krb5libs.log
      kdc = FILE:/var/log/krb5kdc.log
      admin_server = FILE:/var/log/kadmind.log
    [libdefaults]
      dns_lookup_realm = false
      ticket_lifetime = 24h
      renew_lifetime = 7d
      forwardable = true
      rdns = false
      default_realm = MYDOMAIN.COM
    [realms]
      MYDOMAIN.COM = {
        kdc = pdc.mydomain.com
        admin_server = pdc.mydomain.com
      }
    [domain_realm]
      mydomain.com = MYDOMAIN.COM
      .mydomain.com = MYDOMAIN.COM
    #

But to be safe I did rejoin domain

    # net ads join -U administrator -S pdc.mydomain.com
    Enter administrator's password:
    Using short domain name -- MYDOMAIN
    Joined 'LINUX1' to dns domain 'mydomain.com'
    #
    # net ads testjoin
    Join is OK
    #
Set a uidNumber of 1000 for one of the user accounts and updated the idmap range for MYDOMAIN to be from 100-1999.

Still no luck.

Kinit indicates the machine account does exist

    # kinit linux1
    Password for linux1 at MYDOMAIN.COM:  ^C

Since mapping for the child domain is working it indicates that the idmap_tdb backend is OK and that the problem may be with idmap_ad ?
        #smbd -b
        ....
        --with Options:
            WITH_ADS
            WITH_AUTOMOUNT
            WITH_DNS_UPDATES
            WITH_PAM
            WITH_PAM_MODULES
            WITH_PROFILE
            WITH_PTHREADPOOL
            WITH_QUOTAS
            WITH_SENDFILE
            WITH_SYSLOG
            WITH_WINBIND
        ...
        Builtin modules:
            vfs_posixacl auth_sam auth_winbind auth_domain auth_builtin
        vfs_default nss_info_template idmap_tdb idmap_passdb idmap_nss
        idmap_ldap
        #
        Build Options:
        ...
            auth_netlogond_init
            auth_samba4_init
            auth_script_init
            auth_server_init
            auth_unix_init
            auth_wbc_init
            idmap_ad_init
            idmap_adex_init
            idmap_autorid_init
            idmap_hash_init
            idmap_rfc2307_init
            idmap_rid_init
            idmap_script_init
            idmap_tdb2_init
        ....
I could presumably use idmap_ldap to maintain a consistent mapping across machines. Since file servers serve users from both Windows and Unix systems, it is important to make sure that the uidNumbers and gidNumbers are consistent across machines and between Unix and Samba.

I am a little hesitant to try recompiling samba because then I am not sure if nsswitch is calling the correct winbind files.
Thanks
On 09/20/16 04:49, Rowland Penny via samba wrote:
> See inline comments:
>
> On Mon, 19 Sep 2016 17:36:05 -0400
> Gaiseric Vandal via samba <samba at lists.samba.org> wrote:
>
>>
>> I am trying to configure idmap_ad on a linux member server (fedora
>> core 23, samba 4.3.11) with a Windows 2008 domain controller.    The
>> domain is "MYDOMAIN.COM" with a child domain of
>> "CHILD1.MYDOMAIN.COM."  By default those domains trust each
>> other.
>>
>>
>>
>> The MYDOMAIN PDC  has the unix identity mapping feature installed, so
>> I can use "active directory users and computers" to set unix
>> uidNumbers and gidNumbers (which start at 100.)      I have set
>> uidNumbers for some users but not others.      I have not  up unix
>> identity mapping on the child domain.
> This may be your problem, why are using 100-900 ? standard Unix users
> start at 1000, BUILTIN and anything outside the domain is using
> 2000-9999, so why not use IDs starting at 10000 ???
>
> Have you also given Domain Users a gidNumber ??
>
>>
>>
>> The partial smb.conf is
>>
>>
>>           security = ads
>>
>>
>>           workgroup = MYDOMAIN
>>           netbios name = LINUX1
>>
>>           realm = MYDOMAIN.COM
>>
>>          idmap config *:backend = tdb
>>          idmap config *:range = 2000-9999
>>
>>
>>          idmap config MYDOMAIN:backend = ad
>>          idmap config MYDOMAIN:schema_mode = rfc2307
>>          idmap config MYDOMAIN:range = 100-900
>>
>>          winbind nss info = rfc2307
>>            winbind enum users = yes
>>           winbind enum groups = yes
>>
>>
>>
>>
>>
>> I did need to fix a symlink since samba was looking for some
>> libraries in the wrong place
>>
>>
>>       #ln -s /usr/lib64/ldb /usr/lib64/samba/ldb
>>
>>
>>
>> I was able to join the domain
>>
>>       #net ads join -U administrator -S pdc.mydomain.com
>>
>>
>> I set /etc/krb5.conf to point to the domain controllers as the
>> kerberos server (although I don't think this is necessary at this
>> stage.)
> You needed this set up before you joined the domain and it should point
> to the realm.
>
>> the "wbinfo -u" and "wbinfo -g"  show users from
>> the domain.
>>
>>
>> I updated /etc/nsswitch.conf to include winbind
>>
>>
>>           passwd:     files sss winbind
>>           shadow:     files sss winbind
> I would suggest removing 'sss' if you are not using it, also remove
> 'winbind' from the shadow line and putting it on the group line.
>
>>
>> (sssd daemon is not enabled.)
>>
>>
>> The "getent passwd" command does NOT show users from
>> MYDOMAIN. The
>> weird thing is that it does show users from the child domain.
> Well, it would, they are getting mapped because they are not in your
> domain.
>
>>
>>
>> CHILD1\administrator:*:2000:2004:Administrator:/home/CHILD1/administrator:/bin/false
>> CHILD1\guest:*:2001:2005:Guest:/home/CHILD1/guest:/bin/false
>> CHILD1\krbtgt:*:2002:2004:krbtgt:/home/CHILD1/krbtgt:/bin/false
>> CHILD1\bobsmith:*:2003:2004:Bob Smith:/home/CHILD1/bobsmith:/bin/false
>> CHILD1\mydomain$:*:2004:2004:MYDOMAIN$:/home/CHILD1/ssci_:/bin/false
>>
>>
>> I tried the following settings with no luck
>>
>>       winbind nss info = templater
> I take it that is a typo and should have been 'template' and all
> that
> does (if using the 'ad' backend) is just use uidNumber &
> gidNumber
> attributes.
>
>>       idmap config MYDOMAIN:schema_mode = sfu
> If using 'ad' backend, just stick to 'schema_mode =
> rfc2307'
>
>>       winbind use default domain = yes
> This just removes the domain name from user & groupnames.
>
>>
>> The "testparm -v | grep domain" gives the following
>>
>>
>>
>>       allow trusted domains = Yes
>>       map untrusted to domain = No
>>       domain logons = No
>>       domain master = Auto
>>       winbind use default domain = No
>>       winbind trusted domains only = No
>>       winbind max domain connections = 1
>>
>>
>>
>> FYI I do have another linux machine , not running samba, that is
>> configured to use LDAP/Kerberos authentication against the same
>> domain controller so I am pretty use the unix attributes are set up
>> correctly.
>>
>> Appreciate any help.
> It might well do, but winbind works differently, see here for more info:
>
> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>
> Rowland
>
>
try to add this line to smb.conf

    winbind expand groups = 10

20.09.2016 01:36, Gaiseric Vandal via samba:
> I am trying to configure idmap_ad on a linux member server (fedora core
> 23, samba 4.3.11) with a Windows 2008 domain controller.
> [...]
Thanks to various people for the feedback.

I had created a test domain group "IT" with a gidNumber. Under active directory users and groups, the test users had IT as the primary group. Under the regular windows settings, the primary group was still "Domain Users" which did not have a gidNumber. Once I set a gidNumber, all was OK.

This also worked on Samba 3.6.25 on Solaris 11.

On 09/20/16 04:49, Rowland Penny via samba wrote:
> See inline comments:
> [...]