Hello,

after a classicupgrade from samba3 with openldap we want to set up a
samba-fileserver. We would like to use the winbind ad backend. So we
configured the smb.conf with the following settings:
-----------------

--------# Global parameters
[global]
        bind interfaces only = Yes
        interfaces = 192.168.56.102
        realm = EXAMPLE.DE
        workgroup = EXAMPLE
        registry shares = Yes
        security = ADS
        template shell = /bin/bash
        winbind enum groups = Yes
        winbind enum users = Yes
        winbind nss info = rfc2307
        winbind refresh tickets = Yes
        winbind use default domain = Yes
        idmap config EXAMPLE : schema_mode = rfc2307
        idmap config EXAMPLE : range = 1001 - 200000
        idmap config EXAMPLE : backend = ad
        idmap config * : range = 1000000 - 1999999
        idmap config * : backend = tdb
        store dos attributes = Yes
        inherit acls = Yes
        vfs objects = acl_xattr
---------

All users in AD have a unique uidNumber and all the other
Unix-Attributes, but no uid-Attribute. All uidNumbers are inside the
range configured in smb.conf.
But we will not get any user listed with "getent passwd". We tried to
switch to winbind backend rid, then everything is working. All users
are listed. Here is the smb.conf with the backend rid:
---------
[global]
        workgroup = EXAMPLE
        realm = EXAMPLE.DE
        security = ADS
        winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes
        winbind refresh tickets = yes
        template shell = /bin/bash
        idmap config * : range = 10000 - 19999
        idmap config EXAMPLE : backend = rid
        idmap config EXAMPLE : range = 1000000 - 1999999
        inherit acls = yes
        store dos attributes = yes
        vfs objects = acl_xattr
        interfaces = 192.168.56.102
        bind interfaces only = yes
---------
Even with log level 3 we didn't get any error message. Where should we
look next, or what is wrong in our configuration?

Stefan

On Wed, 26 Oct 2016 16:02:08 +0200
Stefan Kania via samba <samba at lists.samba.org> wrote:

> Hello,
>
> after a classicupgrade from samba3 with openldap we want to set up a
> samba-fileserver. We would like to use the winbind ad backend. So we
> configured the smb.conf with the following settings:
> -----------------
>
> --------# Global parameters
> [global]
>         bind interfaces only = Yes
>         interfaces = 192.168.56.102
>         realm = EXAMPLE.DE
>         workgroup = EXAMPLE
>         registry shares = Yes
>         security = ADS
>         template shell = /bin/bash
>         winbind enum groups = Yes
>         winbind enum users = Yes
>         winbind nss info = rfc2307
>         winbind refresh tickets = Yes
>         winbind use default domain = Yes
>         idmap config EXAMPLE : schema_mode = rfc2307
>         idmap config EXAMPLE : range = 1001 - 200000
>         idmap config EXAMPLE : backend = ad
>         idmap config * : range = 1000000 - 1999999
>         idmap config * : backend = tdb
>         store dos attributes = Yes
>         inherit acls = Yes
>         vfs objects = acl_xattr
> ---------
>
> All users in AD have a unique uidNumber and all the other
> Unix-Attributes, but no uid-Attribute. All uidNumbers are inside the
> range configured in smb.conf.
> But we will not get any user listed with "getent passwd". We tried to
> switch to winbind backend rid, then everything is working. All users
> are listed. Here is the smb.conf
> with the backend rid:
> ---------
> [global]
>         workgroup = EXAMPLE
>         realm = EXAMPLE.DE
>         security = ADS
>         winbind use default domain = yes
>         winbind enum users = yes
>         winbind enum groups = yes
>         winbind refresh tickets = yes
>         template shell = /bin/bash
>         idmap config * : range = 10000 - 19999
>         idmap config EXAMPLE : backend = rid
>         idmap config EXAMPLE : range = 1000000 - 1999999
>         inherit acls = yes
>         store dos attributes = yes
>         vfs objects = acl_xattr
>         interfaces = 192.168.56.102
>         bind interfaces only = yes
> ---------
> Even with log level 3 we didn't get any error message. Where should we
> look next, or what is wrong in our configuration?
>
> Stefan
>

Have you given 'Domain users' a gidNumber attribute containing a number
inside '1001 - 200000' ??

Rowland

Hi Rowland,

not for all users, some users have a gidNumber not inside the range. I
expected to see the users with a gidNumber inside the range. It was a
classicupgrade from a very old samba3, so we have gidNumbers below 100
for some users, but we only want to have the users with a gidNumber
inside the range. So we don't care about the users outside the range.

Stefan

>
> Have you given 'Domain users' a gidNumber attribute containing a number
> inside '1001 - 200000' ??
>
> Rowland
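
Added example (not part of the thread and not Samba code): a small Python check of the point Rowland raises. It parses the domain's idmap range from the posted 'ad' backend settings and lists users and groups whose uidNumber or gidNumber is missing or outside that range. The directory entries, names and IDs below are constructed sample data, and the function names are hypothetical.

```python
import re

# Constructed sample: the idmap lines of the 'ad' backend smb.conf in the thread.
SMB_CONF = """
idmap config EXAMPLE : schema_mode = rfc2307
idmap config EXAMPLE : range = 1001 - 200000
idmap config EXAMPLE : backend = ad
idmap config * : range = 1000000 - 1999999
idmap config * : backend = tdb
"""
# Constructed directory entries (hypothetical names and IDs, not from the thread).
USERS = [
    {"name": "alice", "uidNumber": 10001, "gidNumber": 10000},
    {"name": "bob", "uidNumber": 10002, "gidNumber": 50},  # old gid below 100
    {"name": "carol", "uidNumber": None, "gidNumber": 10000},  # attribute not set
]
GROUPS = [{"name": "Domain Users", "gidNumber": None}]  # no gidNumber set

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\S+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Return {domain: {option: value}}; 'range' becomes a (low, high) tuple."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, opt, val = m.group(1), m.group(2).lower(), m.group(3)
        if opt == "range":
            val = tuple(int(x) for x in val.split("-"))
        domains.setdefault(dom, {})[opt] = val
    return domains

def out_of_range(entries, attr, id_range):
    """Names of entries whose attr is missing or outside id_range (inclusive)."""
    low, high = id_range
    return [e["name"] for e in entries
            if e.get(attr) is None or not low <= e[attr] <= high]

def report(conf, domain, users, groups):
    """Summarise which entries the domain's idmap range does not cover."""
    rng = parse_idmap(conf)[domain]["range"]
    return {
        "range": rng,
        "users_bad_uid": out_of_range(users, "uidNumber", rng),
        "users_bad_gid": out_of_range(users, "gidNumber", rng),
        "groups_bad_gid": out_of_range(groups, "gidNumber", rng),
    }
```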