Hi,

We have an AD Forest in the following hierarchy made of parent and child domain controllers. Recently we joined an Ubuntu 16.04 server as a domain member to a Windows 2012 child domain controller. Integration was completed successfully. The domain user we used for joining to DC is a member of our own created "domain admins" group which has rights to join a domain member to our DC. This user is not a part of default "Domain Admins" group. Later when we are trying to fetch the AD users using "wbinfo -u" and "getent passwd" commands, observed that some of the AD users present in some of the OU's of child domain controller were not retrieved. Below is the smb.conf file we used to integrate with the Windows DC.

#======================= Global Settings ======================
[global]
# No .tld
workgroup = SAMDOM
# Active Directory System
security = ADS
# With .tld
realm = SAMDOM.LOCAL
wins server = SAMDOM.LOCAL
# Just a member server
domain master = no
local master = no
preferred master = no
# Works both in samba 3.2 and 3.6.
idmap backend = tdb
idmap config *:range = 3000-29999
# no .tld
idmap config SAMDOM:backend = rid
idmap config SAMDOM:range = 30000-99999
winbind enum users = yes
winbind enum groups = yes
# This way users log in with username instead of username at example.org
# Inherit groups in groups
winbind nested groups = yes
winbind refresh tickets = yes
winbind offline logon = true
# Becomes /home/example/username
template homedir = /home/%U
# No shell access
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
restrict anonymous = 2
log file = /var/log/samba/samba.log
log level = 3
max log size = 204800
map untrusted to domain = Yes
passdb backend = tdbsam
# username map = /usr/local/samba/etc/user.map
# ncalrpc dir = /var/run/samba/ncalrpc
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
# winbind use default domain = yes
client ipc max protocol = NT1

Can anyone please help us with this issue

Thanks & Regards,
Srikar.

--
Sent from: http://samba.2283325.n4.nabble.com/Samba-General-f2403709.html
Rowland Penny
2018-May-08 16:09 UTC
[Samba] wbinfo_And_getent_Not_Showing_Complete_AD_Users
On Tue, 8 May 2018 08:31:28 -0700 (MST) srikar82 via samba <samba at lists.samba.org> wrote:

> Hi,
> We have an AD Forest in the following hierarchy made of parent
> and child domain controllers. Recently we joined an Ubuntu 16.04
> server as a domain member to a Windows 2012 child domain controller.
> Integration was completed successfully. The domain user we used for
> joining to DC is a member of our own created "domain admins" group
> which has rights to join a domain member to our DC. This user is not
> a part of default "Domain Admins" group. Later when we are trying to
> fetch the AD users using "wbinfo -u" and "getent passwd" commands,
> observed that some of the AD users present in some of the OU's of
> child domain controller were not retrieved. Below is the smb.conf file
> we used to integrate with the Windows DC.
>

Hmm, so you have a group in AD called 'Domain Admins' and another called 'domain admins', don't think this is a good idea, for proof (note this is on a DC, but the same would occur on a Unix domain member):

root@dc4:~# getent group Domain\ Admins
SAMDOM\domain admins:x:3000011:

Oh look, Unix sees 'Domain Admins' as 'domain admins'

Perhaps using 'Unix Admins' instead might be a better idea.

Rowland
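
Added example (not part of the thread, and not Samba project code): the getent output in the reply above shows 'Domain Admins' coming back as 'domain admins'. The shell function below, whose name find_case_collisions is made up for this example, reads group names one per line (the shape `wbinfo -g` prints) and reports names that differ only by letter case; the sample input is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: flag group names that differ only by case.
# Reads one name per line on stdin; prints each colliding set on one line.
find_case_collisions() {
    awk '
    {
        sub(/\r$/, "")                      # tolerate CRLF input
        if ($0 == "" || ($0 in seen)) next  # skip blanks and exact repeats
        seen[$0] = 1
        key = tolower($0)                   # case-folded form used for comparison
        if (key in spellings) {
            spellings[key] = spellings[key] " | " $0
            clash[key] = 1
        } else {
            spellings[key] = $0
            order[++n] = key                # remember first-seen order
        }
    }
    END {
        for (i = 1; i <= n; i++)
            if (order[i] in clash) print spellings[order[i]]
    }'
}

# Constructed sample standing in for `wbinfo -g` output on a domain member.
printf '%s\n' \
    'SAMDOM\Domain Admins' \
    'SAMDOM\domain admins' \
    'SAMDOM\Domain Users' \
    'SAMDOM\Unix Admins' | find_case_collisions
```

On a domain member the same function can be fed live data with `wbinfo -g | find_case_collisions`; no output means no case-only clashes were found.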