Hi,
We have an AD Forest in the following hierarchy made of parent
and child domain controllers. Recently we joined an Ubuntu 16.04
server as a domain member to a Windows 2012 child domain controller.
Integration was completed successfully. The domain user we used for
joining to DC is a member of our own created "domain admins" group
which has rights to join a domain member to our DC. This user is not
a part of default "Domain Admins" group. Later when we are trying to
fetch the AD users using "wbinfo -u" and "getent passwd" commands,
we observed that some of the AD users present in some of the OU's of
child domain controller were not retrieved. Below is the smb.conf file
we used to integrate with the Windows DC.
#======================= Global Settings ======================
[global]
# No .tld
workgroup = SAMDOM
# Active Directory System
security = ADS
# With .tld
realm = SAMDOM.LOCAL
wins server = SAMDOM.LOCAL
# Just a member server
domain master = no
local master = no
preferred master = no
# Works both in samba 3.2 and 3.6.
idmap backend = tdb
idmap config *:range = 3000-29999
# no .tld
idmap config SAMDOM:backend = rid
idmap config SAMDOM:range = 30000-99999
winbind enum users = yes
winbind enum groups = yes
# This way users log in with username instead of username at example.org
# Inherit groups in groups
winbind nested groups = yes
winbind refresh tickets = yes
winbind offline logon = true
# Becomes /home/example/username
template homedir = /home/%U
# No shell access
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
restrict anonymous = 2
log file = /var/log/samba/samba.log
log level = 3
max log size = 204800
map untrusted to domain = Yes
passdb backend = tdbsam
# username map = /usr/local/samba/etc/user.map
# ncalrpc dir = /var/run/samba/ncalrpc
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
# winbind use default domain = yes
client ipc max protocol = NT1
Can anyone please help us with this issue?
Thanks & Regards,
Srikar.
Rowland Penny
2018-May-08 16:09 UTC
[Samba] wbinfo_And_getent_Not_Showing_Complete_AD_Users
On Tue, 8 May 2018 08:31:28 -0700 (MST) srikar82 via samba <samba at lists.samba.org> wrote:

> Hi,
> We have an AD Forest in the following hierarchy made of parent
> and child domain controllers. Recently we joined an Ubuntu 16.04
> server as a domain member to a Windows 2012 child domain controller.
> Integration was completed successfully. The domain user we used for
> joining to DC is a member of our own created "domain admins" group
> which has rights to join a domain member to our DC. This user is not
> a part of default "Domain Admins" group. Later when we are trying to
> fetch the AD users using "wbinfo -u" and "getent passwd" commands,
> we observed that some of the AD users present in some of the OU's of
> child domain controller were not retrieved. Below is the smb.conf file
> we used to integrate with the Windows DC.
>

Hmm, so you have a group in AD called 'Domain Admins' and another called 'domain admins', don't think this is a good idea, for proof (note this is on a DC, but the same would occur on a Unix domain member):

root@dc4:~# getent group Domain\ Admins
SAMDOM\domain admins:x:3000011:

Oh look, Unix sees 'Domain Admins' as 'domain admins'

Perhaps using 'Unix Admins' instead might be a better idea.

Rowland
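
The case folding shown in the reply above can be checked for before a group name is chosen. The following is an added example, not part of either message: the function name find_case_collisions and the sample names are assumptions constructed here. It reads one name per line (the layout `wbinfo -g` prints) and reports names that differ only by case.

```shell
#!/bin/sh
# Added example: flag account names that become indistinguishable once case
# is folded, as happened to 'Domain Admins' in the getent lookup above.

# Reads one name per line on stdin. A DOMAIN\ prefix, if present, takes part
# in the comparison, so the same group name in two different domains is not
# reported. Prints one line per collision:
#   <folded name>: <spelling 1> | <spelling 2> ...
find_case_collisions() {
    awk '
        {
            sub(/\r$/, "")                  # tolerate CRLF lists exported from Windows
            if ($0 == "") next              # skip blank lines
            key = tolower($0)
            if ((key, $0) in seen) next     # same exact spelling already counted
            seen[key, $0] = 1
            if (count[key]++ == 0)
                spellings[key] = $0
            else
                spellings[key] = spellings[key] " | " $0
        }
        END {
            for (key in count)
                if (count[key] > 1)
                    print key ": " spellings[key]
        }
    ' | sort
}

# Constructed sample input (not taken from the poster's domain).
sample_names() {
    cat <<'EOF'
SAMDOM\Domain Admins
SAMDOM\domain admins
SAMDOM\Domain Users
SAMDOM\Unix Admins
SAMDOM\Domain Admins
EOF
}

sample_names | find_case_collisions
```

Any list of names that will be referenced on the Unix side (sudoers entries, `valid users` lines) can be piped through the same function alongside the names the domain already has.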