On 03/06/2019 15:17, Nico wrote:
> Sorry, I forgot to specify: it's on a Samba AD DC (v4.10.3 and CentOS
> 7).
>
> My smb.conf :
>
> [global]
> server role = active directory domain controller
> netbios name = server_name
> realm = DOMAIN.LAN
> workgroup = DOMAIN
>
> server services = -dns
>
> idmap_ldb:use rfc2307 = yes
>
> bind interfaces only = yes
> interfaces = p3p1
>
Nothing wrong with the lines above.
> idmap config DOMAIN:range = 600-4000000
> idmap config DOMAIN:backend = tdb
> idmap uid = 600-4000000
> idmap gid = 600-4000000
>
> winbind gid = 600-4000000
> winbind uid = 600-4000000
Well, if you are going to get it wrong, you might as well get it
absolutely totally wrong ;-)
To put it another way, remove the lines above, they have no place in a
Samba AD DC smb.conf.
> winbind enum groups = yes
> winbind enum users = yes
Remove the lines above once you are sure everything is working
correctly.
> winbind use default domain = yes
The line above doesn't work on a DC.
> winbind nested groups = yes
> winbind refresh tickets = yes
>
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
>
The three lines above definitely shouldn't be in a Samba DC
smb.conf.
> log level = 3
> log file = /var/log/samba/samba_ad.log
> max log size = 50
>
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
>
> [netlogon]
> path = /usr/local/samba/var/locks/sysvol/ensim.univ-lemans.fr/scripts
> read only = No
>
> My nsswitch.conf :
> passwd: compat winbind
> shadow: compat winbind
> group: compat winbind
Remove 'winbind' from the 'shadow' line, it can cause problems and
doesn't actually do anything.
>
> hosts: files dns wins
>
AD runs on DNS, it doesn't use wins.
Do the libnss_winbind links exist?
Does 'getent passwd username' produce output?
Rowland
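As an added illustration (not part of the original thread, and not Samba's own tooling), the following POSIX shell script turns the advice in the reply above into a repeatable check: it flags the smb.conf directives that have no place on a Samba AD DC, flags 'winbind' on the shadow line and 'wins' on the hosts line of nsswitch.conf, and tests for the libnss_winbind link. The sample "before" and "after" configs it writes are constructed for the demo; the file names and the default library directory (/lib64) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original mailing-list thread: audit an smb.conf
# and nsswitch.conf against the points Rowland raises for a Samba AD DC.
# Sample configs are constructed; paths and the library directory are assumptions.

# Directives that do not belong in a Samba AD DC smb.conf (the DC handles
# idmap itself, and the vfs/ACL lines are for member servers, not DCs).
DC_BAD_RE='^[[:space:]]*(idmap config|idmap uid|idmap gid|winbind uid|winbind gid|winbind use default domain|vfs objects|map acl inherit|store dos attributes)[^=]*='

# Print the offending lines of an smb.conf; return 1 if any were found.
audit_smb_conf() {
    matches=$(grep -Ei "$DC_BAD_RE" "$1" || true)
    if [ -n "$matches" ]; then
        printf '%s\n' "$matches"
        return 1
    fi
    return 0
}

# Number of offending lines (prints 0 when the file is clean).
count_bad_directives() {
    grep -Eic "$DC_BAD_RE" "$1" || true
}

# nsswitch.conf: 'winbind' on the shadow line does nothing useful and can
# cause problems; 'wins' on the hosts line is pointless, AD runs on DNS.
check_nsswitch() {
    rc=0
    if grep -Eiq '^[[:space:]]*shadow:.*[[:space:]]winbind([[:space:]]|$)' "$1"; then
        echo "shadow: remove winbind"
        rc=1
    fi
    if grep -Eiq '^[[:space:]]*hosts:.*[[:space:]]wins([[:space:]]|$)' "$1"; then
        echo "hosts: remove wins, AD resolves names via DNS"
        rc=1
    fi
    return $rc
}

# Does a libnss_winbind link exist? Directory defaults to /lib64 (assumption).
check_libnss_winbind() {
    dir="${1:-/lib64}"
    ls "$dir"/libnss_winbind.so* >/dev/null 2>&1
}

# Constructed samples: 'before' mirrors the posted config, 'after' follows the advice.
write_sample_configs() {
    cat >"$1/smb.conf.before" <<'EOF'
[global]
    server role = active directory domain controller
    realm = DOMAIN.LAN
    workgroup = DOMAIN
    idmap_ldb:use rfc2307 = yes
    idmap config DOMAIN:range = 600-4000000
    idmap config DOMAIN:backend = tdb
    idmap uid = 600-4000000
    idmap gid = 600-4000000
    winbind gid = 600-4000000
    winbind uid = 600-4000000
    winbind enum groups = yes
    winbind enum users = yes
    winbind use default domain = yes
    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes
EOF
    cat >"$1/smb.conf.after" <<'EOF'
[global]
    server role = active directory domain controller
    realm = DOMAIN.LAN
    workgroup = DOMAIN
    idmap_ldb:use rfc2307 = yes
    # enum users/groups only while testing; remove once everything works
    winbind enum groups = yes
    winbind enum users = yes
EOF
    printf 'passwd: compat winbind\nshadow: compat winbind\ngroup: compat winbind\nhosts: files dns wins\n' >"$1/nsswitch.conf.before"
    printf 'passwd: compat winbind\nshadow: compat\ngroup: compat winbind\nhosts: files dns\n' >"$1/nsswitch.conf.after"
}

# Stand-alone demo over the constructed samples.
demo_dir=$(mktemp -d)
write_sample_configs "$demo_dir"
echo "== smb.conf as posted =="
audit_smb_conf "$demo_dir/smb.conf.before" || echo "-> remove the lines above"
echo "== nsswitch.conf as posted =="
check_nsswitch "$demo_dir/nsswitch.conf.before" || true
rm -rf "$demo_dir"
```

Run it against the real files with `audit_smb_conf /etc/samba/smb.conf` and `check_nsswitch /etc/nsswitch.conf`; a clean config produces no output and a zero exit status. `check_libnss_winbind` only answers Rowland's "do the links exist?" question, so the follow-up is still `getent passwd username` on the DC itself.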