On 13/02/2023 16:50, Vaughan, Robert J via samba wrote:
> On 12/02/2023 16:40, Vaughan, Robert J via samba wrote:
>> Hi all
>>
>> In the idmap_config_ad wiki, it states ..
>>
>> If you use the winbind 'ad' backend, you must add a gidNumber attribute to the Domain Users group in AD.
>>
>> Can someone explain this?
>>
>
>>> Yes
>
>>> Every user's primaryGroupID attribute is set to 513, the RID for Domain
>>> Users. Unless Domain Users has a gidNumber attribute, then no users are
>>> shown by getent passwd & id via winbind.
>
>>> Rowland
>
> Ok, so I went and added a gidNumber to 'Domain Users'
>
> and 'id' does show that number next to 'domain users' as one of my groups
>
> But 'getent passwd' still only returns local users, no AD users
>
> 'wbinfo -u' does return the list of AD users (but not unix local users)
>
>
> Thanks,
>
> Robert Vaughan
>

OK, I think you need to post your smb.conf

Rowland

> On 12/02/2023 16:40, Vaughan, Robert J via samba wrote:
> Hi all
>
> In the idmap_config_ad wiki, it states ..
>
> If you use the winbind 'ad' backend, you must add a gidNumber attribute to the Domain Users group in AD.
>
> Can someone explain this?

>>> Yes
>>
>> Every user's primaryGroupID attribute is set to 513, the RID for Domain
>> Users. Unless Domain Users has a gidNumber attribute, then no users are
>> shown by getent passwd & id via winbind.
>>
>> Rowland

>>>>> Ok, so I went and added a gidNumber to 'Domain Users'
>>>
>>> and 'id' does show that number next to 'domain users' as one of my groups
>>>
>>> But 'getent passwd' still only returns local users, no AD users
>>>
>>> 'wbinfo -u' does return the list of AD users (but not unix local users)
>>>

>>>>>>>OK, I think you need to post your smb.conf
>>>>
>>>>Rowland

[global]
    kerberos method = secrets and keytab
    template homedir = /home/%U@%D
    workgroup = X
    template shell = /bin/bash
    security = ads
    realm = X.Y.COM
    idmap config X : range = 225-999999
    idmap config X : backend = ad
    idmap config X : schema_mode = rfc2307
    idmap config X : unix_primary_group = yes
    idmap config X : unix_nss_info = yes
    idmap config * : range = 1000000-1999999
    idmap config * : backend = tdb
    winbind use default domain = yes
    winbind refresh tickets = yes
    winbind offline logon = yes
    winbind enum groups = no
    winbind enum users = no
    log level = 1
    #log file = /var/samba/log/log.%m
    log file = /var/log/samba/log.%m
    max log size = 5000
    load printers = No
    printcap name = /dev/null
    printing = bsd
    preferred master = No
    local master = No
    domain master = No
    server signing = mandatory
    acl allow execute always = True
    include system krb5 conf = no
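
Added example (not part of either message, and not Samba project code): a small Python check over the idmap and enumeration lines of the smb.conf posted above. It flags a Domain Users gidNumber outside the domain's idmap range, overlapping idmap ranges, and `winbind enum users = no`, under which getpwent()-style enumeration such as a bare 'getent passwd' returns no domain users; the gidNumber passed in is a constructed value, since the thread does not give the one that was set.

```python
import re

# Constructed sample: the idmap and enumeration lines from the smb.conf posted above.
SMB_CONF = """
[global]
workgroup = X
idmap config X : range = 225-999999
idmap config X : backend = ad
idmap config * : range = 1000000-1999999
idmap config * : backend = tdb
winbind enum groups = no
winbind enum users = no
#log file = /var/samba/log/log.%m
"""

IDMAP_RE = re.compile(r"idmap config\s+(\S+)\s*:\s*(.+)", re.I)

def parse_global(text):
    """Return ({domain: {option: value}}, {other_param: value}) from smb.conf text."""
    idmap, params = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        m = IDMAP_RE.fullmatch(key)
        if m:
            idmap.setdefault(m.group(1), {})[m.group(2).strip().lower()] = value
        else:
            params[" ".join(key.lower().split())] = value
    return idmap, params

def audit(text, domain, gid_number):
    """List reasons AD users may not show up for `domain` given Domain Users' gidNumber."""
    idmap, params = parse_global(text)
    ranges = {d: tuple(int(n) for n in o["range"].split("-")) for d, o in idmap.items() if "range" in o}
    findings = []
    low, high = ranges[domain]
    if not low <= gid_number <= high:  # the range acts as a filter for the ad backend
        findings.append(f"gidNumber {gid_number} is outside {domain} range {low}-{high}; idmap_ad ignores it")
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"idmap ranges for {a} and {b} overlap")
    if params.get("winbind enum users", "no").lower() in ("no", "false", "0"):  # default is no
        findings.append("winbind enum users = no: 'getent passwd' without a name lists no domain users")
    return findings
```

Calling `audit(SMB_CONF, "X", 10000)` with the constructed gidNumber 10000 returns only the enumeration finding; a lookup by name, such as 'getent passwd username', is not affected by that setting.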