> On 12/02/2023 16:40, Vaughan, Robert J via samba wrote:
> Hi all
>
> In the idmap_config_ad wiki, it states ..
>
> If you use the winbind 'ad' backend, you must add a gidNumber attribute to the Domain Users group in AD.
>
> Can someone explain this?
>
>> Yes
>>
>> Every user's primaryGroupID attribute is set to 513, the RID for Domain
>> Users. Unless Domain Users has a gidNumber attribute, then no users are
>> shown by getent passwd & id via winbind.
>>
>> Rowland
>>
>>> Ok, so I went and added a gidNumber to 'Domain Users'
>>>
>>> and 'id' does show that number next to 'domain users' as one of my groups
>>>
>>> But 'getent passwd' still only returns local users, no AD users
>>>
>>> 'wbinfo -u' does return the list of AD users (but not unix local users)
>>>
>>>
>>>> OK, I think you need to post your smb.conf
>>>>
>>>> Rowland
[global]
kerberos method = secrets and keytab
template homedir = /home/%U@%D
workgroup = X
template shell = /bin/bash
security = ads
realm = X.Y.COM
idmap config X : range = 225-999999
idmap config X : backend = ad
idmap config X : schema_mode = rfc2307
idmap config X : unix_primary_group = yes
idmap config X : unix_nss_info = yes
idmap config * : range = 1000000-1999999
idmap config * : backend = tdb
winbind use default domain = yes
winbind refresh tickets = yes
winbind offline logon = yes
winbind enum groups = no
winbind enum users = no
log level = 1
#log file = /var/samba/log/log.%m
log file = /var/log/samba/log.%m
max log size = 5000
load printers = No
printcap name = /dev/null
printing = bsd
preferred master = No
local master = No
domain master = No
server signing = mandatory
acl allow execute always = True
include system krb5 conf = no
I should mention that I can ssh into the server using my AD creds and the one test
share I set up also maps fine, so it all seems to be working; I was just curious
why 'getent passwd' does not show AD accounts.
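As an added example (not part of the thread, and not Samba's own code), a small offline check that reads the idmap and winbind lines of an smb.conf like the one posted above and reports what they imply for 'getent passwd': it flags the 'ad' backend domain, for which the gidNumber requirement on Domain Users applies, checks the idmap ranges for overlap, and notes the documented Samba behaviour that 'winbind enum users = no' stops plain 'getent passwd' from listing winbind users while single-name lookups still work. The sample config below is constructed from the lines in the post.

```python
import re

# Constructed sample: the idmap/winbind lines from the smb.conf posted in the thread.
SAMPLE_SMB_CONF = """[global]
idmap config X : range = 225-999999
idmap config X : backend = ad
idmap config * : range = 1000000-1999999
idmap config * : backend = tdb
winbind enum groups = no
winbind enum users = no
#log file = /var/samba/log/log.%m
"""

def parse_global(text: str) -> dict[str, str]:
    """Return the [global] section as {key: value}; keys lower-cased, ':' spacing collapsed."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif line and line[0] not in "#;" and section == "global" and "=" in line:
            key, value = line.split("=", 1)
            key = re.sub(r"\s*:\s*", ":", " ".join(key.lower().split()))
            params[key] = value.strip()
    return params

def diagnose(text: str) -> list[str]:
    """Predict, from the config alone, what 'getent passwd' can show for AD users."""
    params = parse_global(text)
    findings: list[str] = []
    # Without enumeration, plain 'getent passwd' lists only local users; 'getent passwd <name>' still resolves.
    if params.get("winbind enum users", "yes").lower() in ("no", "false", "0"):
        findings.append("winbind enum users = no: 'getent passwd' will not list AD users")
    domains: dict[str, dict[str, str]] = {}
    for key, value in params.items():
        m = re.fullmatch(r"idmap config (\S+):(\S+)", key)
        if m:  # group 'idmap config DOM:param' by domain ('*' is the default backend)
            domains.setdefault(m.group(1), {})[m.group(2)] = value
    seen: list[tuple[int, int]] = []
    for dom, cfg in domains.items():
        if "range" not in cfg:
            findings.append(f"idmap config {dom}: no range set")
            continue
        low, high = (int(n) for n in cfg["range"].split("-"))
        if any(lo <= high and low <= hi for lo, hi in seen):  # ranges must not overlap
            findings.append(f"idmap config {dom}: range {low}-{high} overlaps another domain")
        seen.append((low, high))
        if cfg.get("backend") == "ad":  # the wiki requirement the thread is about
            findings.append(f"idmap config {dom}: 'ad' backend, Domain Users needs a gidNumber in AD")
    return findings
```

Run diagnose() on the real /etc/samba/smb.conf to see the same findings for a live host; it only reads the file and never touches winbind or AD.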