Thanks for the suggestions. I tried them without success.

Strange that wbinfo works but getent does not.

On Wed, May 31, 2023 at 10:55 AM Christian Naumer <christian.naumer at greyfish.net> wrote:

> It works for us with Rocky Linux 8.8 and Samba 4.17.5. DCs are Samba
> 4.18.2.
>
>
> Looking at your conf I see this:
>
> I do _not_ have this:
>
> idmap config DOMAIN:unix_primary_group = yes
>
> I have and you don't:
>
> disable netbios = yes
> smb ports = 445
> server min protocol = SMB2
> client min protocol = SMB2
>
> Different:
>
> kerberos method = secrets and keytab
>
>
> And this is deprecated:
>
> winbind nss info = rfc2307
>
> see here:
> https://wiki.samba.org/index.php/Idmap_config_ad
>
> Maybe some things to try. I know another "it works for me" is not always
> helpful...
>
>
>
> Regards
>
> Christian
>
>
> On Wednesday, 31.05.2023 at 10:12 -0300, Dale Renton via samba wrote:
> > Is anyone using Rocky Linux or AlmaLinux or RHEL 8.8 as a Samba Domain
> > Member joined to a Samba Active Directory Domain?
> >
> > realm list returns :
> > ad.example.com
> >   type: kerberos
> >   realm-name: AD.EXAMPLE.COM
> >   domain-name: ad.example.com
> >   configured: kerberos-member
> >   server-software: active-directory
> >   client-software: winbind
> >   required-package: oddjob-mkhomedir
> >   required-package: oddjob
> >   required-package: samba-winbind-clients
> >   required-package: samba-winbind
> >   required-package: samba-common-tools
> >   login-formats: %U
> >   login-policy: allow-any-login
> >
> > /etc/nsswitch.conf
> > passwd: files winbind systemd
> > group: files winbind systemd
> >
> > Thanks,
> > Dale
> >

On 04/06/2023 15:11, Dale Renton via samba wrote:

> Thanks for the suggestions. I tried them without success.
>
> Strange that wbinfo works but getent does not.
>

Not really, wbinfo reads directly from AD, getent goes via nsswitch.

For getent to work using the 'ad' idmap backend, a few things have to fall into place:

You have to set the correct relevant lines in smb.conf.

You have to give the Domain Users group a gidNumber, or if using 'idmap config WORKGROUP : unix_primary_group = yes', that the relevant group has a gidNumber.

You give the user a uidNumber and if using 'unix_primary_group' the relevant group's gidNumber.

All Numbers used for the uidNumber & gidNumber attributes must be inside the range you set for the 'WORKGROUP' in smb.conf.

Usually when a user doesn't get a UID, one of the above isn't correct.

Rowland
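
The checklist in the reply above, written out as an added example (not part of either poster's message and not Samba code): it reads the 'idmap config' lines for one domain and tests each user's uidNumber/gidNumber against the configured range. The smb.conf fragment, the ranges, and the user and group attribute values are constructed for illustration; check_user and idmap_options are hypothetical helper names.

```python
import re

# Constructed smb.conf fragment; domain name and ranges are assumptions.
SMB_CONF = """
[global]
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config WORKGROUP : backend = ad
    idmap config WORKGROUP : range = 10000-999999
    idmap config WORKGROUP : unix_primary_group = yes
"""
# Constructed AD attributes (what a directory query would show); None = unset.
GROUPS = {"Domain Users": 10000, "staff": 10050}
USERS = {
    "alice": {"uidNumber": 10001, "gidNumber": 10050},
    "bob": {"uidNumber": 5000, "gidNumber": 10000},    # uid below the range
    "carol": {"uidNumber": 10003, "gidNumber": None},  # no gidNumber on user
}

OPTION = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*([^=]+?)\s*=\s*(.+?)\s*$", re.I)

def idmap_options(conf_text, domain):
    """Collect 'idmap config DOMAIN : key = value' settings for one domain."""
    opts = {}
    for line in conf_text.splitlines():
        m = OPTION.match(line)
        if m and m.group(1).upper() == domain.upper():
            opts[m.group(2).lower()] = m.group(3)
    return opts

def check_user(opts, user, groups):
    """Return the checklist items this user fails (empty list = all pass)."""
    m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", opts.get("range", ""))
    if opts.get("backend") != "ad" or not m:
        return ["smb.conf: 'ad' backend or range not set for the domain"]
    low, high = int(m.group(1)), int(m.group(2))
    ok = lambda n: n is not None and low <= n <= high
    problems = []
    if not ok(user.get("uidNumber")):
        problems.append("uidNumber missing or outside range")
    if opts.get("unix_primary_group", "no").lower() in ("yes", "true", "1"):
        gid = user.get("gidNumber")
        if not ok(gid) or gid not in groups.values():
            problems.append("user gidNumber missing, outside range or not a group's gidNumber")
    elif not ok(groups.get("Domain Users")):
        problems.append("Domain Users gidNumber missing or outside range")
    return problems

if __name__ == "__main__":
    opts = idmap_options(SMB_CONF, "WORKGROUP")
    for name, attrs in USERS.items():
        print(name, check_user(opts, attrs, GROUPS) or "ok")
```

An empty result for a user means every item on the list is satisfied for that account; anything else names the item to fix before expecting getent to return the user.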