Re: [Samba] Domain member server: user access

On Mon, 25 Sep 2017 17:10:57 +0200
"Stefan G. Weichinger via samba" <samba@xxxxxxxxxxxxxxx> wrote:

> On 2017-09-25 at 17:04, Rowland Penny via samba wrote:
> > How many times do I have to say this, 'wbinfo' connects directly to
> > AD. To show that your users & groups are known to Unix, you MUST use
> > 'getent'
> I am sorry.
> So you want me to do:

This is strange.

> DC # getent group "domain users"
> ARBEITSGRUPPE\domain users:x:100:

If I turn off winbind in /etc/nsswitch and run 'getent group "Domain
Users"' I get nothing returned, even though there is this in idmap.ldb

dn: CN=S-1-5-21-1768301897-3342589593-1064908849-513
cn: S-1-5-21-1768301897-3342589593-1064908849-513
objectClass: sidMap
objectSid: S-1-5-21-1768301897-3342589593-1064908849-513
xidNumber: 100
distinguishedName: CN=S-1-5-21-1768301897-3342589593-1064908849-513

> DM # getent group "domain users"
> domain users:x:10513

Whereas with winbind in /etc/nsswitch.conf on both machines, I get the
same result.

I always set up libnss-winbind on DCs and use the 'ad' backend on Unix
domain members. So, I cannot remember if this is how a DC works if
you don't set up PAM and libnss_winbind on a DC, but I don't think it
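Added example, not part of the original message: the thread turns on whether winbind is listed in nsswitch.conf when 'getent' is run, so this sketch reads an nsswitch.conf and reports, for the passwd and group databases, whether winbind is a configured source. The function names (nss_sources, nss_has_winbind, check_nss) and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: does nsswitch.conf list winbind for passwd and group?
# All function names here are hypothetical helpers, not Samba tools.

# nss_sources FILE DB -> prints the sources configured for DB, one per line.
# Comments and [STATUS=action] items such as [NOTFOUND=return] are ignored.
nss_sources() {
    sed -e 's/#.*//' -e 's/\[[^]]*]/ /g' "$1" |
    awk -F: -v db="$2" '
        { name = $1; gsub(/[ \t]/, "", name) }
        NF >= 2 && name == db {
            n = split($2, src, /[ \t]+/)
            for (i = 1; i <= n; i++) if (src[i] != "") print src[i]
        }'
}

# nss_has_winbind FILE DB -> exit status 0 if winbind is a source for DB.
nss_has_winbind() {
    nss_sources "$1" "$2" | grep -qx 'winbind'
}

# check_nss FILE -> one status line per database; returns 1 if either
# passwd or group does not list winbind.
check_nss() {
    rc=0
    for db in passwd group; do
        if nss_has_winbind "$1" "$db"; then
            echo "$db: winbind listed"
        else
            echo "$db: winbind NOT listed, getent will not consult winbind"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: winbind active for passwd, commented out for group.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed nsswitch.conf fragment
passwd:   files winbind
group:    files [NOTFOUND=return] # winbind
EOF
check_nss "$sample" || true
rm -f "$sample"
```

On a real host, run `check_nss /etc/nsswitch.conf` before comparing 'getent group' output between the DC and the domain member.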


