We set up some Ubuntu 16.04 LTS workstations with Active Directory integration. It works with Evolution with EWS support and passes on the credentials, which is super nice. But not all of our Active Directory users could log in.
If I ran wbinfo -i I would get all the users in AD.
If I ran getent passwd I would get a subset of my AD users, specifically older accounts.
What I finally found was this: most tutorials tell you to put the following lines in /etc/samba/smb.conf
idmap uid = 10000-20000
idmap gid = 10000-20000
Those lines set the range of Unix UIDs (and GIDs) that winbind may hand out when it maps an Active Directory SID to a local account. With the rid idmap backend, which is the behaviour described here, the mapping is arithmetic: the last component of the SID (the RID) is added to the low end of the range. So, for example, if my SID ends in -900 my UID would be 10900 (900 + 10000). With the default tdb backend winbind instead allocates IDs sequentially from the range, so the numbers can differ from machine to machine, but the range limit applies either way.
The problem is that we've had the same domain for many, many years, so our SIDs are getting up there. A recent user had a SID ending in -29111, so his UID became 39111, which was past the range set up above. Anyone above that range isn't given a UID and therefore can't log in.
To fix this I changed the lines in /etc/samba/smb.conf to
idmap uid = 10000-100000
idmap gid = 10000-100000
After doing so and restarting the client for good measure, all my Active Directory accounts appeared when I ran getent passwd.
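As an added example (not code from the original post), the script below checks an smb.conf idmap range against a list of SIDs before anyone hits the login failure. It assumes the RID-based arithmetic described above (UID = low end of range + RID, as the rid backend does), reads the range from either the legacy "idmap uid = LOW-HIGH" line used in the post or the newer "idmap config * : range = LOW-HIGH" form, and uses constructed sample SIDs in place of the output of wbinfo -n for each user from wbinfo -u.

```python
"""Flag AD accounts whose RID-derived UID falls outside the winbind idmap range.

Added example, not the original post's code. Assumes the arithmetic mapping
UID = low end of range + RID (idmap_rid behaviour). SIDs below are constructed
sample data standing in for `wbinfo -n USER` output.
"""
import re

# Constructed sample: (username, SID) pairs as wbinfo -n would report them.
SAMPLE_USERS = [
    ("alice", "S-1-5-21-1004336348-1177238915-682003330-900"),
    ("bob",   "S-1-5-21-1004336348-1177238915-682003330-1105"),
    ("carol", "S-1-5-21-1004336348-1177238915-682003330-9999"),
    ("dave",  "S-1-5-21-1004336348-1177238915-682003330-10001"),
    ("erin",  "S-1-5-21-1004336348-1177238915-682003330-29111"),
]

# The range most tutorials suggest, and the widened one from the post.
OLD_CONF = "[global]\n   security = ads\n   idmap uid = 10000-20000\n   idmap gid = 10000-20000\n"
NEW_CONF = "[global]\n   security = ads\n   idmap uid = 10000-100000\n   idmap gid = 10000-100000\n"

# Accepts the legacy 'idmap uid = LOW-HIGH' line and the newer
# 'idmap config * : range = LOW-HIGH' form (assumed equivalent here).
_RANGE_RE = re.compile(
    r"^\s*(?:idmap\s+uid|idmap\s+config\s+\*\s*:\s*range)\s*=\s*(\d+)\s*-\s*(\d+)",
    re.IGNORECASE | re.MULTILINE,
)


def parse_idmap_range(smb_conf):
    """Return (low, high) from the first idmap range line in smb_conf."""
    m = _RANGE_RE.search(smb_conf)
    if not m:
        raise ValueError("no idmap uid range found in smb.conf")
    low, high = int(m.group(1)), int(m.group(2))
    if low > high:
        raise ValueError("inverted idmap range %d-%d" % (low, high))
    return low, high


def rid_of(sid):
    """The RID is the last dash-separated component of a SID."""
    if not re.fullmatch(r"S-1-\d+(?:-\d+)+", sid):
        raise ValueError("malformed SID: %s" % sid)
    return int(sid.rsplit("-", 1)[1])


def rid_to_uid(sid, low):
    """RID-backend style mapping: low end of the range plus the RID."""
    return low + rid_of(sid)


def unmappable_users(users, smb_conf):
    """(name, would-be UID) for every user whose UID lands above the range."""
    low, high = parse_idmap_range(smb_conf)
    out = []
    for name, sid in users:
        uid = rid_to_uid(sid, low)
        if uid > high:  # winbind gives these accounts no UID at all
            out.append((name, uid))
    return out


def required_high(users, low):
    """Smallest high bound that maps every listed user."""
    return max(rid_to_uid(sid, low) for _, sid in users)


if __name__ == "__main__":
    for label, conf in (("old", OLD_CONF), ("new", NEW_CONF)):
        low, high = parse_idmap_range(conf)
        missing = unmappable_users(SAMPLE_USERS, conf)
        print("%s range %d-%d: %d user(s) cannot be mapped" % (label, low, high, len(missing)))
        for name, uid in missing:
            print("  %s would need UID %d" % (name, uid))
    print("high bound needed for this domain: %d" % required_high(SAMPLE_USERS, 10000))
```

Run it against real data by replacing SAMPLE_USERS with the output of wbinfo -u piped through wbinfo -n, and feeding it the actual /etc/samba/smb.conf. When picking a new high bound, keep it clear of any local UID ranges already in use on the workstation.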