Name resolution on domain member samba-4.7.5 on Debian GNU/Linux 9 (stretch) fails with:

    francesco@pod:~$ wbinfo -i malvezzi
    failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
    Could not get info for user malvezzi

but:

    francesco@pod:~$ wbinfo -n malvezzi
    S-1-5-21-1685816022-1009459589-2082273856-8044 SID_USER (1)
    francesco@pod:~$ wbinfo -S S-1-5-21-1685816022-1009459589-2082273856-8044
    41312

41312 is the correct user's uidnumber.

    ldapsearch -N -Y GSSAPI -b dc=ad,dc=example,dc=org -H ldap://ateneo.ad.unimore.it 'cn=malvezzi' uidnumber givenName sn unixHomeDirectory loginShell
    SASL/GSSAPI authentication started
    SASL username: francesco@AD.EXAMPLE.ORG
    SASL SSF: 56
    SASL data security layer installed.
    # extended LDIF
    #
    # LDAPv3
    # base <dc=ad,dc=example,dc=org> with scope subtree
    # filter: cn=malvezzi
    # requesting: uidnumber givenName sn unixHomeDirectory loginShell
    #

    # malvezzi, people, ad.unimore.it
    dn: CN=malvezzi,OU=people,DC=ad,DC=example,DC=org
    sn: MALVEZZI
    givenName: Francesco
    uidNumber: 41312
    unixHomeDirectory: /home/malvezzi
    loginShell: /bin/bash

smb.conf is:

    [global]
    security = ADS
    workgroup = examplead
    realm = AD.EXAMPLE.ORG
    preferred master = no
    domain master = no
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    idmap config * : range = 3000-4999
    idmap config examplead:backend = ad
    idmap config examplead:schema_mode = rfc2307
    idmap config examplead:range = 5000-999999
    idmap config examplead:unix_nss_info = yes
    # this is the default
    idmap config examplead:unix_primary_group = no
    username map = /etc/samba/user.map
    winbind refresh tickets = yes
    winbind nss info = rfc2307
    winbind use default domain = yes
    winbind enum users = no
    winbind enum groups = no
    log file = /var/log/samba/log.%m
    max log size = 1000
    log level = 10
    panic action = /usr/share/samba/panic-action %d
    server role = member server
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

    [share]
    comment = Share
    path = /srv/share
    browseable = no
    read only = no

The ADDC is samba-4.8.0rc4 where I have the expected behaviour:

    francesco@ateneo:~$ wbinfo -i malvezzi
    ATENEOAD\malvezzi:*:41312:100::/home/malvezzi:/bin/bash
    francesco@ateneo:~$ wbinfo -n malvezzi
    S-1-5-21-1685816022-1009459589-2082273856-8044 SID_USER (1)
    francesco@ateneo:~$ wbinfo -S S-1-5-21-1685816022-1009459589-2082273856-8044
    41312
This is not a bug, but you ran into the pitfall of not good idmap default values for root and users; see bug #9837.
Just as a confirmation. The working setup [1] is:

    # Default idmap config for local BUILTIN accounts and groups
    ## idmap config * : backend = tdb
    idmap config * : range = 1000000-3000000

    # idmap config for the EXAMPLEAD domain
    idmap config examplead:backend = nss
    idmap config examplead:range = 1-999999

and (critical): add gidNumber to 'Domain users'.

regards,
Francesco

[1] if you prefer to set up nsswitch with sssd, which is just one of the choices.
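
Added example, not part of the thread or of Samba's code: a Python check that reads the idmap lines of the two configurations posted above, reports overlapping ranges, and lists which Unix IDs fall outside a domain's range (the idmap_ad manual page describes the range as a filter: IDs stored in AD outside it are ignored). The function names are hypothetical; uidNumber 41312 and GID 100 come from the wbinfo output in the report, and treating 100 as the primary group's gidNumber is an assumption.

```python
import re

# "idmap config DOMAIN : option = value"; spacing around ':' and '=' is free.
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*([^=]+?)\s*=\s*(.+?)\s*$", re.I)

# Both samples are copied from the thread (idmap lines only).
REPORTED = """
idmap config * : range = 3000-4999
idmap config examplead:backend = ad
idmap config examplead:schema_mode = rfc2307
idmap config examplead:range = 5000-999999
"""
WORKING = """
## idmap config * : backend = tdb
idmap config * : range = 1000000-3000000
idmap config examplead:backend = nss
idmap config examplead:range = 1-999999
"""

def parse_idmap(conf_text):
    """Return {domain: {option: value}} for active (uncommented) idmap lines."""
    domains = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            domains.setdefault(dom.lower(), {})[opt.lower()] = val
    return domains

def id_ranges(domains):
    """Return {domain: (low, high)} for every domain that sets a range."""
    return {d: tuple(int(x) for x in o["range"].split("-"))
            for d, o in domains.items() if "range" in o}

def overlapping(rngs):
    """Pairs of domains whose ID ranges intersect."""
    names = sorted(rngs)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if rngs[a][0] <= rngs[b][1] and rngs[b][0] <= rngs[a][1]]

def outside_range(rngs, domain, ids):
    """IDs that fall outside the domain's configured range."""
    low, high = rngs[domain.lower()]
    return {name: n for name, n in ids.items() if not low <= n <= high}

# uidNumber from the report; GID 100 as the primary group is an assumption.
SAMPLE_IDS = {"uidNumber": 41312, "gidNumber": 100}

if __name__ == "__main__":
    for label, conf in (("reported", REPORTED), ("working", WORKING)):
        r = id_ranges(parse_idmap(conf))
        print(label, r, overlapping(r), outside_range(r, "examplead", SAMPLE_IDS))
```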