[Samba] Failed to find domain Unix Group

Data Control Systems - Mike Elkevizth mike at datacontrolsystems.com
Tue Jul 12 21:26:46 UTC 2016 

I had the same (or similar) issue on my DCs with the gid being 100 and the
uids being in the 3000000 range.   I'm not sure if you've already set these
in your smb.conf, but the relevant section in mine is:

idmap_ldb:use rfc2307 = yes
template shell = /bin/bash   #only needed so AD users can log into the DC
locally
winbind use default domain = yes
winbind enum users  = yes
winbind enum groups = yes

I also have to use the command 'net cache flush' on a semi-regular basis (I
run it via a cron job), or it seems that the DCs will eventually revert
back to the incorrect mappings.  I'm guessing that what happens is that
winbind checks for the rfc2307 value and for some reason it doesn't get a
response and then it adds an entry into the idmap.ldb file.  Winbind then
seems to prefer the idmap.ldb entry over the rfc2307 values.  I'm not sure
about all the details, but it works for me.

Mike E.


On Tue, Jul 12, 2016 at 4:58 PM, Rowland penny <rpenny at samba.org> wrote:

> On 12/07/16 21:46, Carlos A. P. Cunha wrote:
>
>>
>> Note: This working because I had to change all the permissions and the
>> files were left with various "waste" of old permissions.
>>
>>
>> Thanks
>>
>>
>> Em 12-07-2016 17:44, Carlos A. P. Cunha escreveu:
>>
>>>
>>> Hello!
>>> Sorry for the confusion this where SERVER is SERVERAD(right)
>>> At the time this all to work, but still followed the message! Errors in
>>> logs.
>>> And I'm afraid to change again.
>>>
>>> : - |
>>>
>>>
>>> Em 12-07-2016 17:40, Rowland penny escreveu:
>>>
>>>> OK, you posted your smb.conf from your fileserver, it contained these
>>>> lines:
>>>>
>>>> workgroup = SERVER
>>>>
>>>> and
>>>>
>>>> idmap config SERVERAD: backend = rid
>>>> # I changed values ​​for test
>>>> idmap config SERVERAD: range = 1000000000 to 9999999999
>>>>
>>>> I understand you changed the workgroup to post your smb.conf, but are
>>>> the actual names for 'SERVER' and 'SERVERAD' the same in your smb.conf,
>>>> because they should be.
>>>>
>>>> This doesn't explain why you are getting private groups, could you
>>>> check your AD to see if the groups exist.
>>>>
>>>
>>>
>>
> I don't understand how your users/groups changed their IDs, on the DC RIDs
> are mapped and stored in idmap.ldb, you are also using the winbind 'rid'
> backend and again, the user/group IDs are mapped from the RID by the
> algorithm:
>
>  ID = RID - BASE_RID + LOW_RANGE_ID
>
> The BASE_RID is '0' so this becomes:
>
> ID = RID + LOW_RANGE_ID
>
> So unless you changed the range in smb.conf, your user/group IDs shouldn't
> change.
>
> I still don't understand where your private groups are coming from,
> unless, are you running sssd or nlscd as well as winbindd ??
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

More information about the samba mailing list