samba 4.3.4: winbindd is mapping a user uid to an incorrect value

Rowland Penny repenny241155 at gmail.com
Thu Jan 14 14:27:26 UTC 2016


See inline comments:

On 14/01/16 13:57, Daniele Dario wrote:
> All users have a uidNumber in AD (I can see it with ldbedit/search) so I
> hope to not have orphans later.
>
>
> First off, thanks again. It seems I'm your nemesis :-(
>
> I know I need to setup a domain member as a fileserver. Just as a side
> question, would it be possible to make a DC become a domain member?

Not in the context of an AD domain member; you could, however, stop a DC 
and then reconfigure it (as per the wiki) as a domain member. I wouldn't 
do this though, it would be easier to set up another domain member.

>
> Getting back to my problem:
>
> ldbsearch -H /usr/local/samba/private/sam.ldb '(uidNumber=3000033)'
> # Referral
> ref: ldap://saitel.loc/CN=Configuration,DC=saitel,DC=loc
>
> # Referral
> ref: ldap://saitel.loc/DC=DomainDnsZones,DC=saitel,DC=loc
>
> # Referral
> ref: ldap://saitel.loc/DC=ForestDnsZones,DC=saitel,DC=loc
>
> # returned 3 records
> # 0 entries
> # 3 referrals
>
> So it seems the uidNumber is present but I can't find which records

Ah no, that says it cannot find the uidNumber 3000033.

> contain it.
>
> This is the smb.conf of kdc01
>
> # Global parameters
> [global]
>          workgroup = SAITEL
>          realm = saitel.loc
>          netbios name = KDC01
>          server role = active directory domain controller
>          dns forwarder = 8.8.8.8
>          idmap_ldb:use rfc2307 = yes
>          template shell = /bin/bash
>          log file = /var/log/log.samba
>          log level = 3
> #       server services = -winbindd +winbind
>
>          load printers = no
> [netlogon]
>          path = /usr/local/samba/var/locks/sysvol/saitel.loc/scripts
>          read only = no
>
> [sysvol]
>          path = /usr/local/samba/var/locks/sysvol
>          read only = no
>
> And this is the one for kdc03
>
> # Global parameters
> [global]
>          workgroup = SAITEL
>          realm = saitel.loc
>          netbios name = KDC03
>          server role = active directory domain controller
>          dns forwarder = 8.8.8.8
>          idmap_ldb:use rfc2307 = yes
>          template shell = /bin/bash
>          log file = /var/log/log.samba
>          log level = 2
> #       server services = -winbindd +winbind
>
>          printing = cups
>          printcap name = /var/run/cups/printcap
>          load printers = yes
>
>          rpc_server:spoolss = external
>          rpc_daemon:spoolssd = fork
>
> [netlogon]
>          path = /usr/local/samba/var/locks/sysvol/saitel.loc/scripts
>          read only = no
>
> [sysvol]
>          path = /usr/local/samba/var/locks/sysvol
>          read only = no
>

Have you given your users an attribute called 'uidNumber'? This 
attribute is *not* created automatically.

i.e. does:

ldbsearch -H /usr/local/samba/private/sam.ldb '(uidNumber=*)' uidNumber | grep 'uidNumber'

return anything?

Does:

ldbsearch -H /usr/local/samba/private/sam.ldb '(&(objectClass=group)(cn=Domain Users))' gidNumber | grep 'gidNumber'

return anything, and if so, what?

What does:

ldbsearch -H /usr/local/samba/private/sam.ldb '(&(objectClass=user)(samaccountname=marco))' uidNumber | grep uidNumber | awk '{print $NF}'

return? And is it '3000033' or '4001107'?

Rowland
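The confusion above came from reading a referral-only ldbsearch result as a hit. The following is an added example, not code from the thread or from the Samba project: it parses ldbsearch's LDIF-style output into entries and referrals, so a uidNumber lookup only returns values when a real record matched. The referral-only sample is constructed from the output quoted in the thread; the second sample, a matching record for 'marco', is hypothetical.

```python
# Constructed sample: the referral-only result quoted in the thread (no entries)
REFERRAL_ONLY = """\
# Referral
ref: ldap://saitel.loc/CN=Configuration,DC=saitel,DC=loc

# Referral
ref: ldap://saitel.loc/DC=DomainDnsZones,DC=saitel,DC=loc

# Referral
ref: ldap://saitel.loc/DC=ForestDnsZones,DC=saitel,DC=loc

# returned 3 records
# 0 entries
# 3 referrals
"""
# Constructed sample: a hypothetical matching record for 'marco' plus one referral
WITH_ENTRY = """\
# record 1
dn: CN=marco,CN=Users,DC=saitel,DC=loc
uidNumber: 3000033

# Referral
ref: ldap://saitel.loc/CN=Configuration,DC=saitel,DC=loc

# returned 2 records
# 1 entries
# 1 referrals
"""

def parse_ldb_output(text):
    """Split ldbsearch output into entries (attr -> values) and referral URLs."""
    entries, referrals = [], []
    for block in text.strip().split("\n\n"):
        # '#' lines are comments, including the trailing 'returned N records' summary
        lines = [ln for ln in block.splitlines() if ln and not ln.startswith("#")]
        if not lines:
            continue  # summary block: comments only, not a record
        if lines[0].startswith("ref:"):
            referrals.append(lines[0].split(":", 1)[1].strip())
            continue
        entry = {}
        for line in lines:
            key, _, value = line.partition(":")
            entry.setdefault(key.strip(), []).append(value.strip())
        entries.append(entry)
    return entries, referrals

def attribute_values(text, attr="uidNumber"):
    """Values of attr across matched entries; [] when only referrals came back."""
    entries, _ = parse_ldb_output(text)
    return [v for e in entries for v in e.get(attr, [])]
```

Piping real ldbsearch output into `attribute_values` gives an empty list for the referral-only case, which is the "0 entries" situation the thread is about.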
