[Samba] Preemptive answer on idmap error
mdavidson at mountwashington.org
Thu May 17 15:45:07 GMT 2007
I recently had a problem with Winbind where new Active Directory user
accounts could not access the list of shares on a particular Samba server.
"wbinfo -u" showed that the users did exist, but they were not appearing in
"getent passwd" results. "/var/log/samba/winbind.log" showed the following
error (with Winbind error logging set to either 2 or 3):
idmap Fatal Error: UID range full!! (max: 20000)
>From the error, you can see that I have the idmap limit set to 20000 in
smb.conf. I was nowhere near that limit and couldn't figure out why another
server with an identical Samba version and an identical smb.conf worked fine
for the users in question.
I searched this mailing list and the Internet, but came up empty handed for
several days. I eventually found relatively simple instructions that proved
Shut down Samba and Winbind (service winbind stop, service smb stop)
Rename these files (and delete them after confirming the solution):
I suspect it was the latter two that did the trick, as the smbpasswd file
isn't used in an AD integrated environment.
The directions said to rejoin the domain (for me "net ads join -U
administrator"), but I don't know if this was really necessary.
Restart Samba and Winbind (service smb start, service winbind start).
I was delighted to find my missing users appear when I typed "getent passwd
| grep -i missing_user".
You should perform the additional step of verifying ownership to avoid a
call back by the user: "chown -R Domain+user /home_path/user" where + is
your Winbind separator.
I don't know what caused the initial problem (apparently the corruption of
one of the tdb files), but it might have been a loss of network connectivity
to the DC. Hopefully, Winbind can recover from such problems on its own
either in a newer version than I'm running or in a future release.
Mount Washington Observatory
More information about the samba