[Samba] winbind: how to fix uid/SID mapping following migration to a new DC

Jonathan Buzzard jonathan at buzzard.me.uk
Thu Dec 8 09:46:44 MST 2011

Jean-Yves Avenard wrote:
> Hi
> On 7 December 2011 22:06, Jean-Yves Avenard <jyavenard at gmail.com> wrote:
>> Is there a way to make so the uid/SID are matched in such a way that a
>> username keeps the same uid as before.
>> For example, editing on the domain controller the ldap entries that
>> contain the uid/SID map or something like that (just thinking out loud
>> here)
> Amending this troubleshooting.
> Unix extension has been added to the active directory, and the
> uidNumber for each user have been added in order to match the previous
> uid as discovered by winbind.
> smb.conf was amended as follow:
>         winbind use default domain = Yes
>         winbind enum users = No
>         winbind enum groups = No
>         winbind nested groups = Yes
>         winbind refresh tickets = Yes
>         winbind offline logon = Yes
>         winbind nss info = rfc2307
>         allow trusted domains = No
>         idmap uid = 1000-1999999
>         idmap gid = 1000-1999999
>         idmap backend = ad
>         idmap config ALLORATECH : backend = ad
>         idmap config ALLORATECH : range = 1000-999999
>         idmap config ALLORATECH : schema_mode = rfc2307
> Looking at the winbind_ad module, it seems to me that should the nss
> info and schema mode be set to rfc2307 ; it should use the uidNumber
> entry for determining the uid of the user.
> However, winbind still assign the RID + 10000 for the user's uid...
> Is there a way to tell winbind precisely which uid to use ? what am I missing?

Your two ranges are overlapping and it just doesn't work if you do that. I 
have no idea why and it is not well documented why it does not work. 
Also you have to have the plain "idmap backend" config line set up as a tdb 
backend. Something like this is what you need.

    idmap backend = tdb
    idmap uid = 2000000-2999999
    idmap gid = 2000000-2999999
    idmap config ALLORATECH : backend = ad
    idmap config ALLORATECH : schema_mode = rfc2307
    idmap config ALLORATECH : readonly = yes
    idmap config ALLORATECH : range = 1000-1999999

Seems to come up fairly regularly this one and I can tell you it took me 
ages to work out a working configuration. This has been really stable 
for me however other than some random winbind deaths which I papered 
over with monit. Though a more recent 3.5.x version of Samba might fix 
that as there seems to have been a lot of bug fixes for it.

Note this is for 3.5.x and it has all been changed again in 3.6.x so god 
only knows how you configure it for that.


Jonathan A. Buzzard                 Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
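A small checker for the two faults the reply identifies (overlapping ID ranges and a default "idmap backend" that is not tdb), added here as an example and not code from the thread or from Samba. It parses only the idmap lines of an smb.conf, and the two sample configurations are copied from the messages above.

```python
import re

# Sample inputs taken from the thread: the questioner's overlapping layout and the reply's fix.
BROKEN_CONF = """idmap uid = 1000-1999999
idmap gid = 1000-1999999
idmap backend = ad
idmap config ALLORATECH : range = 1000-999999"""
FIXED_CONF = """idmap backend = tdb
idmap uid = 2000000-2999999
idmap gid = 2000000-2999999
idmap config ALLORATECH : range = 1000-1999999"""

def parse_idmap(conf):
    # Returns (default backend, {domain: [range strings]}); "*" holds the
    # "idmap uid"/"idmap gid" ranges, deduplicated so uid == gid counts once.
    backend, ranges = "tdb", {"*": []}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        m = re.match(r"^idmap config (\S+)\s*:\s*range$", key)
        if m:
            ranges.setdefault(m.group(1).upper(), []).append(value)
        elif key == "idmap backend":
            backend = value.lower()
        elif key in ("idmap uid", "idmap gid") and value not in ranges["*"]:
            ranges["*"].append(value)
    return backend, ranges

def span(text):
    # "LOW-HIGH" -> (low, high); malformed or inverted ranges are rejected.
    m = re.match(r"^(\d+)\s*-\s*(\d+)$", text)
    if not m or int(m.group(1)) > int(m.group(2)):
        raise ValueError("bad idmap range: %r" % text)
    return int(m.group(1)), int(m.group(2))

def check_idmap(conf):
    # Report the two faults from the reply: non-tdb default backend, overlapping ranges.
    backend, ranges = parse_idmap(conf)
    problems = [] if backend == "tdb" else ["default 'idmap backend' is %s, expected tdb" % backend]
    spans = [(d, span(r)) for d, rs in ranges.items() for r in rs]
    for i, (d1, (lo1, hi1)) in enumerate(spans):
        for d2, (lo2, hi2) in spans[i + 1:]:
            if d1 != d2 and lo1 <= hi2 and lo2 <= hi1:
                problems.append("%s %d-%d overlaps %s %d-%d" % (d1, lo1, hi1, d2, lo2, hi2))
    return problems
```

Running `check_idmap(BROKEN_CONF)` reports both faults, while `check_idmap(FIXED_CONF)` returns an empty list.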
