[Samba] Samba 4.0.9 winbind isn't passing through uid and gid numbers from Win 2003 R2

Jason Michaelson jasondmichaelson at gmail.com
Tue Aug 20 15:31:21 MDT 2013

List, I've seen this problem in the list archives before, but the only
problems I can easily find are using Samba 4 as the DC. In my case, I'm
trying to add a Debian Wheezy member server (running the 4.0.9 packages
from enterprise samba) into an existing AD domain where the DC's are
running Windows Server 2003 R2. Every GID and UID coming back out of getent
passwd is coming out as 4294967295:

I know the uids and gids are set up properly in Windows, as the following:

net ads search '(|(uidNumber=*)(gidNumber=*))' objectCategory
sAMAccountName uidNumber gidNumber -P

shows for instance:

sAMAccountName: user
uidNumber: 10004
gidNumber: 10004

I can see in the winbind log the gid at least coming back wrong:

                          userinfos: struct wbint_userinfo
                              acct_name                : *
                                  acct_name                : 'user'
                              full_name                : *
                                  full_name                : 'User'
                              homedir                  : *
                                  homedir                  : '/home/%D/%U'
                              shell                    : *
                                  shell                    : '/bin/bash'
                              primary_gid              : 0x00000000ffffffff
                              user_sid                 :
                              group_sid                :

The global portion of my smb.conf file is below. Looking through the log
files, winbindd is built from sources3, while I know the source is showing
the uidNumber and gidNumber in sources4.

I'm a software engineer, so I've got no problems getting down into the code
and gdb, but if this is a simple misconfiguration on my part that'd be so
much better :)

   server role = member server
   winbind enum users = yes
   winbind enum groups = yes
   log level = 14
   client NTLMv2 auth = yes
   map acl inherit = yes
   follow symlinks = yes
   workgroup = DOMAIN
   server string = %h server
   dns proxy = no
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   security = ads
   realm = domain.org
   encrypt passwords = yes
   idmap cache time = 1800
   idmap config FOUR-HORSEMEN:backend = ad
   idmap config FOUR-HORSEMEN:schema_mode = rfc2307
   idmap config FOUR-HORSEMEN:default = yes
   idmap config FOUR-HORSEMEN:range = 10000-20000
   idmap config FOUR-HORSEMEN:cache time = 1800
   idmap_ldb:user_rfc2307 = yes
   template shell = /bin/bash
   template homedir = /home/%D/%U
   winbind use default domain = yes
   winbind offline logon = false
   winbind normalize names = yes
   winbind refresh tickets = yes
   winbind normalize names = yes
   winbind enum users = yes
   winbind enum groups = yes
   winbind nested groups = Yes
   winbind cache time = 180
   winbind trusted domains only = no
   winbind separator = +
   encrypt passwords = true
   passdb backend = tdbsam
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes
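An added example, not part of the original mail: a small Python checker for the things worth verifying in a config like the one above before reaching for gdb. It assumes the constructed smb.conf excerpt embedded below (values copied from the post), and checks that the `idmap config <DOMAIN>:` block is keyed by the workgroup name (the domain's NetBIOS name, which is what winbind looks up), that the backend is `ad` with `schema_mode = rfc2307`, that the AD uidNumber/gidNumber values fall inside the configured range, that duplicate options are flagged, and that 4294967295 (0xffffffff, winbind's "no mapping" sentinel) is recognised for what it is.

```python
import re

# winbind hands back (uint32_t)-1 when it has no id mapping for a SID;
# that is the 4294967295 seen in the getent output.
UNMAPPED_ID = 0xFFFFFFFF

# Constructed excerpt of the [global] section from the mail above.
SAMPLE_CONF = """[global]
   workgroup = DOMAIN
   security = ads
   idmap config FOUR-HORSEMEN:backend = ad
   idmap config FOUR-HORSEMEN:schema_mode = rfc2307
   idmap config FOUR-HORSEMEN:range = 10000-20000
   winbind enum users = yes
   winbind enum users = yes
"""

def parse_global(text):
    """Parse smb.conf 'key = value' lines into {normalized key: [values]}, keeping duplicates."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        # Samba option names are case- and whitespace-insensitive.
        key = re.sub(r"\s+", " ", key).lower()
        conf.setdefault(key, []).append(value)
    return conf

def check_idmap(conf, ad_ids):
    """Return findings about the idmap setup; ad_ids maps account name -> uidNumber from AD."""
    findings = [f"duplicate option '{k}' ({len(v)} times); the last one wins"
                for k, v in conf.items() if len(v) > 1]
    workgroup = conf.get("workgroup", [""])[-1].upper()
    # idmap config blocks are keyed by the domain's NetBIOS name, i.e. the workgroup.
    labels = {m.group(1).upper() for k in conf for m in [re.match(r"idmap config (\S+):", k)] if m}
    if workgroup not in labels:
        findings.append(f"no 'idmap config {workgroup}:*' block; found blocks for {sorted(labels)}")
        return findings
    pfx = f"idmap config {workgroup.lower()}:"
    if conf.get(pfx + "backend", [""])[-1].lower() != "ad":
        findings.append(f"{workgroup}: backend is not 'ad'")
    if conf.get(pfx + "schema_mode", [""])[-1].lower() != "rfc2307":
        findings.append(f"{workgroup}: schema_mode is not rfc2307, so uidNumber/gidNumber are ignored")
    lo, hi = (int(x) for x in conf.get(pfx + "range", ["0-0"])[-1].split("-"))
    for name, n in ad_ids.items():
        if n == UNMAPPED_ID:
            findings.append(f"{name}: id {n} is winbind's 'unmapped' sentinel")
        elif not lo <= n <= hi:
            findings.append(f"{name}: id {n} outside range {lo}-{hi}")
    return findings
```

Run `check_idmap(parse_global(SAMPLE_CONF), {"user": 10004})` to see the findings for the excerpt; `testparm -s` on the real file is the authoritative way to see which value Samba keeps for a duplicated option.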

