[Samba] Strange GID and UID with winbindd + Samba AD DC

Rowland Penny rowlandpenny at googlemail.com
Fri Mar 14 04:45:26 MDT 2014

On 14/03/14 10:23, Harry Jede wrote:
> On 10:43:12 wrote Chan Min Wai:
>> Dear Rowland and Steve,
>> Thank you for the help.
>> So confirm that there is nothing wrong with my configuration.
> no
>> But a bug in winbind. :)
> No, I do not think so.
OH, yes there is, I use sssd instead of winbind and do not have this 
problem i.e. 'getent group' lists all domain groups as well as the local 
ones. When I did try to get winbind to work, I got the same result as 
the OP, 'getent passwd' displayed all users, whilst 'getent group' only 
displayed local groups, I had to use 'getent group <a domain group>' to 
get the group to show.

>> Yea :)
>> Thanks again.
> Group mapping is one of the complex things in samba.
> Your configuration may or may not work. It depends on your needs.
> i.e. you try to configure a member server. Fine.
> your setup:
> sqlservermssqlserveradhelperuser$win2k8srv01:x:4294967295:
> allowed rodc password replication group:x:4294967295:
> enterprise read-only domain controllers:x:4294967295:
> sqlserver2005sqlbrowseruser$win2k8srv01:x:4294967295:
> denied rodc password replication group:x:4294967295:krbtgt
> read-only domain controllers:x:4294967295:
> group policy creator owners:x:4294967295:administrator
> and so on...
> All these groups have the same gidnumber. So for a POSIX filesystem all
> are the same, but with different names and different members. The winner
> is ??
> One may ask an oracle?
> You have asked:
> There are some strange value UID/GID
> 4294967295 <-- what number is this?
> Short answer:
> (4294967295+1)/1024/1024/1024=4
> 4 billion is the highest integer your OS supports.
> This number (minus 1) comes from the idmapping stuff.
> All your BUILTIN groups have the same gidnumber. So fix your config as
> Rowland posted before.

He has, that is when he found out that 'getent group' doesn't work. Also 
this must surely be another bug, if a range is not given for the builtin 
users & groups, winbind shouldn't just return 4294967295 for everything.


> Think about "each group must have a unique gidnumber, on all servers in
> your domain and if you use multiple domains all BUILTIN groups may have
> a unique gidnumber which should be the same for all domains"
