[Samba] winbind bug?

Thu Mar 27 15:28:35 MDT 2014

>>
> Do you have access to the Windows server ? if you do, give all your 
> users and groups the required RFC2307 attributes. You can do this 
> using ADUC provided that it is showing the UNIX Attributes tab for 
> users & groups. You can then pull these attributes with winbind, nlscd 
> or sssd on the linux machine, your problem will then go away.

I'm a unix admin through and through, I know very little of AD.  I have 
access to change passwords...which I do from the command line, haha.  I 
asked our windows admin and he said there is some other thing with 
windows 2003 server you have to install to get that tab??
>
> If you don't have access to the windows server, get your windows admin 
> to do it for you. \
He's balking.  He says I need to fix my unix id over 11000 issue. Which 
I could probably do.  I probably have enough open now from deleting old 
accounts that I could script a mass uid change to something smaller to 
make this problem go away.  I was just hoping someone might have an idea 
why unix id > 11000 was an issue and a way around it.
>
> This way of doing things is the standard windows way of doing things 
> and has been for years, your way (as far as I can see) has never been 
> standard, unless you can point me at just where it is published.
I've had these running like this for 10 years or so.  Again, I just used 
the samba wiki and a centos doc I found.  I wrote my own "how-to" that I 
have and used as the starting point for most of this server as well.  I 
can't say I've ever seen any how-to that claimed there was a "standard", 
just steps to follow which I did.  It wasn't until just now with this 
3.6.9 version that I ever ran into any issue and it still is a very 
isolated issue.
>
> The only other thing to say is, you should never try something new on 
> a server running in production, you should do it on a test network, 
> even if it means using VM's.
>
> Rowland
I agree.  I had this in testing for 2 months before promoting to 
production over the weekend.  My test userbase was up to 100 users 
without a single issue.  Of course, not one of those had a unix id over 
11000 :(.  So far only 5 users have been affected, the other couple of 
hundred are working away unaware that there is anything going on.  I 
will probably change dns back on Friday and let the users roll back to 
the 3.033 machine so I have more freedom to make more drastic 
changes...not that I know what that is at this point. Thanks for your 
time Rowland, and I apologize you got frustrated.