[Samba] winbind bug?

Rowland Penny rowlandpenny at googlemail.com
Thu Mar 27 15:45:26 MDT 2014

On 27/03/14 21:28, Doug Tucker wrote:
>> Do you have access to the Windows server? If you do, give all your 
>> users and groups the required RFC2307 attributes. You can do this 
>> using ADUC provided that it is showing the UNIX Attributes tab for 
>> users & groups. You can then pull these attributes with winbind, 
>> nslcd or sssd on the linux machine, your problem will then go away.
> I'm a unix admin through and through, I know very little of AD.  I 
> have access to change passwords...which I do from the command line, 
> haha.  I asked our windows admin and he said there is some other thing 
> with windows 2003 server you have to install to get that tab??

Good, he knows about it then. As for being a Unix admin, I would suggest 
that you start learning about AD, now that Samba 4 can act as an ADDC, 
that is going to be the way forward.

>> If you don't have access to the windows server, get your windows 
>> admin to do it for you.
> He's balking.  He says I need to fix my unix id over 11000 issue. 
> Which I could probably do.  I probably have enough open now from 
> deleting old accounts that I could script a mass uid change to 
> something smaller to make this problem go away.  I was just hoping 
> someone might have an idea why unix id > 11000 was an issue and a way 
> around it.

Make him do it, if not go over his head, just tell your bosses that 
samba has changed that much over the years that the only way to work 
correctly is to add the RFC2307 attributes to AD. This is the standard 
way of doing things.
If all else fails, set up a Samba 4 AD DC server and join it to the 
domain and then use samba-tool to add the RFC attributes.

>> This way of doing things is the standard windows way of doing things 
>> and has been for years, your way (as far as I can see) has never been 
>> standard, unless you can point me at just where it is published.
> I've had these running like this for 10 years or so.  Again, I just 
> used the samba wiki and a centos doc I found.  I wrote my own "how-to" 
> that I have and used as the starting point for most of this server as 
> well.  I can't say I've ever seen any how-to that claimed there was a 
> "standard", just steps to follow which I did. It wasn't until just now 
> with this 3.6.9 version that I ever ran into any issue and it still is 
> a very isolated issue.

Exactly, 10 years ago, your way may have been the only way, but it was 
really wrong even then, it is definitely wrong now.

>> The only other thing to say is, you should never try something new on 
>> a server running in production, you should do it on a test network, 
>> even if it means using VMs.
>> Rowland
> I agree.  I had this in testing for 2 months before promoting to 
> production over the weekend.  My test userbase was up to 100 users 
> without a single issue.  Of course, not one of those had a unix id 
> over 11000 :(.  So far only 5 users have been affected, the other 
> couple of hundred are working away unaware that there is anything 
> going on.  I will probably change dns back on Friday and let the users 
> roll back to the 3.033 machine so I have more freedom to make more 
> drastic changes...not that I know what that is at this point. Thanks 
> for your time Rowland, and I apologize you got frustrated.
I am not frustrated, I identified the problem but you did not want to 
hear the answer.

You know what you need to do, now go and do it.
