[Samba] winbind bug?

Jonathan Buzzard jonathan at buzzard.me.uk
Thu Mar 27 16:31:09 MDT 2014

On 27/03/14 21:54, Doug Tucker wrote:
> On 03/27/2014 04:01 PM, Jonathan Buzzard wrote:
>> On 27/03/14 18:50, Doug Tucker wrote:
>> [SNIP]
>>> Rowland, that ignores the fact that all of my users other than this
>>> select group (5% maybe) on a certain client are working and working just
>>> fine.  Those same failing users work on windows XP and linux cifs.  And
>>> to shares even on win7 where the access is controlled via unix gid.
>> No it does not. You need to accept that either through corrupt DB's or
>> some other issue your setup is *BROKEN*. That it is working under XP
>> and Linux is simply a random fluke. There are plenty of things that
>> you can do with a XP SMB client against a Samba server that don't work
>> with a Windows 7 client. So bitching that it works in some cases is
>> meaningless.
>> JAB.
> I won't bore a help list with replying to this type of ridiculous
> rhetoric and you look like an idiot for doing so.


> I will be happy to go
> straight to the source though since you can't read apparently.. windows
> 7 works fine for 95% of the users here.  It's not just XP and Linux.
> Still a random fluke?  To ignore the fact that it is isolated to only
> unix uid's > 11000 well...ignores that fact.  And, I can change all of
> those users to new id's under 11000 and then my setup works for *all*
> users on my network.

I understand what you are say, the point is that you are dead wrong.

That your setup works for user ID's under 11000 is either a fluke or 
down to corrupted Samba databases. I am sorry that you don't want to 
hear that, but it is the heart of the matter. Several experienced Samba 
admins have now told you that and you refuse to listen.

There is a range of things in Samba that work on XP and break Windows 7. 
Generally they officially never been supported but just happened to 
work, and a combination of more robust SMB client in Windows 7 and/or 
more accurate SMB adherence in later Samba breaks it. Get over it.

> Dev/production.  This was the dev box.  It was in testing for 2 months
> or so without a single issue.  I just never hit the >11000 mark in
> testing unfortunately.  After testing it was promoted to production.  I
> will change dns back to the old 3.033 samba server this weekend so I can
> take this one back out.  Then I can take down, wipe the *corrupt* DB's
> and we will still be right back where we started.  A config I assume you
> consider ok now, and unix users with id's >11000 not working.

Oh dear, oh dear. A dev box *NEVER* *EVER* gets promoted to production. 
What you had was a production box that was in setup phase. You need a 
real dev box, that is one that you can fiddle with endlessly without 
effecting users to diagnose and fix problems. You then take the working 
configuration and apply it to the production box.

> So do you actually have anything useful to suggest or you just trolling
> for a reason to vent?
> Seriously big shot who I don't work for and never would, if you have
> some idea how/why that is an issue I'm all ears.  Seriously.

There are several issues. Firstly as Rowland has identified you are 
working with a whacked out Samba configuration. It works in various 
configurations most likely out of shear luck. You need to get to 
something that in 2014 is considered sane and supported. This means you 
need to get those RFC2307 attributes into AD and use them directly.

Second it is highly likely that all the messing about has left bad data 
in Samba's databases. I can attest personally to this, four years ago 
when I was working through this stuff when the documentation was did not 
mention the need for ID ranges that do not overlap I went through a 
working config that appeared not to work for this very reason and then 
wasted several weeks. How do I know, well on my dev platform I was using 
RCS to save every configuration I tested. Only when I decided to scrub 
the Samba databases could I get it to work, and low an behold one of the 
old configurations worked as well.

Thirdly you urgently need a real development platform to test this stuff 


Jonathan A. Buzzard                 Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.

More information about the samba mailing list