[Samba] Member server - winbind unable to resolve users/groups

Andrey Repin anrdaemon at yandex.ru
Sat Apr 4 17:59:06 MDT 2015

Greetings, Rowland Penny!

>>> OK, what does running this command on the DC show:
>>> ldbsearch -H /var/lib/samba/private/sam.ldb '(objectSID=S-1-5-21-1031481445-3291699540-3997755762-61000)' | grep 'uidNumber'
>>> This relies on ldb-tools being installed and sam.ldb being in
>>> '/var/lib/samba/private' if yours is somewhere else, change the path.
>> I have the urge to say "nothing" before even checking first, as I have no
>> RIDs that high. But it appears the RIDs were all changed after migration.
>> ldbsearch -H /var/lib/samba/private/sam.ldb '(objectSID=S-1-5-21-1031481445-3291699540-3997755762-61000)' uidNumber
>> # record 1
>> dn: CN=domainuser,CN=Users,DC=ads,DC=ccenter,DC=lan
>> uidNumber: 30000
>> Before migration, all users had RID=uidNumber, except one.
>> Why have they been changed?

> I have no idea why they have changed, but it is there and it is inside 
> the range set in your member server smb.conf, so getent should fetch the 
> users info.

> Have you got the winbind links in the correct place? See the member 
> server wiki page.
> Do you have 'winbind' in the 'passwd' & 'group' lines in /etc/nsswitch.conf?

Since Winbind is actually trying to resolve the names from getent, the
requests are passed correctly to it.
I did not make any links, because I'm not compiling anything myself.
I'm using the distributed version of Samba.

> Can you check that Domain Users has a 'gidNumber'

# ldbsearch -s sub -H /var/lib/samba/private/sam.ldb '(cn=Domain Users)' objectSID gidNumber
# record 1
dn: CN=Domain Users,CN=Users,DC=ads,DC=ccenter,DC=lan
objectSid: S-1-5-21-1031481445-3291699540-3997755762-513
gidNumber: 513

With best regards,
Andrey Repin
Sunday, April 5, 2015 02:50:14

Sorry for my terrible english...
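
The checks this thread walks through (winbind in the passwd and group lines of nsswitch.conf, and the uidNumber/gidNumber from sam.ldb compared against the member server's idmap range), as an added shell example that is not part of the original message. The smb.conf and nsswitch.conf text, the ADS domain name, the ad backend and both ranges are constructed assumptions; the two ldbsearch records are the ones posted above.

```shell
# Constructed samples: the thread shows neither file; "ADS" and both ranges are assumptions.
SMB_CONF='idmap config * : range = 3000-7999
idmap config ADS : backend = ad
idmap config ADS : range = 10000-999999'
NSSWITCH='passwd: compat winbind
group:  compat winbind'
# The two ldbsearch records as posted in the thread.
USER_REC='dn: CN=domainuser,CN=Users,DC=ads,DC=ccenter,DC=lan
uidNumber: 30000'
GROUP_REC='dn: CN=Domain Users,CN=Users,DC=ads,DC=ccenter,DC=lan
objectSid: S-1-5-21-1031481445-3291699540-3997755762-513
gidNumber: 513'
# Print the value of attribute $2 (case-insensitive) from ldbsearch text $1.
ldb_attr() {
    printf '%s\n' "$1" | awk -F': ' -v a="$2" 'tolower($1) == tolower(a) { print $2; exit }'
}

# Print "low high" from the "idmap config $2 : range" line of smb.conf text $1.
idmap_range() {
    printf '%s\n' "$1" | awk -v d="$2" '
        { line = $0; gsub(/[ \t]+/, "", line) }
        index(tolower(line), tolower("idmapconfig" d ":range=")) == 1 {
            sub(/^[^=]*=/, "", line); split(line, r, "-"); print r[1], r[2]; exit }'
}

# Succeed if numeric ID $1 lies inside the range "low high" passed as $2.
in_range() {
    set -- "$1" $2    # $2 is split on purpose into low and high
    [ -n "$1" ] && [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# Succeed if database $2 (passwd or group) in nsswitch.conf text $1 lists winbind.
nss_has_winbind() {
    printf '%s\n' "$1" | grep -Eq "^$2:.*[[:space:]]winbind([[:space:]]|\$)"
}

report() {
    range=$(idmap_range "$SMB_CONF" ADS)
    for db in passwd group; do
        if nss_has_winbind "$NSSWITCH" "$db"; then echo "nsswitch $db: winbind listed"
        else echo "nsswitch $db: winbind missing"; fi
    done
    for pair in "uidNumber=$(ldb_attr "$USER_REC" uidNumber)" \
                "gidNumber=$(ldb_attr "$GROUP_REC" gidNumber)"; do
        if in_range "${pair#*=}" "$range"; then echo "$pair inside $range"
        else echo "$pair outside $range"; fi
    done
}
report
```

Whether gidNumber 513 falls inside the range on the real member server depends on the range configured there, which the thread does not show.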
