[Samba] Member server - winbind unable to resolve users/groups

Rowland Penny rowlandpenny at googlemail.com
Sun Apr 5 03:57:22 MDT 2015

On 05/04/15 00:59, Andrey Repin wrote:
> Greetings, Rowland Penny!
>>>> OK, what does running this command on the DC show:
>>>> ldbsearch -H /var/lib/samba/private/sam.ldb
>>>> '(objectSID=S-1-5-21-1031481445-3291699540-3997755762-61000)' | grep
>>>> 'uidNumber'
>>>> This relies on ldb-tools being installed and sam.ldb being in
>>>> '/var/lib/samba/private' if yours is somewhere else, change the path.
>>> I have the urge to say "nothing" before even checking first, as I have no
>>> RID's that high. But it appears the RID's were all changed after migration.
>>> ldbsearch -H /var/lib/samba/private/sam.ldb '(objectSID=S-1-5-21-1031481445-3291699540-3997755762-61000)' uidNumber
>>> # record 1
>>> dn: CN=domainuser,CN=Users,DC=ads,DC=ccenter,DC=lan
>>> uidNumber: 30000
>>> Before migration, all users had RID=uidNumber, except one.
>>> Why they have been changed?
>> I have no idea why they have changed, but it is there and it is inside
>> the range set in your member server smb.conf, so getent should fetch the
>> users info.
>> Have you got the winbind links in the correct place, see the member
>> server wiki page
>> do you have 'winbind' in the 'passwd' & 'group' lines in /etc/nsswitch.conf
> Since Winbind is actually trying to resolve the names from getent, the
> requests are passed correctly to it.
> I did not made any links, because I'm not compiling anything myself.
> I'm using distributed version of Samba.
>> Can you check that Domain Users has a 'gidNumber'
> # ldbsearch -s sub -H /var/lib/samba/private/sam.ldb '(cn=Domain Users)' objectSID gidNumber
> # record 1
> dn: CN=Domain Users,CN=Users,DC=ads,DC=ccenter,DC=lan
> objectSid: S-1-5-21-1031481445-3291699540-3997755762-513
> gidNumber: 513

I think that could very well be your problem, you have these lines in 
the smb.conf on your member server:

         idmap config CCENTER : backend = ad
         idmap config CCENTER : schema_mode = rfc2307
         idmap config CCENTER : range = 1000-50000

What they mean is, use the winbind 'ad' backend with rfc2307 attributes 
and ignore any uidNumbers & gidNumbers that fall outside the range 

'513' is less than '1000' so will be ignored, and as 'Domain Users' is 
the users primary group and must have a valid gidNumber, all users are 

Try this, give 'Domain Users' a larger gidNumber:

ldbedit -e nano -H /var/lib/samba/private/sam.ldb '(cn=Domain Users)'

Change 'gidNumber: 513'

To 'gidNumber: 10513'

Now try 'getent passwd domainuser'


More information about the samba mailing list