[Samba] Member server - winbind unable to resolve users/groups

Rowland Penny rowlandpenny at googlemail.com
Sun Apr 5 06:25:37 MDT 2015

On 05/04/15 13:10, Luca Olivetti wrote:
> El 05/04/15 a les 11:57, Rowland Penny ha escrit:
>>> dn: CN=Domain Users,CN=Users,DC=ads,DC=ccenter,DC=lan
>>> objectSid: S-1-5-21-1031481445-3291699540-3997755762-513
>>> gidNumber: 513
>> I think that could very well be your problem, you have these lines in
>> the smb.conf on your member server:
>>          idmap config CCENTER : backend = ad
>>          idmap config CCENTER : schema_mode = rfc2307
>>          idmap config CCENTER : range = 1000-50000
>> What they mean is, use the winbind 'ad' backend with rfc2307 attributes
>> and ignore any uidNumbers & gidNumbers that fall outside the range
>> '1000-50000'
>> '513' is less than '1000' so will be ignored, and as 'Domain Users' is
>> the users primary group and must have a valid gidNumber, all users are
>> ignored.
>> Try this, give 'Domain Users' a larger gidNumber:
>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb '(cn=Domain Users)'
>> Change 'gidNumber: 513'
>> To 'gidNumber: 10513'
>> Now try 'getent passwd domainuser'
> Wouldn't it be better to simply change the range to 500-50000?
> If he's like me, he'll have many hundreds gigabites of files with those
> uids/gids
> Bye

Well yes, but I wanted to show the OP the relation between what the 
uidNumber attribute holds and the range set in smb.conf. If what I 
propose works (and I sure it will), I would have then advised the OP to 
reset Domain Users back to 513, but I would also have pointed out that 
you now cannot have *ANY* local users or groups!

I would also have pointed out that the lowest uid on Debian/Ubuntu, that 
is not a system user, is 1000, so using the range '500-50000' is not a 
good idea.


More information about the samba mailing list