[Samba] Member server - winbind unable to resolve users/groups

buhorojo buhorojo.lcb at gmail.com
Sun Apr 5 06:47:59 MDT 2015


On 05/04/15 14:25, Rowland Penny wrote:
> On 05/04/15 13:10, Luca Olivetti wrote:
>> On 05/04/15 at 11:57, Rowland Penny wrote:
>>
>>>> dn: CN=Domain Users,CN=Users,DC=ads,DC=ccenter,DC=lan
>>>> objectSid: S-1-5-21-1031481445-3291699540-3997755762-513
>>>> gidNumber: 513
>>>>
>>>>
>>> I think that could very well be your problem, you have these lines in
>>> the smb.conf on your member server:
>>>
>>>          idmap config CCENTER : backend = ad
>>>          idmap config CCENTER : schema_mode = rfc2307
>>>          idmap config CCENTER : range = 1000-50000
>>>
>>> What they mean is, use the winbind 'ad' backend with rfc2307 attributes
>>> and ignore any uidNumbers & gidNumbers that fall outside the range
>>> '1000-50000'
>>>
>>> '513' is less than '1000' so will be ignored, and as 'Domain Users' is
>>> the users' primary group and must have a valid gidNumber, all users are
>>> ignored.
>>>
>>> Try this, give 'Domain Users' a larger gidNumber:
>>>
>>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb '(cn=Domain Users)'
>>>
>>> Change 'gidNumber: 513'
>>>
>>> To 'gidNumber: 10513'
>>>
>>> Now try 'getent passwd domainuser'
>> Wouldn't it be better to simply change the range to 500-50000?
>> If he's like me, he'll have many hundreds of gigabytes of files with those
>> uids/gids
>>
>> Bye
>>
Of course it would.
>
> Well yes, but I wanted to show the OP the relation between what the 
> uidNumber attribute holds and the range set in smb.conf. If what I 
> propose works (and I'm sure it will), I would have then advised the OP 
> to reset Domain Users back to 513, but I would also have pointed out 
> that you now cannot have *ANY* local users or groups!
500 as a lower range is perfectly reasonable. Have you never heard of 
/etc/login.defs?
>
> I would also have pointed out that the lowest uid on Debian/Ubuntu, 
> that is not a system user, is 1000, so using the range '500-50000' is 
> not a good idea.
>
> Rowland
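
Added example, not part of the original message and not Samba code: a Python sketch of the range check as the thread explains it, where an rfc2307 id outside the `idmap config` range is ignored and a user whose primary group is ignored is ignored too. The smb.conf lines and gidNumber 513 are the ones quoted above; the `alice` and `staff` entries and the login.defs values are constructed assumptions.

```python
import re

# Constructed samples modelled on the thread; not read from a real host.
SMB_CONF = """\
idmap config CCENTER : backend = ad
idmap config CCENTER : schema_mode = rfc2307
idmap config CCENTER : range = 1000-50000
"""
LOGIN_DEFS = "UID_MIN 1000\nUID_MAX 60000\n"  # constructed values
# (name, kind, uidNumber/gidNumber, primary group name or None)
ENTRIES = [
    ("Domain Users", "group", 513, None),       # gidNumber from the thread
    ("alice", "user", 10001, "Domain Users"),   # hypothetical user
    ("staff", "group", 10002, None),            # hypothetical group
]

def idmap_range(conf, domain):
    """Return (low, high) from 'idmap config DOMAIN : range = low-high'."""
    pat = rf"^\s*idmap config {re.escape(domain)}\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)"
    m = re.search(pat, conf, re.M | re.I)
    if not m:
        raise ValueError(f"no idmap range configured for {domain}")
    return int(m.group(1)), int(m.group(2))

def local_range(login_defs, prefix="UID"):
    """Return (MIN, MAX) for 'UID' or 'GID' from login.defs text."""
    vals = dict(re.findall(rf"^({prefix}_M(?:IN|AX))\s+(\d+)", login_defs, re.M))
    return int(vals[f"{prefix}_MIN"]), int(vals[f"{prefix}_MAX"])

def unresolvable(entries, low, high):
    """Names skipped under the thread's explanation: id out of range,
    or a user whose primary group is itself out of range."""
    ids = range(low, high + 1)
    bad_groups = {n for n, kind, num, _ in entries if kind == "group" and num not in ids}
    bad_users = {n for n, kind, num, grp in entries
                 if kind == "user" and (num not in ids or grp in bad_groups)}
    return sorted(bad_groups | bad_users)

def overlap(a, b):
    """Overlapping part of two inclusive ranges, or None if disjoint."""
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None

if __name__ == "__main__":
    rng = idmap_range(SMB_CONF, "CCENTER")
    print("idmap range:", rng)
    print("not resolved:", unresolvable(ENTRIES, *rng))
    print("shared with local UIDs:", overlap(rng, local_range(LOGIN_DEFS)))
```

Running the same check with a lower bound of 500 shows which entries come back into range, and `overlap` shows which ids the idmap range shares with the local account range from login.defs.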


