[Samba] Member server - winbind unable to resolve users/groups
buhorojo.lcb at gmail.com
Sun Apr 5 06:47:59 MDT 2015
On 05/04/15 14:25, Rowland Penny wrote:
> On 05/04/15 13:10, Luca Olivetti wrote:
>> On 05/04/15 at 11:57, Rowland Penny wrote:
>>>> dn: CN=Domain Users,CN=Users,DC=ads,DC=ccenter,DC=lan
>>>> objectSid: S-1-5-21-1031481445-3291699540-3997755762-513
>>>> gidNumber: 513
>>> I think that could very well be your problem, you have these lines in
>>> the smb.conf on your member server:
>>> idmap config CCENTER : backend = ad
>>> idmap config CCENTER : schema_mode = rfc2307
>>> idmap config CCENTER : range = 1000-50000
>>> What they mean is, use the winbind 'ad' backend with rfc2307 attributes
>>> and ignore any uidNumbers & gidNumbers that fall outside the range.
>>> '513' is less than '1000' so will be ignored, and as 'Domain Users' is
>>> the user's primary group and must have a valid gidNumber, all users are
>>> Try this, give 'Domain Users' a larger gidNumber:
>>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb '(cn=Domain Users)'
>>> Change 'gidNumber: 513'
>>> To 'gidNumber: 10513'
>>> Now try 'getent passwd domainuser'
>> Wouldn't it be better to simply change the range to 500-50000?
>> If he's like me, he'll have many hundreds of gigabytes of files with those
Of course it would.
> Well yes, but I wanted to show the OP the relation between what the
> uidNumber attribute holds and the range set in smb.conf. If what I
> propose works (and I am sure it will), I would have then advised the OP
> to reset Domain Users back to 513, but I would also have pointed out
> that you now cannot have *ANY* local users or groups!
500 as a lower range is perfectly reasonable. Have you never heard of
> I would also have pointed out that the lowest uid on Debian/Ubuntu,
> that is not a system user, is 1000, so using the range '500-50000' is
> not a good idea.
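Added example, not part of the original thread or of Samba: a small check that reads the 'idmap config ... : range' line from smb.conf text and lists every uidNumber/gidNumber in an LDIF export that falls outside it, which is the mismatch discussed above. The smb.conf lines and the 'Domain Users' entry are taken from the thread; the 'staff' and 'domainuser' entries and all function names are constructed for illustration.

```python
import re

# Constructed sample input; smb.conf lines and 'Domain Users' come from the thread.
SMB_CONF = """\
[global]
    idmap config CCENTER : backend = ad
    idmap config CCENTER : schema_mode = rfc2307
    idmap config CCENTER : range = 1000-50000
"""
# The 'staff' and 'domainuser' entries below are hypothetical.
LDIF = """\
dn: CN=Domain Users,CN=Users,DC=ads,DC=ccenter,DC=lan
objectSid: S-1-5-21-1031481445-3291699540-3997755762-513
gidNumber: 513

dn: CN=staff,CN=Users,DC=ads,DC=ccenter,DC=lan
gidNumber: 10000

dn: CN=domainuser,CN=Users,DC=ads,DC=ccenter,DC=lan
uidNumber: 10001
"""
RANGE_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I | re.M)

def idmap_ranges(conf):
    """Return {domain: (low, high)} for each 'idmap config DOM : range' line."""
    return {m[1]: (int(m[2]), int(m[3])) for m in RANGE_RE.finditer(conf)}

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries of 'attr: value' lines."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, sep, value = line.partition(": ")
            if sep:
                entry.setdefault(attr, []).append(value)
        entries.append(entry)
    return entries

def check(conf, ldif, domain):
    """Return (dn, attr, value) for every ID outside the domain's idmap range."""
    low, high = idmap_ranges(conf)[domain]
    return [(e["dn"][0], attr, int(v)) for e in parse_ldif(ldif)
            for attr in ("uidNumber", "gidNumber") for v in e.get(attr, [])
            if not low <= int(v) <= high]

if __name__ == "__main__":
    for dn, attr, value in check(SMB_CONF, LDIF, "CCENTER"):
        print(f"{dn}: {attr} {value} is outside the idmap range")
```

Running it against the sample reports only the 'Domain Users' gidNumber of 513; either change proposed in the thread (gidNumber 10513, or a range of 500-50000) makes the report empty.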