[Samba] Member server - winbind unable to resolve users/groups

Rowland Penny rowlandpenny at googlemail.com
Sun Apr 5 07:08:33 MDT 2015


On 05/04/15 13:47, buhorojo wrote:
> On 05/04/15 14:25, Rowland Penny wrote:
>> On 05/04/15 13:10, Luca Olivetti wrote:
>>> El 05/04/15 a les 11:57, Rowland Penny ha escrit:
>>>
>>>>> dn: CN=Domain Users,CN=Users,DC=ads,DC=ccenter,DC=lan
>>>>> objectSid: S-1-5-21-1031481445-3291699540-3997755762-513
>>>>> gidNumber: 513
>>>>>
>>>>>
>>>> I think that could very well be your problem, you have these lines in
>>>> the smb.conf on your member server:
>>>>
>>>>          idmap config CCENTER : backend = ad
>>>>          idmap config CCENTER : schema_mode = rfc2307
>>>>          idmap config CCENTER : range = 1000-50000
>>>>
>>>> What they mean is, use the winbind 'ad' backend with rfc2307 
>>>> attributes
>>>> and ignore any uidNumbers & gidNumbers that fall outside the range
>>>> '1000-50000'
>>>>
>>>> '513' is less than '1000' so will be ignored, and as 'Domain Users' is
>>>> the user's primary group and must have a valid gidNumber, all users are
>>>> ignored.
>>>>
>>>> Try this, give 'Domain Users' a larger gidNumber:
>>>>
>>>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb '(cn=Domain Users)'
>>>>
>>>> Change 'gidNumber: 513'
>>>>
>>>> To 'gidNumber: 10513'
>>>>
>>>> Now try 'getent passwd domainuser'
>>> Wouldn't it be better to simply change the range to 500-50000?
>>> If he's like me, he'll have many hundreds of gigabytes of files with those
>>> uids/gids
>>>
>>> Bye
>>>
> Of course it would.

Whilst what you are proposing is a possibility, I would never recommend 
using an ID number so low.

>>
>> Well yes, but I wanted to show the OP the relation between what the 
>> uidNumber attribute holds and the range set in smb.conf. If what I 
>> propose works (and I'm sure it will), I would have then advised the OP 
>> to reset Domain Users back to 513, but I would also have pointed out 
>> that you now cannot have *ANY* local users or groups!
> 500 as a lower range is perfectly reasonable. Have you never heard of 
> /etc/login.defs?

Yes I have, so what do you propose changing in it? Bearing in mind that 
whatever is changed in it will have to be changed on every Unix machine 
in the domain, which sort of defeats the idea of central authentication.

Rowland

>>
>> I would also have pointed out that the lowest uid on Debian/Ubuntu, 
>> that is not a system user, is 1000, so using the range '500-50000' is 
>> not a good idea.
>>
>> Rowland
>
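As an added example (not code from the thread or from Samba), a small Python check that mirrors the range rule described above: it parses the `idmap config` lines of a constructed smb.conf fragment modelled on the member server config quoted in the thread and reports whether a user's uidNumber and primary-group gidNumber fall inside the domain's range; the local-collision check assumes UID_MIN = 1000 as on Debian/Ubuntu.

```python
import re

# Constructed smb.conf fragment, modelled on the member server config quoted in the thread.
SMB_CONF = """
[global]
   workgroup = CCENTER
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config CCENTER : backend = ad
   idmap config CCENTER : schema_mode = rfc2307
   idmap config CCENTER : range = 1000-50000
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.IGNORECASE)


def parse_idmap_config(text):
    """Return {DOMAIN: {option: value}} for every 'idmap config' line in smb.conf text."""
    cfg = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            cfg.setdefault(dom.upper(), {})[opt.lower()] = val
    return cfg


def id_range(cfg, domain):
    """Parse 'idmap config DOMAIN : range = lo-hi' into (lo, hi) as ints."""
    lo, hi = cfg[domain.upper()]["range"].split("-")
    return int(lo), int(hi)


def check_user(cfg, domain, uid_number, primary_gid_number):
    """Mirror the 'ad' backend rule from the thread: the user's uidNumber AND the
    gidNumber of the primary group (Domain Users) must both fall inside the range,
    otherwise winbind ignores the user. Returns a list of problems (empty = resolvable)."""
    lo, hi = id_range(cfg, domain)
    problems = []
    if uid_number is None or not lo <= uid_number <= hi:
        problems.append(f"uidNumber {uid_number} outside {lo}-{hi}")
    if primary_gid_number is None or not lo <= primary_gid_number <= hi:
        problems.append(f"primary group gidNumber {primary_gid_number} outside {lo}-{hi}")
    return problems


def overlaps_local_users(range_lo, uid_min=1000):
    """True if the domain range starts below the local UID_MIN from /etc/login.defs
    (assumed 1000, the Debian/Ubuntu default), i.e. domain IDs could collide with local accounts."""
    return range_lo < uid_min
```

Run `check_user(parse_idmap_config(SMB_CONF), "CCENTER", 10000, 513)` to reproduce the thread's failure case; the same call with gidNumber 10513 returns an empty list.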
