[Samba] Member server - winbind unable to resolve users/groups

Andrey Repin anrdaemon at yandex.ru
Sun Apr 5 13:07:13 MDT 2015

Greetings, Rowland Penny!

>>>>>> dn: CN=Domain Users,CN=Users,DC=ads,DC=ccenter,DC=lan
>>>>>> objectSid: S-1-5-21-1031481445-3291699540-3997755762-513
>>>>>> gidNumber: 513
>>>>> I think that could very well be your problem, you have these lines in
>>>>> the smb.conf on your member server:
>>>>>          idmap config CCENTER : backend = ad
>>>>>          idmap config CCENTER : schema_mode = rfc2307
>>>>>          idmap config CCENTER : range = 1000-50000
>>>>> What they mean is, use the winbind 'ad' backend with rfc2307 
>>>>> attributes
>>>>> and ignore any uidNumbers & gidNumbers that fall outside the range
>>>>> '1000-50000'
>>>>> '513' is less than '1000' so will be ignored, and as 'Domain Users' is
>>>>> the users primary group and must have a valid gidNumber, all users are
>>>>> ignored.
>>>>> Try this, give 'Domain Users' a larger gidNumber:
>>>>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb '(cn=Domain Users)'
>>>>> Change 'gidNumber: 513'
>>>>> To 'gidNumber: 10513'
>>>>> Now try 'getent passwd domainuser'

I have enough Linux members to see the apparent issues of such a change.
I'd need to get to every one of them and change file permissions to the new

>>>> Wouldn't it be better to simply change the range to 500-50000?
>>>> If he's like me, he'll have many hundreds of gigabytes of files with those
>>>> uids/gids
>>>> Bye
>> Of course it would.

> Whilst what you are proposing is a possibility, I would never recommend 
> using an ID number so low.

It isn't "so" low, and there would not be new mapped groups of ids in that
range, since the main winbind configuration is on a dedicated system, and it is set
higher than that. So, I see no apparent issue allowing it to work straight.
If I ever need a new installation, then of course I'd heed your warning.

>>> Well yes, but I wanted to show the OP the relation between what the
>>> uidNumber attribute holds and the range set in smb.conf. If what I 
>>> propose works (and I'm sure it will), I would have then advised the OP 
>>> to reset Domain Users back to 513, but I would also have pointed out 
>>> that you now cannot have *ANY* local users or groups!
>> 500 as a lower range is perfectly reasonable. Have you never heard of 
>> /etc/login.defs?

> Yes I have, so what do you propose changing in it? Bearing in mind that 
> whatever is changed in it will have to be changed on every Unix machine 
> in the domain, which sort of defeats the idea of central authentication.

I'll have to get to every machine in the domain to upgrade Samba and tune its
While it is a taxing task in itself, it is faster and easier than to turn the
system upside down by changing every file permission I'm not satisfied with.

>>> I would also have pointed out that the lowest uid on Debian/Ubuntu,
>>> that is not a system user, is 1000, so using the range '500-50000' is 
>>> not a good idea.

That is only a suggestion. To date, I've never seen a system with more than 150
system users in production, however small my sample of *NIX systems has been.
So, I find the suggestion to lower the idmap range reasonable.

In retrospect, the problem wasn't worth a cracked egg. As always. x.x

root at dc1~# ldbsearch -s sub -H /var/lib/samba/private/sam.ldb '(|(gidnumber)(uidnumber))' gidnumber uidnumber | grep -i "^.idnumber" | cut -d" " -f 2 | sort -un
root at member~# getent group | cut -d: -f 3 | sort -un

Exclude uid's 0 and 65534. Compare the lists. If results are satisfactory, set
the idmap range to include lowest xid from the SAM database.

Also, login.defs explained why I've got such high RIDs in my database.
Turned out, I'd created the setup in Hardy, where it was largely ignored, but
I added many users in 10.04, where the setup was already different.
UID_MAX/GID_MAX is 60000 in login.defs, and smbldap-tools selected RIDs above
the local range to represent domain members.

Thanks for not losing hope on me. I've got the basic setup working now.
The promised writeup will be up soon enough. May be in a week.
I have some stuff to attend to in the meantime, that I was pushing away last 2
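The range check described in this thread (compare the uidNumber/gidNumber values held in the SAM against the local ids on the member, exclude 0 and 65534, and see which xids the configured "idmap config ... : range" would silently drop), as an added example that is not part of the original post or of Samba itself. The ldbsearch output, the getent output and the smb.conf fragment below are constructed sample data; the domain name EXAMPLE and all id values are assumptions.

```python
"""Check an 'idmap config DOMAIN : range' against the uidNumber/gidNumber
values actually stored in the SAM and against local Unix ids on a member.

Added example, not code from the mailing-list post or from Samba. All input
below is constructed to resemble ldbsearch / getent / smb.conf output.
"""
import re

# Constructed ldbsearch-style output (hypothetical domain, not real data).
SAM_OUTPUT = """\
# record 1
dn: CN=Domain Users,CN=Users,DC=example,DC=lan
gidNumber: 513

# record 2
dn: CN=alice,CN=Users,DC=example,DC=lan
uidNumber: 10001
gidNumber: 513

# record 3
dn: CN=build,CN=Users,DC=example,DC=lan
gidNumber: 10513

# record 4
dn: CN=svc-backup,CN=Users,DC=example,DC=lan
uidNumber: 60500
gidNumber: 513
"""

# Constructed `getent group` output from a member server.
LOCAL_GROUPS = """\
root:x:0:
adm:x:4:alice
users:x:100:
localapp:x:1001:
nogroup:x:65534:
"""

# Constructed smb.conf fragment carrying the idmap range under discussion.
SMB_CONF = """\
[global]
   security = ads
   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE : schema_mode = rfc2307
   idmap config EXAMPLE : range = 1000-50000
"""

# Same spirit as the post's `grep -i "^.idnumber"`: any uidNumber/gidNumber line.
ID_ATTR = re.compile(r"^(?:uid|gid)Number:\s*(\d+)\s*$", re.IGNORECASE | re.MULTILINE)
RANGE_LINE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)",
    re.IGNORECASE | re.MULTILINE,
)
SKIP_LOCAL = {0, 65534}  # root and nobody/nogroup, excluded as the post says


def sam_xids(ldif_text):
    """Sorted unique uidNumber/gidNumber values found in ldbsearch output."""
    return sorted({int(m.group(1)) for m in ID_ATTR.finditer(ldif_text)})


def local_gids(getent_text):
    """Sorted unique gids from `getent group` output, minus 0 and 65534."""
    ids = set()
    for line in getent_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            ids.add(int(fields[2]))
    return sorted(ids - SKIP_LOCAL)


def idmap_ranges(smb_conf):
    """{DOMAIN: (low, high)} for every 'idmap config X : range' line."""
    return {m.group(1).upper(): (int(m.group(2)), int(m.group(3)))
            for m in RANGE_LINE.finditer(smb_conf)}


def ignored_by_winbind(xids, low, high):
    """xids outside [low, high]: the ad backend will not map these, and a
    user whose primary group falls here disappears from getent entirely."""
    return [x for x in xids if x < low or x > high]


def collisions(sam, local):
    """ids that exist both in the SAM and as local groups on the member."""
    return sorted(set(sam) & set(local))


def covering_range(xids, high):
    """Range starting at the lowest SAM xid, keeping the configured top
    unless some SAM xid lies above it."""
    return (min(xids), max(high, max(xids)))


def report(sam_text=SAM_OUTPUT, local_text=LOCAL_GROUPS, conf=SMB_CONF):
    sam, local = sam_xids(sam_text), local_gids(local_text)
    out = {}
    for domain, (low, high) in idmap_ranges(conf).items():
        out[domain] = {
            "configured": (low, high),
            "ignored": ignored_by_winbind(sam, low, high),
            "collisions": collisions(sam, local),
            "proposed": covering_range(sam, high),
        }
    return out


if __name__ == "__main__":
    for domain, r in report().items():
        print(domain, r)
```

Run against real data by feeding the output of the two commands quoted in the post into sam_xids() and local_gids() instead of the constructed strings; a non-empty "collisions" list is the case the thread warns about (a SAM xid that already exists as a local id on the member), and a non-empty "ignored" list is exactly the "Domain Users has gidNumber 513 but the range starts at 1000" situation.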

