[Samba] Member server - winbind unable to resolve users/groups

Rowland Penny rowlandpenny at googlemail.com
Sun Apr 5 13:37:56 MDT 2015

On 05/04/15 20:07, Andrey Repin wrote:
> Greetings, Rowland Penny!
>>>>>>> dn: CN=Domain Users,CN=Users,DC=ads,DC=ccenter,DC=lan
>>>>>>> objectSid: S-1-5-21-1031481445-3291699540-3997755762-513
>>>>>>> gidNumber: 513
>>>>>> I think that could very well be your problem, you have these lines in
>>>>>> the smb.conf on your member server:
>>>>>>           idmap config CCENTER : backend = ad
>>>>>>           idmap config CCENTER : schema_mode = rfc2307
>>>>>>           idmap config CCENTER : range = 1000-50000
>>>>>> What they mean is, use the winbind 'ad' backend with rfc2307
>>>>>> attributes
>>>>>> and ignore any uidNumbers & gidNumbers that fall outside the range
>>>>>> '1000-50000'
>>>>>> '513' is less than '1000' so will be ignored, and as 'Domain Users' is
>>>>>> the users' primary group and must have a valid gidNumber, all users are
>>>>>> ignored.
>>>>>> Try this, give 'Domain Users' a larger gidNumber:
>>>>>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb '(cn=Domain Users)'
>>>>>> Change 'gidNumber: 513'
>>>>>> To 'gidNumber: 10513'
>>>>>> Now try 'getent passwd domainuser'
> I have enough Linux members to see the apparent issues of such change.
> I'd need to get to every one of them and change file permissions to the new
> gid.
>>>>> Wouldn't it be better to simply change the range to 500-50000?
>>>>> If he's like me, he'll have many hundreds of gigabytes of files with those
>>>>> uids/gids
>>>>> Bye
>>> Of course it would.
>> Whilst what you are proposing is a possibility, I would never recommend
>> using an ID number so low.
> It isn't "so" low, and there would not be new mapped groups of ids in that
> range, since main winbind configuration is on dedicated system, and it is set
> higher than that. So, I see no apparent issue allowing it to work straight.
> If I ever need a new installation, then of course I'd heed your warning.
>>>> Well yes, but I wanted to show the OP the relation between what the
>>>> uidNumber attribute holds and the range set in smb.conf. If what I
>>>> propose works (and I'm sure it will), I would have then advised the OP
>>>> to reset Domain Users back to 513, but I would also have pointed out
>>>> that you now cannot have *ANY* local users or groups!
>>> 500 as a lower range is perfectly reasonable. Have you never heard of
>>> /etc/login.defs?
>> Yes I have, so what do you propose changing in it? Bearing in mind that
>> whatever is changed in it will have to be changed on every Unix machine
>> in the domain, which sort of defeats the idea of central authentication.
> I'll have to get to every machine in the domain to upgrade Samba and tune its
> config.
> While it is a taxing task in itself, it is faster and easier than turning the
> system upside down by changing every file's permissions I'm not satisfied with.
>>>> I would also have pointed out that the lowest uid on Debian/Ubuntu,
>>>> that is not a system user, is 1000, so using the range '500-50000' is
>>>> not a good idea.
> That is only a suggestion. Up to now, I've never seen a system with more than
> 150 system users in production, however small my sample of *NIX systems has
> been. So, I find the suggestion to lower the idmap range reasonable.
> In retrospect, the problem wasn't worth a cracked egg. As always. x.x
> root at dc1~# ldbsearch -s sub -H /var/lib/samba/private/sam.ldb '(|(gidnumber)(uidnumber))' gidnumber uidnumber | grep -i "^.idnumber" | cut -d" " -f 2 | sort -un
> root at member~# getent group | cut -d: -f 3 | sort -un
> Exclude uids 0 and 65534. Compare the lists. If results are satisfactory, set
> the idmap range to include the lowest xid from the SAM database.
> Also, login.defs explained why I've got such high RIDs in my database.
> Turned out, I've created the setup in Hardy, where it was largely ignored, but
> I've added many users in 10.04, where the setup was already different.
> UID_MAX/GID_MAX is 60000 in login.defs, and smbldap-tools selected RIDs above
> the local range to represent domain members.
> Thanks for not losing hope on me. I've got the basic setup working now.
> The promised writeup will be up soon enough. Maybe in a week.
> I have some stuff to attend to in the meantime that I was pushing away for the
> last 2 months.

I think, from what you have posted, you have now got the gist of setting up
winbind. I know I initially didn't get it and had problems and blamed
winbind. Once I did get it working, I could see just where I had been
going wrong and couldn't really believe just how easy it was to set up,
now that I understood it :-D
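The following is an added example, not code from the thread or from Samba. It mechanises the two checks the discussion above boils down to: whether the uidNumber/gidNumber values held in AD fall inside the `idmap config DOMAIN : range` set for the winbind `ad` backend (with the special case that `Domain Users`, the primary group of every user, must itself map or no user resolves), and whether the AD gids overlap gids already in use locally on the member server (the reason a range starting at 500 forbids local users and groups). The smb.conf fragment, the LDIF and the `getent group` lines are constructed to mirror the thread; on a real system you would feed it the output of the `ldbsearch` and `getent` commands quoted above.

```python
"""Check AD uidNumber/gidNumber values against a winbind idmap range.

Added example, not part of the samba list thread. All sample data below is
constructed; DOMAIN_USERS_DN is taken from the thread's ldbsearch output.
"""
import re

DOMAIN_USERS_DN = "CN=Domain Users,CN=Users,DC=ads,DC=ccenter,DC=lan"

# Constructed smb.conf fragment with the member server's idmap settings.
SMB_CONF = """\
[global]
   security = ADS
   idmap config CCENTER : backend = ad
   idmap config CCENTER : schema_mode = rfc2307
   idmap config CCENTER : range = 1000-50000
"""

# Constructed LDIF, shaped like the thread's
# ldbsearch ... '(|(gidnumber)(uidnumber))' gidnumber uidnumber
SAM_LDIF = """\
dn: CN=Domain Users,CN=Users,DC=ads,DC=ccenter,DC=lan
gidNumber: 513

dn: CN=Domain Admins,CN=Users,DC=ads,DC=ccenter,DC=lan
gidNumber: 512

dn: CN=alice,CN=Users,DC=ads,DC=ccenter,DC=lan
uidNumber: 10001
gidNumber: 513

dn: CN=bob,CN=Users,DC=ads,DC=ccenter,DC=lan
uidNumber: 60001
"""

# Constructed 'getent group' output from the member server.
LOCAL_GROUPS = """\
root:x:0:
adm:x:4:
nogroup:x:65534:
staff:x:513:alice
"""

RANGE_RE = re.compile(r"idmap config \S+ : range = (\d+)-(\d+)")


def parse_range(smb_conf):
    """Return (lo, hi) from the first 'idmap config X : range = lo-hi' line."""
    m = RANGE_RE.search(smb_conf)
    if not m:
        raise ValueError("no idmap range found in smb.conf")
    return int(m.group(1)), int(m.group(2))


def sam_ids(ldif):
    """Map each dn to the uidNumber/gidNumber attributes it carries."""
    entries, dn = {}, None
    for line in ldif.splitlines():
        if line.startswith("dn: "):
            dn = line[4:]
            entries[dn] = {}
        elif dn and ":" in line:
            attr, value = line.split(":", 1)
            if attr in ("uidNumber", "gidNumber"):
                entries[dn][attr] = int(value)
    return entries


def local_gids(getent_output, exclude=(0, 65534)):
    """Set of gids from 'getent group', minus root and nogroup as in the thread."""
    gids = set()
    for line in getent_output.splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and parts[2].isdigit() and int(parts[2]) not in exclude:
            gids.add(int(parts[2]))
    return gids


def check_idmap(entries, lo, hi, local):
    """Report ids outside [lo, hi], local gid collisions and the xid span."""
    report = {"out_of_range": {}, "collisions": set(), "xid_span": None}
    for dn, ids in entries.items():
        bad = {attr: v for attr, v in ids.items() if not lo <= v <= hi}
        if bad:
            report["out_of_range"][dn] = bad
    # Domain Users is every user's primary group: if its gidNumber is outside
    # the range, winbind drops every user, not just the group.
    du_gid = entries.get(DOMAIN_USERS_DN, {}).get("gidNumber")
    report["domain_users_mapped"] = du_gid is not None and lo <= du_gid <= hi
    sam_gids = {ids["gidNumber"] for ids in entries.values() if "gidNumber" in ids}
    report["collisions"] = sam_gids & local
    all_ids = [v for ids in entries.values() for v in ids.values()]
    if all_ids:
        report["xid_span"] = (min(all_ids), max(all_ids))
    return report


if __name__ == "__main__":
    lo, hi = parse_range(SMB_CONF)
    r = check_idmap(sam_ids(SAM_LDIF), lo, hi, local_gids(LOCAL_GROUPS))
    print("range:", (lo, hi), "Domain Users mapped:", r["domain_users_mapped"])
    print("outside range:", r["out_of_range"])
    print("local gid collisions:", r["collisions"], "xid span:", r["xid_span"])
```

Run against the constructed data it reports Domain Users (513) as unmapped under `1000-50000`, lists every entry that would be ignored, flags gid 513 as already used by the local `staff` group, and gives `512-60001` as the span a range would have to cover, which is the comparison the thread describes doing by hand with `sort -un`.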
