[Samba] userid shows 4294967295

Ole Traupe ole.traupe at tu-berlin.de
Mon Dec 7 18:55:51 UTC 2015


I always wondered why to reserve 8000 IDs for built-in accounts. I see 
~40 built-in groups in ADUC and 2 such users (Administrator and Guest)...

Ole


On 07.12.2015 at 17:27, Rowland penny wrote:
> On 07/12/15 16:08, Nico De Ranter wrote:
>>
>> I'm coming from a Debian system so my system accounts are below 1000, 
>> regular accounts start at 1000. For some historical reason somebody 
>> gave our main group id 500 so therefore I want my usable range to 
>> start at 500.
>
> Bad idea, you will probably need at least one local Unix user, where 
> are you going to put it? My advice would be to follow the Samba wiki 
> and use the numbers you will find there.
>
>>
>> Do I need both idmap config *:range and  idmap config SAMDOM:range?  
>> I also tried with only 'idmap config *:range' but that didn't seem to 
>> help.  I'll try again tomorrow.
>
> Yes you do, the first is for the builtin user & group mappings and the 
> second is for your AD users & groups.
>
>>
>> I also noticed that my second AD didn't have rfc2307 enabled so that 
>> may also have introduced some issues.
>
> Not really, all the info should be in AD, you probably just need to 
> add 'idmap_ldb:use rfc2307 = yes' to smb.conf on the second DC.
>
> Rowland
>
>>
>> @Stefan Kania, thanks for the 'net cache flush', I didn't know that.
>>
>> Nico
>>
>>
>> On Mon, Dec 7, 2015 at 4:27 PM, Rowland penny <rpenny at samba.org>
>> wrote:
>>
>>     On 07/12/15 12:52, Nico De Ranter wrote:
>>
>>         Hello again,
>>
>>         I'm getting close to a working setup but still run into
>>         glitches here and
>>         there.
>>
>>         I have 2 Ubuntu servers working as AD server, one Ubuntu
>>         desktop with
>>         winbind configured.   I've set up a number of accounts with Unix
>>         properties.  I've been primarily testing with my own account
>>         which works
>>         just fine.  I've now assigned Unix properties to another
>>         account. When I
>>         run 'wbinfo -i' on the AD server I see the correct info:
>>
>>         root@dc1:~# wbinfo -i test
>>         OFFICE\test:*:10000:500:test:/home/OFFICE/test:/bin/false
>>
>>         When I try the same thing on the client I get:
>>
>>         root@testpc2:~# wbinfo -i test
>>         test:*:4294967295:4294967295::/home/test:/bin/bash
>>
>>         I also tried some other accounts and got the same result.  The
>>         only account
>>         that seems to work fine is my own account (and no it is not in
>>         /etc/passwd
>>         :-)
>>
>>         Any idea what might be wrong?
>>
>>         smb.conf on the client:
>>
>>         [global]
>>                 security = ADS
>>                 workgroup = OFFICE
>>                 realm = WIN.OFFICE
>>
>>                 log file = /var/log/samba/%m.log
>>                 log level = 1
>>
>>                 dedicated keytab file = /etc/krb5.keytab
>>                 kerberos method = secrets and keytab
>>
>>                 winbind refresh tickets = yes
>>                 winbind trusted domains only = no
>>                 winbind use default domain = yes
>>                 winbind enum users  = yes
>>                 winbind enum groups = yes
>>                 winbind offline logon = yes
>>
>>                 client signing = yes
>>                 client use spnego = yes
>>
>>                 idmap config = ad
>>                 winbind nss info = rfc2307
>>
>>                 # Default idmap config used for BUILTIN and local accounts/groups
>>                 idmap backend = tdb
>>                 idmap range = 100-499
>>
>>                 # idmap config for domain OFFICE
>>                 idmap config OFFICE : backend = ad
>>                 idmap config OFFICE : schema_mode = rfc2307
>>                 idmap config OFFICE : range = 500-29999
>>
>>
>>     Your 'idmap config' block really should look like this:
>>
>>        idmap config *:backend = tdb
>>        idmap config *:range = 2000-9999
>>        idmap config SAMDOM:backend = ad
>>        idmap config SAMDOM:schema_mode = rfc2307
>>        idmap config SAMDOM:range = 10000-99999
>>
>>     Also why are you using such strange ID numbers?
>>
>>     Rowland
>>
>>         It worked for the user with uid 1048, it doesn't work for uid
>>         1059, 1000,
>>         9999, 10000
>>
>>
>> -- 
>> Nico De Ranter
>>
>> Operations Engineer
>>
>> T. +32 16 40 12 82
>>
>> M. +32 497 91 53 78
>
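
An added example, not written by any poster in this thread: a small checker that reads the `idmap config DOMAIN : key = value` lines of an smb.conf and reports which configured range, if any, covers a given uid or gid. It relies on the documented behaviour of the `ad` idmap backend, whose range acts as a filter so that IDs stored in AD outside it are ignored; the function names are hypothetical and the two inputs are constructed from the idmap lines of the configs quoted above.

```python
import re
from itertools import combinations

# "idmap config DOMAIN : key = value"; spaces around ':' are optional.
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*([\w ]+?)\s*=\s*(.+?)\s*$", re.I)
UNMAPPED = 2**32 - 1  # 4294967295, the uid/gid wbinfo printed on the client

# Constructed inputs: only the idmap lines of the two configs quoted in the thread.
CLIENT = """
idmap config = ad
idmap backend = tdb
idmap range = 100-499
idmap config OFFICE : backend = ad
idmap config OFFICE : schema_mode = rfc2307
idmap config OFFICE : range = 500-29999
"""
SUGGESTED = """
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = 10000-99999
"""

def parse_idmap(text):
    """Return {domain: {key: value}}; 'range' becomes a (low, high) tuple."""
    domains = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue  # comments and lines not in 'idmap config DOM:key' form
        dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
        if key == "range":
            val = tuple(int(x) for x in val.split("-"))
        domains.setdefault(dom, {})[key] = val
    return domains

def owners(domains, unix_id):
    """Domains whose configured range contains unix_id (empty: no range covers it)."""
    return sorted(d for d, e in domains.items()
                  if "range" in e and e["range"][0] <= unix_id <= e["range"][1])

def overlapping(domains):
    """Domain pairs whose ranges intersect."""
    r = {d: e["range"] for d, e in domains.items() if "range" in e}
    return [(a, b) for a, b in combinations(sorted(r), 2)
            if r[a][0] <= r[b][1] and r[b][0] <= r[a][1]]

if __name__ == "__main__":
    for name, conf in (("client", CLIENT), ("suggested", SUGGESTED)):
        d = parse_idmap(conf)
        print(name, {i: owners(d, i) for i in (500, 10000, UNMAPPED)}, overlapping(d))
```

With the suggested ranges, gid 500 from the `wbinfo -i` output on the DC is covered by no range, and the client config yields no `*` entry because its default-domain lines are not in `idmap config *:` form.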



