[Samba] userid shows 4294967295

L.P.H. van Belle belle at bazuin.nl
Tue Dec 8 10:57:13 UTC 2015


Hai Nico, 

You can change the defaults in samba, but read the whole e-mail first.

Look here. http://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC 

Per default Active Directory starts assigning UIDs/GIDs both at 10000.
Adapt the following two attributes to your needs and save the changes.
msSFU30MaxUidNumber: 10000
msSFU30MaxGidNumber: 10000

If you run the following, you can change the UID/GID. 
But take notice of the following. 
Debian PAM had settings with minimum uid=1000 so change them also if needed. 
There may be more things to adjust to uid 500+.  

############ copy paste this. ( 6 lines, beware of line breaks. ) 
# works if your DNS domain has 2 dots, like internal.domain.tld 
# 
NETBIOSNAME=$(samba-tool domain info "$(hostname -f)" | grep Netbios | cut -d":" -f2 | cut -c2-100)

FOREST_DC=$(samba-tool domain info "$(hostname -f)" | grep Forest | cut -d":" -f2)

FOREST_SUB_DC1=$(echo $FOREST_DC | cut -d"." -f1| cut -c1-100)
FOREST_SUB_DC2=$(echo $FOREST_DC | cut -d"." -f2| cut -c1-100)
FOREST_SUB_DC3=$(echo $FOREST_DC | cut -d"." -f3)

# 
ldbedit -H /var/lib/samba/private/sam.ldb -s base -b "CN=${NETBIOSNAME},CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=${FOREST_SUB_DC1},DC=${FOREST_SUB_DC2},DC=${FOREST_SUB_DC3}"
############ copy paste this. 


BUT ! 

What I would do in your case. 

Export the current users to csv from the old domain. 
Import the users with the correct uid, and the same for the groups. 

Leave the samba defaults uid/gid at 10000.
So for every new one you start at 10000, this way you can slowly move away from the low uid/gids. 

I have a csv setup like this. 
		
Department;First_Letter_of_firstname.;Surename;Firstname_full;loginname;phone-nr;emailadres;


And I import like this:
# every field is wrapped in \"...\" so a value containing spaces stays one argument
awk -F ";" '{system("/usr/bin/samba-tool user create \""$5"\" --mail-address=\""$7"\" \
--given-name=\""$2"\" --surname=\""$3"\" --telephone-number=\""$6"\" --department=\""$1"\" --description=\""$1"\" \
--random-password --userou=ou=Company ")}' /home/samba/backup/users.csv

For you just add things from below: 

  --rfc2307-from-nss    Copy Unix user attributes from NSS (will be overridden
                        by explicit UID/GID/GECOS/shell)
  --nis-domain=NIS_DOMAIN
                        User's Unix/RFC2307 NIS domain
  --unix-home=UNIX_HOME
                        User's Unix/RFC2307 home directory
  --uid=UID             User's Unix/RFC2307 username
  --uid-number=UID_NUMBER
                        User's Unix/RFC2307 numeric UID
  --gid-number=GID_NUMBER
                        User's Unix/RFC2307 primary GID number
  --gecos=GECOS         User's Unix/RFC2307 GECOS field
  --login-shell=LOGIN_SHELL
                        User's Unix/RFC2307 login shell


So a few suggestions which you can adapt to your environment. 

Greetz, 

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Nico De Ranter
> Sent: Tuesday 8 December 2015 9:52
> To: Rowland penny
> CC: samba
> Subject: Re: [Samba] userid shows 4294967295
> 
> On Mon, Dec 7, 2015 at 5:27 PM, Rowland penny <rpenny at samba.org> wrote:
> 
> > On 07/12/15 16:08, Nico De Ranter wrote:
> >
> >>
> >> I'm coming from a Debian system so my system accounts are below 1000,
> >> regular accounts start at 1000. For some historical reason somebody gave
> >> our main group id 500 so therefore I want my usable range to start at 500.
> >>
> >
> > Bad idea, you will probably need at least one local Unix user, where are
> > you going to put it. My advice would be to follow the Samba wiki and use
> > the numbers you will find there.
> >
> 
> It may be a bad idea but it is the reality I need to live with.  I'm adding
> an AD domain to an existing Linux network.  Renumbering my existing Linux
> users (and therefore ownership of all files on all Linux systems) is simply
> out of the question.
> 
> However I intend to assign unix properties to all my users and groups in AD
> hand picking the IDs to match the existing ones anyway.  Any new user will
> get an id above 10000.
> 
> 
> >
> >
> >> Do I need both idmap config *:range and  idmap config SAMDOM:range?  I
> >> also tried with only 'idmap config *:range' but that didn't seem to help.
> >> I'll try again tomorrow.
> >>
> >
> > Yes you do, the first is for the builtin user & group mappings and the
> > second is for your AD users & groups.
> >
> >
> >> I also noticed that my second AD didn't have rfc2307 enabled so that may
> >> also have introduced some issues.
> >>
> >
> > Not really, all the info should be in AD, you probably just need to add
> > 'idmap_ldb:use rfc2307 = yes' to smb.conf on the second DC.
> >
> > Rowland
> >
> >
> >> @Stefan Kania, thanks for the 'net cache flush', I didn't know that.
> >>
> >> Nico
> >>
> >>
> Nico
> 
> 
> --
> Nico De Ranter
> 
> Operations Engineer
> 
> T. +32 16 40 12 82
> 
> M. +32 497 91 53 78
> 
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
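
Added example, not part of the original e-mail or of Samba: the CSV import from the message, done without awk's system() so that a CSV field containing quotes, spaces or shell metacharacters cannot change the command line, with the existing uid/gid numbers passed via --uid-number/--gid-number. It assumes two extra CSV columns (uid_number, gid_number) that the layout in the e-mail does not have; import_line, import_csv and the two validation helpers are names chosen for this example.

```sh
# Added example (not from the original e-mail): CSV import without awk
# system(), so every field stays exactly one argv element.
# Assumption: two hypothetical extra columns, uid_number and gid_number,
# follow the 7 columns of the layout shown in the e-mail.
NEW_ID_START=10000   # Samba's default start for new IDs, left unchanged

# True for a legacy ID: decimal digits, no leading zero, below NEW_ID_START.
valid_legacy_id() {
    case "$1" in
        ''|0*|*[!0-9]*|??????*) return 1 ;;
    esac
    [ "$1" -lt "$NEW_ID_START" ]
}

# True for a login name that cannot be read as an option or hide metacharacters.
valid_login() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
}

# Handle one CSV line. DRY_RUN=1 (the default) prints the argv, one [...] per
# argument; DRY_RUN=0 runs samba-tool. The ( ) body keeps the variables local.
import_line() (
    IFS=';' read -r dept initial surname first login phone mail uidn gidn rest <<EOF
$1
EOF
    valid_login "$login" && valid_legacy_id "$uidn" && valid_legacy_id "$gidn" ||
        { echo "skipped: $1" >&2; exit 1; }
    set -- /usr/bin/samba-tool user create "$login" \
        --mail-address="$mail" --given-name="$initial" --surname="$surname" \
        --telephone-number="$phone" --department="$dept" --description="$dept" \
        --uid-number="$uidn" --gid-number="$gidn" \
        --random-password --userou=ou=Company
    if [ "${DRY_RUN:-1}" = 1 ]; then printf '[%s] ' "$@"; echo; else "$@"; fi
)

# Import a whole file; returns non-zero if any line was skipped or failed.
import_csv() {
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        import_line "$line" </dev/null || rc=1
    done <"$1"
    return "$rc"
}

# Constructed sample line (not real data); the department holds a metacharacter.
SAMPLE='R&D;J.;Van Dam;Jan;jvandam;555-0100;jan@example.com;1001;500;'
```

Run import_csv on the exported file with DRY_RUN left at 1 first and check the printed argv before setting DRY_RUN=0.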




