[Samba] ldbedit: no matching records - cannot edit (newly-created user)

Jim Seymour jseymour at LinxNet.com
Thu Sep 10 19:06:47 UTC 2015

On Thu, 10 Sep 2015 18:55:08 +0100
Rowland Penny <rowlandpenny241155 at gmail.com> wrote:

> Yes, after I engaged my brain, idmap.ldb contains the mappings of
> Domain users & groups to Unix users & groups and they only get into
> idmap.ldb after samba (on the DC) first pulls the users info from AD,
> it only does this when the user or group first contacts the AD DC
> i.e. the user logs in.

Ho-ly smokes, what an incredibly clunky thing this Samba4 thing is.
It's as if the developers set out to create MS-Win domain support
in a way that is as decoupled from, and as hostile to, *nix as they
possibly could.

And the docs... lead one all over hell's half acre... pointlessly, it
turns out, because much of what the docs say to do simply does not work.

(I'm trying to get roaming profiles going while waiting for answers to
this thread.  They don't work, either.)

> I think you are going to have to rethink this, the users (or groups)
> RID will always be unique in the domain, so you could use this to
> create a uidNumber or gidNumber and add this to the user (or group)
> object.

Are you suggesting that, for the existing users with hundreds or even
thousands of files on a server with about 1TB of storage, I need to
change all their UIDs and GIDs, and all the user and group ownerships
for all their network storage files and directories, to suit this thing?

A UID number of "3000024" is *way* outside the UID_MAX value for an
out-of-the-box Linux system.  (Ubuntu 14.04 LTS is 60000.)

Yeah, you're right: I'm going to have to re-think this.  My boss
suggested, in the IT meeting this morning, that this isn't going to be
worth the trouble.  I disagreed.  Now I'm not so sure.  Every step I
take is riddled with incorrect and misleading documentation, and people
telling me "You shouldn't/can't do it that way."

Thanks for your attempt to help, though.  It truly *is* appreciated.  I'm
going to walk away from this for the remainder of the day, take care of
a bunch of piddly little annoying admin stuff that's been held in
abeyance while I tackled this project, and decide in the morning.  I
rarely give up, but this is looking like throwing good time after bad.

And, yes, to those who might rightfully take offence to my complaining
about the quality of something I'm getting for free: It's all (or
mostly, anyway) volunteers doing it out of the goodness of their
hearts.  Believe me: I know.  BTDT GTTS to prove it.  But still...
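The RID-based uidNumber/gidNumber approach Rowland describes, worked through as an added example (not code from the thread or from Samba): it extracts the RID from an account's objectSid, maps it to a uidNumber under a chosen base, refuses values above the system's UID_MAX (the 60000 figure quoted above), and emits the LDIF that `ldbmodify` would take to add the attribute to the user object. The SID, base DN and offset are constructed, not taken from any real domain.

```python
"""Derive a POSIX uidNumber from a user's RID and emit LDIF for ldbmodify.

Added example; the domain SID, DN and uidNumber base below are made up.
The mapping is done by hand here (base + RID) so it stays under UID_MAX,
rather than letting Samba allocate from its default 3000000 range.
"""
import re

# Domain account SID: S-1-5-21-<three sub-authorities>-<RID>
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def rid_from_sid(sid: str) -> int:
    """Return the relative identifier (last sub-authority) of a domain SID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain account SID: {sid!r}")
    return int(m.group(1))


def rid_to_uid(rid: int, base: int = 10000, uid_max: int = 60000) -> int:
    """Map a RID to base + RID; refuse values outside 1..uid_max."""
    uid = base + rid
    if not 0 < uid <= uid_max:
        raise ValueError(f"uid {uid} is outside 1..{uid_max}; choose another base")
    return uid


def uidnumber_ldif(dn: str, uid: int) -> str:
    """LDIF 'modify' record adding uidNumber; suitable for ldbmodify -H sam.ldb."""
    return "\n".join(
        [f"dn: {dn}", "changetype: modify", "add: uidNumber", f"uidNumber: {uid}", "-", ""]
    )


if __name__ == "__main__":
    # Constructed sample: domain part is fictitious, RID is 1105.
    sid = "S-1-5-21-1111111111-2222222222-3333333333-1105"
    dn = "CN=jdoe,CN=Users,DC=example,DC=com"  # assumed DN
    print(uidnumber_ldif(dn, rid_to_uid(rid_from_sid(sid))))
```

With base 3000000 the same function rejects RID 24, which is exactly the 3000024 allocation complained about above.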

