[Samba] ldbedit: no matching records - cannot edit (newly-created user)

Rowland Penny rowlandpenny241155 at gmail.com
Thu Sep 10 19:30:17 UTC 2015

On 10/09/15 20:06, Jim Seymour wrote:
> On Thu, 10 Sep 2015 18:55:08 +0100
> Rowland Penny <rowlandpenny241155 at gmail.com> wrote:
> [snip]
>> Yes, after I engaged my brain, idmap.ldb contains the mappings of
>> Domain users & groups to Unix users & groups and they only get into
>> idmap.ldb after samba (on the DC) first pulls the user's info from AD,
>> it only does this when the user or group first contacts the AD DC
>> i.e. the user logs in.
> Ho-ly smokes, what an incredibly clunky thing this Samba4 thing is.
> It's as if the developers set out how to create MS-Win domain support
> in a way that is as decoupled from, and as hostile to, *nix as they
> possibly could.

Yes, it works just like a windows AD DC :-)

> And the docs... lead one all over hell's half acre... pointlessly, it
> turns out, because much of what the docs say to do simply does not work.

The 'docs' as you call them are being re-written and aren't so much 
wrong as disorganised, but as I say, they are being re-written.

> (I'm trying to get roaming profiles going while waiting for answers to
> this thread.  They don't work, either.)

Roaming profiles do work and I am sure others will back up this statement.

>> I think you are going to have to rethink this, the user's (or group's)
>> RID will always be unique in the domain, so you could use this to
>> create a uidNumber or gidNumber and add this to the user (or group)
>> object.
> Are you suggesting that, for the existing users with hundreds or even
> thousands of files on a server with about 1TB of storage, I need to
> change all their UIDs and GIDs, and all the user and group ownerships
> for all their network storage files and directories, to suit this thing?

This 'thing' as you call it, is a clone of a windows AD DC and as such, 
works just like one.
If you have existing users and groups, you can use their existing 
UID/GID numbers in AD, investigate the 'uidNumber' & 'gidNumber' 
attributes in AD.

> A UID number of "3000024" is *way* outside the UID_MAX value for an
> out-of-the-box Linux system.  (Ubuntu 14.04 LTS is 60000.)

Actually it is a 16bit number, so I suppose it will be 65536, it must be 
because 'nobody' is 65534 on debian.

> Yeah, you're right: I'm going to have to re-think this.  My boss
> suggested, in the IT meeting this morning, that this isn't going to be
> worth the trouble.  I disagreed.  Now I'm not so sure.  Every step I
> take is riddled with incorrect and misleading documentation, and people
> telling me "You shouldn't/can't do it that way."

All I can say is that it works if it is set up correctly, most of the 
time when admins have problems with samba4, it is usually because the 
admin is trying to 'bend' it to do something it isn't capable of.

> Thanks for your attempt to help, tho.  It truly *is* appreciated.  I'm
> going to walk away from this for the remainder of the day, take care of
> a bunch of piddly little annoying admin stuff that's been held in
> abeyance while I tackled this project, and decide in the morning.  I
> rarely give up, but this is looking like throwing good time after bad.
> And, yes, to those who might rightfully take offence to my complaining
> about the quality of something I'm getting for free: It's all (or
> mostly, anyway) volunteers doing it out of the goodness of their
> hearts.  Believe me: I know.  BTDT GTTS to prove it.  But still...

It may help us to help you if you explained just what you need to do.

> Regards,
> Jim
