[Samba] WINBIND: UID and GID false mappings on domain member

rawi only4com at web.de
Fri Aug 12 16:41:19 UTC 2016

Thank you Rowland for looking into this!

>> WHAT I DO NOT GET CORRECTLY are the UID and GID of users and groups 
>> on the domain member (PARTIALLY DEPENDING if I have the lines with 
>> "idmap config *:..." or not ??? - see below)
> Have you added uidNumber & gidNumber attributes to the user & 
> groupobjects in AD ? 

Not myself, I simply provisioned with --use-rfc2307

> I take it you are using bind9 as the nameserver and you have set it up 
> correctly ? 
> In which case you will have a line similar to this in 
> named.conf.options: 
>         forwarders {;; }; 
> So remove 'dns-nameservers' from smb.conf, I don't recognise 
> it, so I suppose Samba won't either, there is the setting 'dns 
> forwarder' but this is only used with the internal DNS server and you 
> wouldn't use '' 

Well, I simplified the tale:
I wanted to have only one domain for all, samba and the rest. Not a
subdomain for samba.
I have all in bind9 and dhcp. So I looked at samba's dnsupdates the first time,
took the dns records and put them fixed in bind9. All the remaining records for
the clients are generated (an included list) from a script. In DHCP I have
mostly static assignments.
Then I deleted dnsupdate from samba's roles. It works well, forward and

> > # [netlogon] is on the member server and defined in the user's object 
> I suggest you put it back

I will. In my eyes netlogon is a share like any other, and the DC shouldn't
share files.
I thought, it would have been enough to have the netlogon pointer to the
file server - in the user's LDAP object.

>> objectClass: posixAccount
> You do not need and should not add the POSIX objectclasses 

I didn't. I used samba-tool to add the user and the group. And I tried to
use most of the parameters of "user add", to learn and see what happens.
So samba-tool did it.

> Have you given 'Domain Users' a gidNumber inside the range 5000-30000 ?

No, Domain Users has no GID.
Until now it was unimportant to me. All my users are in the group "hg_allg"
with GID 5001. As primary group in unix passwd in the old NT domain.

Oh, I remember something awkward...

Until a couple of days ago, I got the users' UID but NOT THE GROUP's GID. THIS
ALWAYS without the lines "idmap config *:..."
I could login from a joined Windows 8.1, I got the logon script running
(from the domain member), but the home was not bound to the HOMEDIR. This
could happen, because at that time the UID came correctly and matched the
old UID of the user.

I got a kernel update today.... and the situation changed, like I said...
Now I get GID but no UID.

Somehow spooky...


View this message in context: http://samba.2283325.n4.nabble.com/WINBIND-UID-and-GID-false-mappings-on-domain-member-tp4706553p4706560.html
Sent from the Samba - General mailing list archive at Nabble.com.
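An added illustration (not code from the thread or from Samba) of the mapping behaviour Rowland's questions point at: with an `idmap config DOMAIN : backend = ad` rfc2307 setup, winbind maps a user or group only when the object carries a uidNumber/gidNumber that falls inside the configured domain range, and a separate `idmap config *` default with its own non-overlapping range is needed for everything else. The smb.conf fragment, the domain name EXAMPLE and the attribute values are constructed for the demo.

```python
import re

# Constructed smb.conf fragment modelled on the thread: an rfc2307 domain range
# of 5000-30000 plus the "idmap config *" default lines the poster toggled.
SMB_CONF = """
[global]
   workgroup = EXAMPLE
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 3000-4999
   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE : schema_mode = rfc2307
   idmap config EXAMPLE : range = 5000-30000
   idmap config EXAMPLE : unix_nss_info = yes
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    out = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            out.setdefault(dom, {})[key] = val
    return out

def parse_range(text):
    lo, hi = (int(x) for x in text.split("-"))
    return lo, hi

def check_ranges(idmap):
    """Flag a missing '*' default, domains without a range, and overlapping ranges."""
    problems = []
    if "*" not in idmap:
        problems.append("no 'idmap config *' default: BUILTIN/well-known SIDs stay unmapped")
    ranges = {d: parse_range(o["range"]) for d, o in idmap.items() if "range" in o}
    problems += [f"{d}: no range" for d in idmap if d not in ranges]
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (al, ah), (bl, bh) = ranges[a], ranges[b]
            if al <= bh and bl <= ah:
                problems.append(f"ranges of {a} and {b} overlap")
    return problems

def ad_mapping(idmap, domain, attr_value):
    """Mimic idmap_ad: map only if uidNumber/gidNumber exists and lies in the domain range."""
    opts = idmap.get(domain.upper(), {})
    if opts.get("backend", "").lower() != "ad" or "range" not in opts or attr_value is None:
        return None  # no attribute, or not an ad backend: winbind reports no mapping
    lo, hi = parse_range(opts["range"])
    return attr_value if lo <= attr_value <= hi else None
```

A group such as Domain Users with no gidNumber, or one whose value sits outside 5000-30000, yields no mapping even though a user with uidNumber 10001 in the same domain maps fine, which is the UID-but-no-GID (or the reverse) symptom described above.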