[Samba] WINBIND: UID and GID false mappings on domain member

Rowland Penny rpenny at samba.org
Fri Aug 12 17:04:23 UTC 2016

On Fri, 12 Aug 2016 09:41:19 -0700 (PDT)
rawi via samba <samba at lists.samba.org> wrote:

> Thank you Rowland for looking into this!

> > Have you added uidNumber & gidNumber attributes to the user & 
> > group objects in AD ? 
> Not myself, I simply provisioned with --use-rfc2307

Just provisioning with --rfc2307 isn't enough, you personally need to
add any required RFC2307 attributes.

> > I take it you are using bind9 as the nameserver and you have set it
> > up correctly ? 
> > In which case you will have a line similar to this in 
> > named.conf.options: 
> >         forwarders {;; }; 
> > 
> > So remove 'dns-nameservers' from smb.conf, I don't
> > recognise it, so I suppose Samba won't either, there is the setting
> > 'dns forwarder' but this is only used with the internal DNS server
> > and you wouldn't use '' 
> Well, I simplified the tale:
> I wanted to have only one domain for all, samba and the rest. Not a
> subdomain for samba.
> I have all in bind9 and dhcp. So I looked samba's dnsupdates the
> first time, took the dns records and put them fixed in bind9. All the
> rest records of the clients will be generated (included list) from a
> script. In DHCP I have mostly static assignments.
> Then I deleted dnsupdate from samba's roles. It works good, forward
> and reverse.

Can I suggest you put dnsupdate back and then set up bind9 on the DC
correctly. You can, if you wish, run DHCP elsewhere, but you can also run
it on the DC; I can supply instructions if required.

> >  > # [netlogon] is on the member server and defined in the user's
> >  > object 
> > 
> > I suggest you put it back
> I will. In my eyes, netlogon is a share like any other, and the DC
> shouldn't share files.
> I thought, it would have been enough to have the netlogon pointer to
> the file server - in the user's LDAP object.
> >> objectClass: posixAccount
> > 
> > You do not need and should not add the POSIX objectclasses 
> I didn't. I used samba-tool to add the user and the group. And I
> tried to use most of the parameters of "user add", to learn and
> see what happens. So samba-tool did it.

You must be using an old version of samba-tool, it doesn't do that now.

> > Have you given 'Domain Users' a gidNumber inside the range
> > 5000-30000 ?
> No, Domain Users has no GID.
> Until now it was unimportant to me. All my users are in the group
> "hg_allg" with GID 5001. As primary group in unix passwd in the old
> NT domain.

No they are not:

dn: CN=test,CN=Users,DC=humgen,DC=0zone
primaryGroupID: 513

This makes the user's primary group 'Domain Users' and as such, the
primary group must have a gidNumber, or all your users will be ignored
by winbind. Do not think of changing the user's primaryGroupID; Windows
expects all users to be members of 'Domain Users'.

> Oh, I remember something awkward...
> Till a couple of days ago, I got the user's UID but NOT THE GROUP's GID.
> THIS ALWAYS without the lines "idmap config *:..."
> I could login from a joined Windows 8.1, I got the logon script
> running (from the domain member), but the home was not bound to the
> HOMEDIR. This could happen, because at that time the UID came
> correctly and matched the old UID of the user.
> I got today a kernel update.... and the situation changed, like I
> said... Now I get GID but no UID.
> Somehow spooky...

No, just that you have set up Samba incorrectly, you are trying to use
AD like you used your old NT4-style domain.

Can I suggest that you go and read the Samba wiki:


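The point made above (a user whose primaryGroupID points at a group without a gidNumber is skipped by winbind, and the gidNumber has to fall inside the configured idmap range) can be checked mechanically against an LDIF dump of the AD users and groups. The script below is an added example, not code from the thread or from the Samba project: it takes the kind of output `ldbsearch`/`ldapsearch` produce, follows each user's primaryGroupID to the group whose objectSid ends in that RID, and reports users that would not map. The `test` dn and `primaryGroupID: 513` come from the message; the SIDs, the uidNumber, the hg_allg entry and the 5000-30000 range used in the call are constructed for the example.

```python
# Added example: find AD users that winbind's ad idmap backend would skip
# because of missing or out-of-range RFC2307 attributes.
import sys

# Constructed LDIF in the shape ldbsearch prints it. Only the user dn and
# primaryGroupID: 513 are from the mailing-list message; everything else
# (domain SID, RIDs, uidNumber, the hg_allg group) is made up.
SAMPLE_LDIF = """\
dn: CN=test,CN=Users,DC=humgen,DC=0zone
objectClass: user
objectSid: S-1-5-21-1111-2222-3333-1105
primaryGroupID: 513
uidNumber: 10001

dn: CN=Domain Users,CN=Users,DC=humgen,DC=0zone
objectClass: group
objectSid: S-1-5-21-1111-2222-3333-513

dn: CN=hg_allg,CN=Users,DC=humgen,DC=0zone
objectClass: group
objectSid: S-1-5-21-1111-2222-3333-1101
gidNumber: 5001
"""


def parse_ldif(text):
    """Parse a minimal LDIF dump into a list of {attribute: [values]} dicts.
    Folded lines (leading space) are joined; base64 ('::') values are not
    decoded, which is fine for the plain-text attributes checked here."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, value = line.partition(": ")
        cur.setdefault(attr, []).append(value)
    return entries


def rid(sid):
    """Relative identifier: the last dash-separated component of a SID."""
    return int(sid.rsplit("-", 1)[1])


def check_idmap(ldif_text, lo, hi):
    """Return (dn, problem) pairs for users that would not be mapped:
    no uidNumber, or a primary group without a gidNumber inside [lo, hi].
    An empty list means every user in the dump has a usable mapping."""
    entries = parse_ldif(ldif_text)
    groups = {rid(e["objectSid"][0]): e for e in entries
              if "group" in e.get("objectClass", []) and "objectSid" in e}
    problems = []
    for e in entries:
        if "primaryGroupID" not in e:
            continue                   # not a user object
        dn = e["dn"][0]
        if "uidNumber" not in e:
            problems.append((dn, "no uidNumber"))
        pgid = e["primaryGroupID"][0]
        group = groups.get(int(pgid))
        if group is None:
            problems.append((dn, "primary group RID %s not found" % pgid))
            continue
        gid = group.get("gidNumber")
        if gid is None:
            problems.append((dn, "primary group %s has no gidNumber" % group["dn"][0]))
        elif not lo <= int(gid[0]) <= hi:
            problems.append((dn, "primary group gidNumber %s outside %d-%d"
                             % (gid[0], lo, hi)))
    return problems


if __name__ == "__main__":
    # Pipe real ldbsearch output on stdin, or run with no input to use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    for dn, why in check_idmap(text, 5000, 30000):
        print("%s: %s" % (dn, why))
```

Run against the sample it reports the exact situation in the thread: `test` has a uidNumber, but its primary group (Domain Users, RID 513) carries no gidNumber, so the user is unusable regardless of the gidNumber on hg_allg. Giving Domain Users a gidNumber inside the range clears the report; the lower and upper bounds are parameters so the same check can be run against whatever `range` the smb.conf idmap config uses.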