idmap_ad problem and workaround

Joe Maloney jpm820 at gmail.com
Tue Jan 26 18:48:56 UTC 2016

Hello all,
Samba Version 4.1.21 on 8 servers as member servers configured with
idmap_ad.  I have all the RFC2307 attributes configured for every user, and
group.  I wrote a script to ensure that.  I have scripts in place to make
sure I don't have duplicates, show users without attributes, etc.  I also
filter out the users I don't want to see by placing them outside of the
range set aside for idmap_ad, and outside of the range used by samba.

In the last few weeks, users belonging to the domain users group quit working.
Only users who have previously been added to domain admins show up with
getent passwd.  All groups show up.  I know this had to be a change at the
active directory level because it was working.  Suddenly each server just
stopped working like a domino effect on different days, all within the same

If I temporarily add a user to domain admins, and then remove that access,
it fixes the problem.  Even if I reboot the server the user remains fixed,
so it's not just a temporary issue.  Has anyone ever seen anything like
this?  I am willing to upgrade to a newer samba version.  I am just trying
for my own sanity to figure out what may have caused the issue when things
have been working for months without issue.

Joe Maloney

