[Samba] idmap_ad problem and workaround

Rowland Penny rpenny at samba.org
Tue Jan 26 19:35:30 UTC 2016

On 26/01/16 18:48, Joe Maloney wrote:
> Hello all,
> Samba Version 4.1.21 on 8 servers as member servers configured with
> idmap_ad.  I have all the RFC2307 attributes configured for every user, and
> group.  I wrote a script to ensure that.  I have scripts in place to make
> sure I don't have duplicates, show users without attributes, etc.  I also
> filter out the users I don't want to see by placing them outside of the
> range set aside for idmap_ad, and outside of the range used by samba.
> In the last few weeks users belonging to the domain users group quit working.
> Only users who have been previously added to domain admins show up with
> getent passwd.  All groups show up.  I know this had to be a change at the
> active directory level because it was working.  Suddenly each server just
> stopped working like a domino effect on different days all within the same
> week.
> If I temporarily add a user to domain admins, and then remove that access
> it fixes the problem.  Even if I reboot the server the user remains fixed
> so it's not just a temporary issue.  Has anyone ever seen anything like
> this?  I am willing to upgrade to a newer samba version.  I am just trying
> for my own sanity to figure out what may have caused the issue when things
> have been working for months without issue.
> Joe Maloney

I think you need to give us some more info: what are the DCs running?
Can we see an smb.conf from the member servers, this type of thing.
