[Samba] Failed to find domain Unix Group

Data Control Systems - Mike Elkevizth mike at datacontrolsystems.com
Wed Jul 13 02:48:03 UTC 2016


I forgot to mention in the previous post, I do not have any of the "idmap
config" parameters in the smb.conf on any of the DCs.  I only use those
parameters on member servers.  I would try commenting those out on your
DC(s) and restarting samba and see if that helps.

Mike E.


On Tue, Jul 12, 2016 at 10:20 PM, Carlos A. P. Cunha <
carlos.hollow at gmail.com> wrote:

> Can return old id, returning the old values (changed the most at least
> two months)
>
> idmap config *: backend = tdb
> idmap config *:range = 5000-16777216
> idmap config SERVERAD: backend = rid
> idmap config SERVERAD: range = 5000-33554431
>
> The error stopped also, but I think the fact that a group has the same ID
> / GID as the user is due to the idmap values crossing; even so,
> I changed them (mentioned above)
>
> Thank you
>
> On 12-07-2016 18:26, Data Control Systems - Mike Elkevizth wrote:
>
> I had the same (or similar) issue on my DCs with the gid being 100 and the
> uids being in the 3000000 range.   I'm not sure if you've already set these
> in your smb.conf, but the relevant section in mine is:
>
> idmap_ldb:use rfc2307 = yes
> # only needed so AD users can log into the DC locally
> template shell = /bin/bash
> winbind use default domain = yes
> winbind enum users  = yes
> winbind enum groups = yes
>
> I also have to use the command 'net cache flush' on a semi-regular basis
> (I run it via a cron job), or it seems that the DCs will eventually revert
> back to the incorrect mappings.  I'm guessing that what happens is that
> winbind checks for the rfc2307 value and for some reason it doesn't get a
> response and then it adds an entry into the idmap.ldb file.  Winbind then
> seems to prefer the idmap.ldb entry over the rfc2307 values.  I'm not sure
> about all the details, but it works for me.
>
> Mike E.
>
>
> On Tue, Jul 12, 2016 at 4:58 PM, Rowland penny <rpenny at samba.org> wrote:
>
>> On 12/07/16 21:46, Carlos A. P. Cunha wrote:
>>
>>>
>>> Note: This working because I had to change all the permissions and the
>>> files were left with various "waste" of old permissions.
>>>
>>>
>>> Thanks
>>>
>>>
>>> On 12-07-2016 17:44, Carlos A. P. Cunha wrote:
>>>
>>>>
>>>> Hello!
>>>> Sorry for the confusion this where SERVER is SERVERAD(right)
>>>> At the time this all to work, but still followed the message! Errors in
>>>> logs.
>>>> And I'm afraid to change again.
>>>>
>>>> : - |
>>>>
>>>>
>>>> On 12-07-2016 17:40, Rowland penny wrote:
>>>>
>>>>> OK, you posted your smb.conf from your fileserver, it contained these
>>>>> lines:
>>>>>
>>>>> workgroup = SERVER
>>>>>
>>>>> and
>>>>>
>>>>> idmap config SERVERAD: backend = rid
>>>>> # I changed values for test
>>>>> idmap config SERVERAD: range = 1000000000 to 9999999999
>>>>>
>>>>> I understand you changed the workgroup to post your smb.conf, but are
>>>>> the actual names for 'SERVER' and 'SERVERAD' the same in your smb.conf,
>>>>> because they should be.
>>>>>
>>>>> This doesn't explain why you are getting private groups, could you
>>>>> check your AD to see if the groups exist.
>>>>>
>>>>
>>>>
>>>
>> I don't understand how your users/groups changed their IDs, on the DC
>> RIDs are mapped and stored in idmap.ldb, you are also using the winbind
>> 'rid' backend and again, the user/group IDs are mapped from the RID by the
>> algorithm:
>>
>>  ID = RID - BASE_RID + LOW_RANGE_ID
>>
>> The BASE_RID is '0' so this becomes:
>>
>> ID = RID + LOW_RANGE_ID
>>
>> So unless you changed the range in smb.conf, your user/group IDs
>> shouldn't change.
>>
>> I still don't understand where your private groups are coming from,
>> unless, are you running sssd or nslcd as well as winbindd ??
>>
>> Rowland
>>
>>
>
>
>
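
Added example, not part of the thread and not Samba's own code: a Python check that parses the `idmap config` lines quoted above, reports domains whose ID ranges intersect, and applies the rid formula Rowland gives. The function names and the use of RID 513 as sample input are assumptions made for the illustration.

```python
import re
from itertools import combinations

# Constructed sample: the four idmap lines quoted in the thread.
SAMPLE_CONF = """\
idmap config *: backend = tdb
idmap config *:range = 5000-16777216
idmap config SERVERAD: backend = rid
idmap config SERVERAD: range = 5000-33554431
"""

# "idmap config DOMAIN : option = value", tolerant of the spacing seen above.
LINE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$")

def parse_idmap(conf):
    """Return {domain: {"backend": str, "range": (low, high)}}."""
    domains = {}
    for line in conf.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        domain, key, value = m.groups()
        entry = domains.setdefault(domain, {})
        if key == "range":
            low, high = (int(p) for p in re.split(r"\s*-\s*", value))
            entry["range"] = (low, high)
        else:
            entry[key] = value
    return domains

def overlapping_ranges(domains):
    """Domain pairs whose ranges intersect, so two principals can get one ID."""
    ranged = sorted((d, e["range"]) for d, e in domains.items() if "range" in e)
    return [(a, b) for (a, ra), (b, rb) in combinations(ranged, 2)
            if ra[0] <= rb[1] and rb[0] <= ra[1]]

def rid_to_id(rid, low, high, base_rid=0):
    """ID = RID - BASE_RID + LOW_RANGE_ID; None when the result leaves the range."""
    mapped = rid - base_rid + low
    return mapped if low <= mapped <= high else None

if __name__ == "__main__":
    conf = parse_idmap(SAMPLE_CONF)
    print("overlapping:", overlapping_ranges(conf))
    low, high = conf["SERVERAD"]["range"]
    # 513 is the well-known Domain Users RID.
    print("gid with low=5000: ", rid_to_id(513, low, high))
    print("gid with low=10000:", rid_to_id(513, 10000, high))
```

Because the mapped ID depends only on the RID and the low end of the range, moving the range renumbers every user and group, while files already on disk keep the old numeric owners.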
