[Samba] Failed to find domain Unix Group

Rowland penny rpenny at samba.org
Wed Jul 13 13:32:34 UTC 2016


On 13/07/16 13:33, Carlos A. P. Cunha wrote:
>
> I got it, so it must have been the problem ..
> Strange that changed it more than one month at least.
> Having these values now, how do you think I do?
> Leave it or change at least the idmap config * values: range?
>
> I understand the parameters:
>
> idmap config *: range = Range of the Ids are User system
>
> idmap config SERVERAD: range: DC User Range
>
> Thank you
>
>
> On 13-07-2016 05:16, Rowland penny wrote:
>> On 13/07/16 03:20, Carlos A. P. Cunha wrote:
>>>
>>> Can return old id, returning the old values (changed the most at 
>>> least two months)
>>>
>>> idmap config *: backend = tdb
>>> idmap config *:range = 5000-16777216
>>> idmap config SERVERAD: backend = rid
>>> idmap config SERVERAD: range = 5000-33554431
>>>
>>> The error parrou also, but I think the fact that a group with the 
>>> same ID / GID if the User to the fact that the idmap values be 
>>> crossing, even so I changed them (mentioned above)
>>>
>>> Thank you
>>>
>>>
>>
>> Do not change the lower range value on a Samba fileserver once set, 
>> you can raise the upper value, but there is a proviso, the ranges 
>> must not overlap. This means your lines above are invalid, they both 
>> start at '5000' and the entire '*' range is inside the 'SERVERAD' range.
>>
>> If you change the lower range and you are using the 'rid' backend, 
>> all your IDs will change.
>>
>> Rowland
>>
>

OK, you need to find out just who owns what on your systems, if you find 
that something belongs to a number or to a user that it shouldn't, then 
you have problems.

If you look on the Samba wiki page for setting up a domain member, you 
will find this for using the 'rid' backend:

        # Default idmap config used for BUILTIN and local accounts/groups
        idmap config *:backend = tdb
        idmap config *:range = 2000-9999

        # idmap config for domain SAMDOM
        idmap config SAMDOM:backend = rid
        idmap config SAMDOM:range = 10000-99999


The ranges were chosen for a reason, the '*' range '2000-9999' is large 
enough for any Windows SID-RIDS that need mapping and leaves room below 
the range for any local Unix users that may be required. The domain 
range starts at '10000', this is also the standard start number if you 
use ADUC & the Unix Attributes tab. If needed, the range can be extended 
by raising '99999' to whatever is required, this can be done whenever 
required, just don't change '10000'.

If practicable, you could use the above ranges, but if it takes less 
work to keep the ranges you are using now, then stay with them, what I 
am trying to say is, go with whatever is easiest, just make sure that 
ranges do not overlap.

Rowland


