[Samba] Failed to find domain Unix Group
Rowland penny
rpenny at samba.org
Wed Jul 13 13:32:34 UTC 2016
On 13/07/16 13:33, Carlos A. P. Cunha wrote:
>
> I got it, so it must have been the problem ..
> Strange that changed it more than one month at least.
> Having these values now, how do you think I do?
> Leave it or change at least the idmap config * values: range?
>
> I understand the parameters:
>
> idmap config *: range = Range of the Ids are User system
>
> idmap config SERVERAD: range: DC User Range
>
> Thank you
>
>
> On 13-07-2016 05:16, Rowland penny wrote:
>> On 13/07/16 03:20, Carlos A. P. Cunha wrote:
>>>
>>> Can return old id, returning the old values (changed the most at
>>> least two months)
>>>
>>> idmap config *: backend = tdb
>>> idmap config *:range = 5000-16777216
>>> idmap config SERVERAD: backend = rid
>>> idmap config SERVERAD: range = 5000-33554431
>>>
>>> The error stopped also, but I think the fact that a group with the
>>> same ID / GID if the User to the fact that the idmap values be
>>> crossing, even so I changed them (mentioned above)
>>>
>>> Thank you
>>>
>>>
>>
>> Do not change the lower range value on a Samba fileserver once set,
>> you can raise the upper value, but there is a proviso, the ranges
>> must not overlap. This means your lines above are invalid, they both
>> start at '5000' and the entire '*' range is inside the 'SERVERAD' range.
>>
>> If you change the lower range and you are using the 'rid' backend,
>> all your IDs will change.
>>
>> Rowland
>>
>
OK, you need to find out just who owns what on your systems, if you find
that something belongs to a number or to a user that it shouldn't, then
you have problems.

If you look on the Samba wiki page for setting up a domain member, you
will find this for using the 'rid' backend:

    # Default idmap config used for BUILTIN and local accounts/groups
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999

    # idmap config for domain SAMDOM
    idmap config SAMDOM:backend = rid
    idmap config SAMDOM:range = 10000-99999

The ranges were chosen for a reason, the '*' range '2000-9999' is large
enough for any Windows SID-RIDs that need mapping and leaves room below
the range for any local Unix users that may be required. The domain
range starts at '10000', this is also the standard start number if you
use ADUC & the Unix Attributes tab. If needed, the range can be extended
by raising '99999' to whatever is required, this can be done whenever
required, just don't change '10000'.

If practicable, you could use the above ranges, but if it takes less
work to keep the ranges you are using now, then stay with them, what I
am trying to say is, go with whatever is easiest, just make sure that
ranges do not overlap.

Rowland
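
Added example (not part of the original message and not Samba's own code): a small Python check that reads the 'idmap config ...:range' lines quoted in this thread, reports overlapping ranges, and shows why moving the lower bound of a 'rid' range changes every mapped ID. The function names and the RID value 1105 are assumptions made for illustration; the mapping formula is the one documented for idmap_rid with base_rid at its default of 0.

```python
import re

# Lines as posted in the thread (invalid) and from the Samba wiki (valid).
THREAD_CONF = """
idmap config *: backend = tdb
idmap config *:range = 5000-16777216
idmap config SERVERAD: backend = rid
idmap config SERVERAD: range = 5000-33554431
"""
WIKI_CONF = """
# Default idmap config used for BUILTIN and local accounts/groups
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config SAMDOM:backend = rid
idmap config SAMDOM:range = 10000-99999
"""

RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
    re.IGNORECASE)

def parse_ranges(conf_text):
    """Return {domain: (low, high)} for each 'idmap config X:range' line."""
    ranges = {}
    for line in conf_text.splitlines():
        m = RANGE_RE.match(line)  # comment and backend lines do not match
        if m:
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges

def find_overlaps(ranges):
    """Return sorted (domain, domain) pairs whose ranges share any ID."""
    items = sorted(ranges.items(), key=lambda kv: kv[1])
    found = []
    for i, (dom_a, (_, hi_a)) in enumerate(items):
        for dom_b, (lo_b, _) in items[i + 1:]:
            if lo_b <= hi_a:  # next range starts before this one ends
                found.append(tuple(sorted((dom_a, dom_b))))
    return sorted(found)

def rid_to_unix_id(rid, low, high, base_rid=0):
    """idmap_rid formula: ID = RID - BASE_RID + LOW_RANGE_ID (None if outside range)."""
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None

if __name__ == "__main__":
    for name, conf in (("thread", THREAD_CONF), ("wiki", WIKI_CONF)):
        print(name, "overlaps:", find_overlaps(parse_ranges(conf)) or "none")
    # RID 1105 is a constructed sample value; moving the low bound moves the ID.
    print(rid_to_unix_id(1105, 10000, 99999), rid_to_unix_id(1105, 5000, 33554431))
```

An overlap matters on a file server because two different SIDs can then resolve to the same Unix ID, so file ownership and ACL entries stop identifying a single account.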