[Samba] Failed to find domain Unix Group

Carlos A. P. Cunha carlos.hollow at gmail.com
Thu Jul 14 13:16:53 UTC 2016


Hello!! Hehehe
Then, as I already changed the values and had a problem, my idea is to 
leave everything as it was, the two:

idmap config *: range = 5000-16777216
idmap config SERVERAD: range = 5000-33554431


It has been running for more than one year and problems occurred only when I 
changed it. I know the right thing is to leave the range as you passed it, but I 
cannot have the ID change issues again (they caused much headache).

So my remaining doubt is: if I only change
idmap config *: range =
to a lower value such as 2000-4500, what impact can I have?
Since this is not the range of the DC users.

Thank you again.


On 14-07-2016 09:36, Rowland penny wrote:
> On 14/07/16 13:32, Carlos A. P. Cunha wrote:
>>
>> Hello!
>> Any opinion on that?
>> Thank you
>>
>>
>> On 13-07-2016 10:52, Carlos A. P. Cunha wrote:
>>>
>>> Thank you for the explanation.
>>> Yes, it was a mistake to leave my two ranges that way; because of the ID 
>>> change, I will leave the low range as it was, to have no problems
>>> idmap config SERVERAD: range = 5000-33554431
>>>
>>> The range above I'm thinking of changing to something like
>>> idmap config *: range = 2000-4500
>>>
>>> So as not to overlap.
>>>
>>> But will it not cause the ID-swapping problem again? Since 
>>> before both started at 50000
>>>
>>> The next server will not make this mistake.
>>>
>>> Final doubt, I promise heheh :-D
>>>
>>> Thanks
>>>
>>>
>>> On 13-07-2016 10:32, Rowland penny wrote:
>>>> On 13/07/16 13:33, Carlos A. P. Cunha wrote:
>>>>>
>>>>> I got it, so that must have been the problem...
>>>>> Strange, since I changed it at least more than one month ago.
>>>>> Having these values now, what do you think I should do?
>>>>> Leave it, or change at least the idmap config *: range values?
>>>>>
>>>>> As I understand the parameters:
>>>>>
>>>>> idmap config *: range = range of the IDs of system users
>>>>>
>>>>> idmap config SERVERAD: range = DC user range
>>>>>
>>>>> Thank you
>>>>>
>>>>>
>>>>> On 13-07-2016 05:16, Rowland penny wrote:
>>>>>> On 13/07/16 03:20, Carlos A. P. Cunha wrote:
>>>>>>>
>>>>>>> I was able to get the old IDs back by restoring the old values (changed 
>>>>>>> at least two months ago)
>>>>>>>
>>>>>>> idmap config *: backend = tdb
>>>>>>> idmap config *:range = 5000-16777216
>>>>>>> idmap config SERVERAD: backend = rid
>>>>>>> idmap config SERVERAD: range = 5000-33554431
>>>>>>>
>>>>>>> The error also stopped, but I think the fact that a group had 
>>>>>>> the same ID / GID as the user was due to the idmap values 
>>>>>>> crossing, even so I changed them (mentioned above)
>>>>>>>
>>>>>>> Thank you
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> Do not change the lower range value on a Samba fileserver once 
>>>>>> set, you can raise the upper value, but there is a proviso, the 
>>>>>> ranges must not overlap. This means your lines above are invalid, 
>>>>>> they both start at '5000' and the entire '*' range is inside the 
>>>>>> 'SERVERAD' range.
>>>>>>
>>>>>> If you change the lower range and you are using the 'rid' 
>>>>>> backend, all your IDs will change.
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>>
>>>>
>>>> OK, you need to find out just who owns what on your systems, if you 
>>>> find that something belongs to a number or to a user that it 
>>>> shouldn't, then you have problems.
>>>>
>>>> If you look on the Samba wiki page for setting up a domain member, 
>>>> you will find this for using the 'rid' backend:
>>>>
>>>>         # Default idmap config used for BUILTIN and local accounts/groups
>>>>         idmap config *:backend = tdb
>>>>         idmap config *:range = 2000-9999
>>>>
>>>>         # idmap config for domain SAMDOM
>>>>         idmap config SAMDOM:backend = rid
>>>>         idmap config SAMDOM:range = 10000-99999
>>>>
>>>> The ranges were chosen for a reason, the '*' range '2000-9999' is 
>>>> large enough for any windows SID-RIDS that need mapping and leaves 
>>>> room below the range for any local Unix users that may be required. 
>>>> The domain range starts at '10000', this is also the standard start 
>>>> number if you use ADUC & the Unix Attributes tab. If needed, the 
>>>> range can be extended by raising '99999' to whatever is required, 
>>>> this can be done whenever required, just don't change '10000'
>>>>
>>>> If practicable, you could use the above ranges, but if it takes 
>>>> less work to keep the ranges you are using now, then stay with 
>>>> them, what I am trying to say is, go with whatever is easiest, just 
>>>> make sure that ranges do not overlap.
>>>>
>>>> Rowland
>>>>
>>>
>>
>
> Sorry, didn't realise you were asking a question :-[
>
> As long as the ranges do not overlap and you can work around any 
> possible problems (note: I am not saying you will have problems, but 
> possibly may have problems), then, the range you suggest will work.
>
> Rowland
>
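
A check for the non-overlap rule discussed in this thread, as an added example that is not part of the original messages: it parses `idmap config ... range` lines from smb.conf text, reports overlapping ranges, and applies the mapping formula documented in idmap_rid(8) (ID = RID - BASE_RID + LOW_RANGE_ID) to show why moving the lower bound shifts every ID. The function names and the sample RID 1105 are constructed for illustration.

```python
import re
from itertools import combinations

# Matches e.g. "idmap config SERVERAD: range = 5000-33554431"
RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+([^:\s]+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
    re.IGNORECASE,
)

def parse_ranges(conf_text):
    """Return {domain: (low, high)} for every 'idmap config X:range' line."""
    ranges = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):  # smb.conf comment lines
            continue
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges

def find_overlaps(ranges):
    """Return pairs of domains whose inclusive ID ranges intersect."""
    return [
        (a, b)
        for (a, (lo_a, hi_a)), (b, (lo_b, hi_b)) in combinations(sorted(ranges.items()), 2)
        if lo_a <= hi_b and lo_b <= hi_a
    ]

def rid_to_id(rid, low, high, base_rid=0):
    """idmap_rid mapping: ID = RID - BASE_RID + LOW_RANGE_ID; None if out of range."""
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None

# Configuration quoted in the thread (both ranges start at 5000).
THREAD_CONF = """
idmap config *: backend = tdb
idmap config *:range = 5000-16777216
idmap config SERVERAD: backend = rid
idmap config SERVERAD: range = 5000-33554431
"""
# Change proposed in the thread: only the '*' range moves below the domain range.
PROPOSED_CONF = THREAD_CONF.replace("5000-16777216", "2000-4500")

if __name__ == "__main__":
    for name, conf in (("thread", THREAD_CONF), ("proposed", PROPOSED_CONF)):
        print(name, parse_ranges(conf), "overlaps:", find_overlaps(parse_ranges(conf)))
    # Constructed RID 1105: a different lower bound yields a different Unix ID.
    print(rid_to_id(1105, 5000, 33554431), rid_to_id(1105, 10000, 99999))
```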


