[Samba] Failed to find domain Unix Group

Carlos A. P. Cunha carlos.hollow at gmail.com
Fri Jul 15 12:53:56 UTC 2016 

Hello!

I changed to


idmap config *: range = 2000-4500

The BUILTIN:

uid=5500(administrator) gid=5513(domain users) groups=5513(domain 
users),5500(administrator),5520(group policy creator 
owners),5519(enterprise admins),9130(servad-1 $ acronis remote 
users),6530(kladmins),5518(schema admins),5512(domain 
admins),*2001(BUILTIN\users),2000(BUILTIN\administrators)*

I think this will get better then, so do not have overlapping values


Em 14-07-2016 10:16, Carlos A. P. Cunha escreveu:
>
> Hello!! Hehehe
> Then, as already changed the values and problem had my idei and leave 
> everything as it was, the two
>
> idmap config *: range = 5000-16777216
> idmap config SERVERAD: range = 5000-33554431
>
>
> It is running more than one year and occurred only problems that I 
> changed, I know the right and leave the range as you passed, but I can 
> not have the ID change issues again (caused much headache).
>
> So I was in doubt even if the only change
> idmap config *: range =
> to a lower value as 2000-4500, which impacts can I have?
> Since this is not the range of DC User.
>
> Thank you again.
>
>
> Em 14-07-2016 09:36, Rowland penny escreveu:
>> On 14/07/16 13:32, Carlos A. P. Cunha wrote:
>>>
>>> Hello!
>>> Any opinion on that?
>>> Thank you
>>>
>>>
>>> Em 13-07-2016 10:52, Carlos A. P. Cunha escreveu:
>>>>
>>>> Thank you for the explanation.
>>>> Yes, it was a mistake to leave my two faxias that way, by the ID 
>>>> exchange reason the low range will leave as it was to have no problems
>>>> idmap config SERVERAD: range = 5000-33554431
>>>>
>>>> The range of up'm thinking of changing to something
>>>> idmap config *: range = 2000-4500
>>>>
>>>> Not to be superimposed.
>>>>
>>>> But it will it not cause problem ids trading again? Since it was 
>>>> before both inciado in 50000
>>>>
>>>> The procimo server will not make this mistake.
>>>>
>>>> Final doubt, I promise heheh :-D
>>>>
>>>> Thanks
>>>>
>>>>
>>>> Em 13-07-2016 10:32, Rowland penny escreveu:
>>>>> On 13/07/16 13:33, Carlos A. P. Cunha wrote:
>>>>>>
>>>>>> I got it, so it must have been the problem ..
>>>>>> Strange that changed it more than one month at least.
>>>>>> Having these values now, how do you think I do?
>>>>>> Leave it or change at least the idmap config * values: range?
>>>>>>
>>>>>> I understand the parameters:
>>>>>>
>>>>>> idmap config *: range = Range of the Ids are User system
>>>>>>
>>>>>> idmap config SERVERAD: range: DC User Range
>>>>>>
>>>>>> Thank you
>>>>>>
>>>>>>
>>>>>> Em 13-07-2016 05:16, Rowland penny escreveu:
>>>>>>> On 13/07/16 03:20, Carlos A. P. Cunha wrote:
>>>>>>>>
>>>>>>>> Can return old id, returning the old values (changed the most 
>>>>>>>> at least two months)
>>>>>>>>
>>>>>>>> idmap config *: backend = tdb
>>>>>>>> idmap config *:range = 5000-16777216
>>>>>>>> idmap config SERVERAD: backend = rid
>>>>>>>> idmap config SERVERAD: range = 5000-33554431
>>>>>>>>
>>>>>>>> The error parrou also, but I think the fact that a group with 
>>>>>>>> the same ID / GID if the User to the fact that the idmap values 
>>>>>>>> be crossing, even so I changed them (mentioned above)
>>>>>>>>
>>>>>>>> Thank you
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> Do not change the lower range value on a Samba fileserver once 
>>>>>>> set, you can raise the upper value, but there is a proviso, the 
>>>>>>> ranges must not overlap. This means your lines above are 
>>>>>>> invalid, they both start at '5000' and the entire '*' range is 
>>>>>>> inside the 'SERVERAD' range.
>>>>>>>
>>>>>>> If you change the lower range and you are using the 'rid' 
>>>>>>> backend, all your IDs will change.
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>>
>>>>>
>>>>> OK, you need to find out just who owns what on your systems, if 
>>>>> you find that something belongs to a number or to a user that it 
>>>>> shouldn't, then you have problems.
>>>>>
>>>>> If you look on the Samba wiki page for setting up a domain member, 
>>>>> you will find this for using the 'rid' backend:
>>>>>
>>>>>         # Default idmap config used for BUILTIN and local accounts/groups
>>>>>         idmap config *:backend = tdb
>>>>>         idmap config *:range = 2000-9999
>>>>>
>>>>>         # idmap config for domain SAMDOM
>>>>>         idmap config SAMDOM:backend = rid
>>>>>         idmap config SAMDOM:range = 10000-99999
>>>>>
>>>>> The ranges were chosen for a reason, the '*' range '2000-9999' is 
>>>>> large enough for any windows SID-RIDS that need mapping and leaves 
>>>>> room below the range for any local Unix users that may be 
>>>>> required. The domain range starts at '10000', this is also the 
>>>>> standard start number if you use ADUC & the Unix Attributes tab. 
>>>>> If needed, the range can be extended by raising '99999' to 
>>>>> whatever is required, this can be done whenever required, just 
>>>>> don't change '10000'
>>>>>
>>>>> If practicable, you could use the above ranges, but if it takes 
>>>>> less work to keep the ranges you are using now, then stay with 
>>>>> them, what I am trying to say is, go with whatever is easiest, 
>>>>> just make sure that ranges do not overlap.
>>>>>
>>>>> Rowland
>>>>>
>>>>
>>>
>>
>> Sorry, didn't realise you were asking a question :-[
>>
>> As long as the ranges do not overlap and you can work around any 
>> possible problems (note: I am not saying you will have problems, but 
>> possibly may have problems), then, the range you suggest will work.
>>
>> Rowland
>>
>

More information about the samba mailing list