[Samba] Problem with one User after upgrade to 4.5.0

Paul R. Ganci ganci at nurdog.com
Sun Oct 9 18:55:55 UTC 2016

On 10/09/2016 12:14 PM, Rowland Penny via samba wrote:
> OK, what I was trying to get at, if you use 'uidNumbers' starting at
> '3000000' and have problems, you have no real way of knowing if it is
> an idmap problem or a problem with Samba. Using a different range makes
> it easier to tell.
> As for the uidNumbers being independent of the xidNumbers, this is
> not a problem, this is my info from AD via getent:
> root@dc1:~# getent passwd rowland
> SAMDOM\rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
Yes, I understand. When I set up the Samba DC on 4.0 I had all kinds of 
issues with the mapping. I had started with RID and then you convinced 
me to go to the AD backend several years ago (2013). Why I picked the 
numbers I did... well it seemed like a good idea at the time. More 
recently I found from the wiki that ADUC can be used to set the UNIX 
attributes which will start in the range you show. If I wanted to change 
them, is it not as simple as using ldbedit -H /var/lib/samba/private/sam.ldb 
and changing the values and then using chown to make the directories 
owned by the proper uid?
> How did you change to using winbind instead of the internal DNS server,
> did you follow the Samba wiki ?
I never was using the internal DNS server. I provisioned using BIND_DLZ 
back when I created the DC on 4.0.x. I never had a problem until more 
recently when the DNS didn't update after making changes using 
samba-tool. That is where I found the wiki 
https://wiki.samba.org/index.php/Changing_the_DNS_backend  and followed 
the instructions there. The missing element I think is

server services = -dns

I have always been using the AD backend with winbind from day one to get 
the UNIX attributes. It has worked just fine.

> I wouldn't bother changing your uidNumber attributes, now you have it
> working.
> I would like to take you to task over 'winbindd  which is adequate for
> my purposes'. Anything that sssd can do, winbind can do, in fact sssd
> uses some of the code from winbind.
I am sorry but on this point I will disagree, mostly because I have 
chosen to use CentOS 6 (moving to 7) and the sernet-samba packages. 
There have been several threads which indicate that there are problems 
using sssd working with sernet-samba. For example I just ran into the 
one described in this thread 
https://lists.samba.org/archive/samba/2015-March/190477.html - 
[Samba]sssd-ad cannot be installed with sernet samba. Moreover I spent 
several weeks trying to get this to work back in November 2013. See 
thread [Samba]User home directory UID:GID incorrect on VM Samba 4 AD 
client. I think some of the issue is that the CentOS sssd is old. Some 
of the problem is that the sernet-samba packages put stuff in unexpected 
places. Some of the install can be worked out with manually creating 
links. But ultimately I could never get sssd to pull out the 4 things... 
user shell, home directory and proper uid & gid necessary to work with 
Linux. FWIW I have always found winbind just to work, albeit there are 
limitations compared to a working sssd.

Paul (ganci at nurdog.com)
Cell: (303)257-5208