[Samba] Problem with one User after upgrade to 4.5.0

Rowland Penny rpenny at samba.org
Sun Oct 9 19:14:06 UTC 2016

On Sun, 9 Oct 2016 12:55:55 -0600
"Paul R. Ganci via samba" <samba at lists.samba.org> wrote:

> On 10/09/2016 12:14 PM, Rowland Penny via samba wrote:
> > OK, what I was trying to get at, if you use 'uidNumbers' starting at
> > '3000000' and have problems, you have no real way of knowing if it
> > is an idmap problem or a problem with Samba. Using a different
> > range makes it easier to tell.
> >
> > As for the uidNumbers being independent of the the xidNumbers, this
> > is not a problem, this is my info from AD via getent:
> >
> > root at dc1:~# getent passwd rowland
> > SAMDOM\rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
> Yes I understand. When I setup the Samba DC on 4.0 I had all kinds of 
> issues with the mapping. I had started with RID and then you
> convinced me to go to the AD backend several years ago (2013). Why I
> picked the numbers I did... well it seemed like a good idea at the
> time. More recently I found from the wiki that ADUC can be used to
> set the UNIX attributes which will start in the range you show. If I
> wanted to change is it not as simple as using ldbedit
> -H /var/lib/samba/private/sam.ldb and changing the values and then
> using chown to make the directories owned by the proper uid?

Yes, it would be as simple as that, provided you haven't got a lot of
users, if you have a lot of users, it would get monotonous.
> > How did you change to using winbind instead of the internal DNS
> > server, did you follow the Samba wiki ?
> I never was using the internal DNS server. I provisioned using
> BIND_DLZ back when I created the DC on 4.0.x. I never had a problem
> until more recently when the DNS didn't update after making changes
> using samba-tool. That is where I found the wiki 
> https://wiki.samba.org/index.php/Changing_the_DNS_backend  and
> followed the instructions there. The missing element I think is
> server services -dns

OK, I only asked because you would normally have this line in smb.conf:

server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbindd, ntp_signd, kcc, dnsupdate

if you provision with Bind9, but '-dns' means the same.

> I have always been using the AD backend with winbind from day one to
> get the UNIX attributes. It has worked just fine.
> > I wouldn't bother changing your uidNumber attributes, now you have
> > it working.
> >
> > I would like to take you to task over 'winbindd  which is adequate
> > for my purposes'. Anything that sssd can do, winbind can do, in
> > fact sssd uses some of the code from winbind.
> I am sorry but on this point I will disagree mostly because I have 
> chosen to use CentOS 6 (moving to 7) and the sernet-samba packages. 
> There have been several threads which indicate that there are
> problems using sssd working with sernet-samba. For example I just ran
> into the one described in this thread 
> https://lists.samba.org/archive/samba/2015-March/190477.html - 
> [Samba]sssd-ad cannot be installed with sernet samba. Moreover I
> spent several weeks trying to get this to work back in november 2013.
> See thread [Samba]User home directory UID:GID incorrect on VM Samba 4
> AD client. I think some of the issue is that the CentOS sssd is old.
> Some of the problem is that the sernet-samba packages put stuff in
> unexpected places. Some of the install can be worked out with
> manually creating links. But ultimately I could never get sssd to
> pull out the 4 things... user shell, home directory and proper uid &
> gid necessary to work with linux. FWIW I have always found winbind
> just to work albeit it there are limitations compared to a working
> sssd.

I think I must have misunderstood what you were trying to say, because
what you have written seems to say 'don't use sssd'.


More information about the samba mailing list