[Samba] Windows pre-requisites for login with winbind?

A. James Lewis james at fsck.co.uk
Wed Aug 23 14:39:19 UTC 2017


OK, that is the answer, but can you explain what an "RID" is from a Windows perspective?... I had thought that the mapping was not a 1-1, and it appears it is, once the idmap range is taken into account.

idmap config DOMAIN:range = 5000-300000

My UIDs appear to be offset by 5000 from the RID... but I'd love to know exactly what RID is.

Many thanks though, I probably should have tried increasing this cap earlier!

James

August 23, 2017 3:26 PM, "Rowland Penny via samba" <samba at lists.samba.org> wrote:

> On Wed, 23 Aug 2017 13:27:01 +0000
> "A. James Lewis via samba" <samba at lists.samba.org> wrote:
> 
>> I have to confess here, that on trying again, to get the error... I
>> restarted everything to ensure there were no errant messages, and now
>> installing libpam-krb5 does not cause a problem... the users are
>> assigned a kerberos ticket when logging in which is nice too...
>> 
>> I must thank you and Rowland both, since I have learned a lot about
>> how Kerberos works in this process, and debugged some issues that
>> would probably have bitten me in future.
>> 
>> However, my original problem remains!...
>> 
>> That problem is more clearly defined now, "Some users do not show up
>> with 'getent passwd username', while most do."
> 
> This is very strange, you are now using the 'rid' backend, so all your
> users (and groups) in AD should be shown by 'getent passwd username'.
> As long as they are in AD with a RID, idmap_rid should map the RID to a
> Unix ID and as long as the ID is inside the range set in smb.conf for
> the domain, they should be returned. Thinking about it, I wonder if
> this is the problem? Try sticking another 0 onto the end of the
> 'DOMAIN' high range. If that doesn't work, run this command:
> 
> wbinfo -n rowland | awk -F '-' '{print $8}' | awk '{print $1}'
> 
> Replace 'rowland' with your missing username, the output will be the
> user's RID, this plus '5000' should be inside '5000-10000'
> 
>> Those users can authenticate with Kerberos, and they are listed by
>> wbinfo... but cannot log in, since they don't have a "password file
>> entry".
> 
> The users shouldn't have a "password file entry", everything should
> come from AD via winbind.
> 
>> What I need to find out is how it is that some users can
>> authenticate, and are listed by wbinfo... BUT do not get mapped into
>> what would be the password map.
>> 
>> Could it be that one side or the other is not supporting 32 bit
>> UIDs... how would I tell?... can I query what the output of IDMAP
>> would be with something like wbinfo, rather than getent passwd... so
>> that I can see if there is an issue here?
>> 
>> How to go about debugging the IDMAP!?.
> 
> Is there anything in either the Unix logs or the Windows event logs ?
> Is there anything strange about the missing usernames, any accents,
> start with a number, that sort of thing.
> 
> Rowland

--
A. James Lewis (james at fsck.co.uk)
"Engineering does not require science. Science helps a lot but people
built perfectly good brick walls long before they knew why cement works."
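As an added example (not part of the thread, and not Samba's own code), the script below does the arithmetic Rowland describes in a form that can be run offline: it takes a line in the format `wbinfo -n <user>` prints, splits off the RID (the last sub-authority of the account's SID), reads the `idmap config DOMAIN : range` line from an smb.conf fragment, and applies the idmap_rid mapping `ID = RID - BASE_RID + LOW_RANGE_ID` (BASE_RID defaults to 0, as documented for the idmap_rid backend). A RID that lands outside the configured range gets no Unix ID at all, which is exactly the "authenticates and shows in wbinfo, but missing from getent passwd" symptom. The SIDs, usernames and smb.conf fragment are constructed for the example; the `explain_user` helper and its field names are my own.

```python
import re

# Constructed sample output in the shape of `wbinfo -n <name>`: "<SID> SID_USER (1)".
# The domain SID and RIDs are made up for this example.
SAMPLE_WBINFO_OUTPUT = {
    "alice": "S-1-5-21-1111111111-2222222222-3333333333-1105 SID_USER (1)",
    "bob":   "S-1-5-21-1111111111-2222222222-3333333333-12345 SID_USER (1)",
    "carol": "S-1-5-21-1111111111-2222222222-3333333333-350001 SID_USER (1)",
}

# Constructed smb.conf fragment mirroring the range used in the thread.
SAMPLE_SMB_CONF = """
[global]
   idmap config * : backend = tdb
   idmap config * : range = 3000-4999
   idmap config DOMAIN : backend = rid
   idmap config DOMAIN : range = 5000-300000
"""

# Domain SIDs have the form S-1-5-21-<a>-<b>-<c>-<RID>; the RID is the trailing sub-authority.
SID_RE = re.compile(r"^(S-1-5-21(?:-\d+){3})-(\d+)\b")


def split_sid(wbinfo_line):
    """Return (domain_sid, rid) from a `wbinfo -n` output line."""
    m = SID_RE.match(wbinfo_line.strip())
    if not m:
        raise ValueError(f"not a domain account SID: {wbinfo_line!r}")
    return m.group(1), int(m.group(2))


def parse_idmap_range(smb_conf, domain):
    """Extract (low, high) from 'idmap config <domain> : range = LOW-HIGH'.

    Whitespace around ':' and '-' is optional, matching what Samba accepts.
    """
    pat = re.compile(
        r"^\s*idmap\s+config\s+" + re.escape(domain)
        + r"\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
        re.IGNORECASE | re.MULTILINE,
    )
    m = pat.search(smb_conf)
    if not m:
        raise ValueError(f"no idmap range configured for domain {domain!r}")
    low, high = int(m.group(1)), int(m.group(2))
    if low > high:
        raise ValueError(f"inverted idmap range {low}-{high}")
    return low, high


def rid_to_unix_id(rid, low, high, base_rid=0):
    """idmap_rid mapping: ID = RID - BASE_RID + LOW_RANGE_ID.

    Returns None when the result falls outside [low, high]; winbind then has
    no Unix ID for the account, so it never appears in `getent passwd`.
    """
    unix_id = rid - base_rid + low
    if unix_id < low or unix_id > high:
        return None
    return unix_id


def explain_user(name, wbinfo_line, smb_conf, domain, base_rid=0):
    """Summarise why a given account does or does not get a Unix ID."""
    _, rid = split_sid(wbinfo_line)
    low, high = parse_idmap_range(smb_conf, domain)
    unix_id = rid_to_unix_id(rid, low, high, base_rid)
    # Largest RID the configured range can hold with this base_rid.
    max_rid = high - low + base_rid
    return {
        "user": name,
        "rid": rid,
        "range": (low, high),
        "unix_id": unix_id,
        "max_mappable_rid": max_rid,
        "mapped": unix_id is not None,
    }


if __name__ == "__main__":
    for user, line in SAMPLE_WBINFO_OUTPUT.items():
        info = explain_user(user, line, SAMPLE_SMB_CONF, "DOMAIN")
        if info["mapped"]:
            print(f"{user}: RID {info['rid']} -> UID {info['unix_id']}")
        else:
            print(f"{user}: RID {info['rid']} exceeds max mappable RID "
                  f"{info['max_mappable_rid']} for range {info['range']}; "
                  "winbind cannot map it, so getent passwd finds nothing")
```

With the thread's range of 5000-300000 the highest RID that can be mapped is 295000; an account created after the domain has issued that many RIDs falls off the end, and raising the high end of the range (Rowland's "stick another 0 on") is the fix. Because the mapping is pure arithmetic, the same RID always yields the same UID on every member server that shares the range, which is the 1-1 relationship James observed.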
