[Samba] ADS domain member: winbind fails [SOLVED]

Rowland Penny rpenny at samba.org
Sun Jan 1 12:29:13 UTC 2017

On Sun, 1 Jan 2017 12:46:54 +0100
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> Am 2017-01-01 um 12:25 schrieb Rowland Penny via samba:
> >> main ~ # getent passwd ads1
> >> ads1:*:13112:10513::/home/ARBEITSGRUPPE/ads1:/bin/false
> > 
> > Are these the numbers you want to use ?
> > I ask this because you are using the 'rid' backend, but will
> > probably also have uidNumber & gidNumber attributes in AD.
> As mentioned before:
> "rid" is only chosen because I switched to that while trying to make
> things work. No decision made here.
> And the numbers: same. Just copy and paste from the wiki, no choice
> made.
> >> As mentioned old users are in /etc/passwd on the member server from
> >> the time when it was the NT4-PDC. I might/should remove them from
> >> that file now?
> > 
> > Oh definitely 'should' ;-)
> > 
> > if you look in /etc/nsswitch.conf, the passwd line will be something
> > like this:
> > 
> > passwd:         compat winbind
> > 
> > This means that /etc/passwd will be checked first and any users
> > found there will be used instead of from AD, also you should not be
> > able to create new users in AD if they already exist
> > in /etc/passwd. You only need users and groups stored in one place
> > and that is AD.
> So that scares me again. rm-ing users from /etc/passwd will now change
> their UIDs because it gets them from winbindd/AD then?

Try checking in AD, as you have classicupgraded, your users should have
uidNumber attributes. Find the lowest and the highest, do the same for
groups and if you change to the 'ad' backend and set the range based on
your lowest and highest numbers (remembering you will probably want to
add new users, so add something to the highest number), you should get
the same IDs you had on the PDC. You will have to remove the users
from /etc/passwd though.

The ranges on the wiki were chosen for:
the '*' range starts at 2000 so that it allows for any local Unix users
& groups you may require, it ends at 9999.
The 'DOMAIN' range starts at 10000, this is where ADUC starts from, you
can end it where you like.

The whole idea behind AD is having just one place to maintain users,
so you do not and should not have users in multiple databases.
> In passwd I have UIDs up from 1000 as usual.
> I don't *have* to maintain the old UIDs, the admin there is perfectly
> happy if we start over with new ones and just do the initial "chown"
> and "chmod" if needed .... they just share one fat share within one
> group basically (sounds like overkill, right? ;-) )

You may feel that you need to renumber your users, but this will have
to be your decision, it all boils down to what works for you ;-)


More information about the samba mailing list