[Samba] ADS domain member: winbind fails [SOLVED]

Rowland Penny rpenny at samba.org
Sun Jan 1 13:40:52 UTC 2017

On Sun, 1 Jan 2017 13:45:11 +0100
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> On 2017-01-01 at 13:29, Rowland Penny via samba wrote:
> > Try checking in AD, as you have classicupgraded, your users should
> > have uidNumber attributes. Find the lowest and the highest, do the
> > same for groups and if you change to the 'ad' backend and set the
> > range based on your lowest and highest numbers (remembering you
> > will probably want to add new users, so add something to the
> > highest number), you should get the same IDs you had on the PDC.
> > You will have to remove the users from /etc/passwd though.
> > 
> > The ranges on the wiki were chosen for:
> > the '*' range starts at 2000 so that it allows for any local Unix
> > users & groups you may require, it ends at 9999.
> > The 'DOMAIN' range starts at 10000, this is where ADUC starts from,
> > you can end it where you like.
> > 
> > The whole idea behind AD is having just one place to maintain users,
> > so you do not and should not have users in multiple databases.
> I was bold now.
> rm-ed users from memberserver:/etc/passwd
> stopped samba services, edited backend to "ad", restarted
> seems to work for me ;-)


> same to do on DC, I assume (we run 3 administrative shares there as
> well)

If you are thinking of adding the 'idmap config' lines to the
smb.conf, then don't. On earlier versions of Samba they do nothing, but
from 4.5.0 they cause errors.
If a user has a uidNumber, this will be used on a DC instead of the
xidNumber stored in idmap.ldb, though you may have to run 'net cache
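
Added example, not part of the original message and not Samba project code: a sketch of the range-finding step described above for a domain member, taking LDIF-style search output and producing the 'idmap config' lines. The sample LDIF, the domain name EXAMPLE, the headroom value and the 'tdb' backend for the '*' range are assumptions; the overlap check is there because idmap ranges must not overlap, otherwise file ownership on the member can resolve to the wrong account.

```python
import re

# Constructed sample input: LDIF-style search output with uidNumber/gidNumber.
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=com
uidNumber: 10003

dn: CN=bob,CN=Users,DC=example,DC=com
uidNumber: 10250

dn: CN=Domain Users,CN=Users,DC=example,DC=com
gidNumber: 10000

dn: CN=staff,CN=Users,DC=example,DC=com
gidNumber: 10120
"""

STAR_RANGE = (2000, 9999)  # the '*' range from the wiki, as quoted in the message

def collect_ids(ldif):
    """Return (attribute, value, dn) for each uidNumber/gidNumber found."""
    found, dn = [], None
    for line in ldif.splitlines():
        if line.startswith("dn: "):
            dn = line[4:]
            continue
        m = re.match(r"(uidNumber|gidNumber):\s*(\d+)\s*$", line)
        if m:
            found.append((m.group(1), int(m.group(2)), dn))
    return found

def plan_range(ids, headroom=5000):
    """Lowest ID to highest ID, plus headroom for users added later."""
    values = [v for _, v, _ in ids]
    if not values:
        raise ValueError("no uidNumber/gidNumber attributes found")
    return min(values), max(values) + headroom

def overlaps(a, b):
    """True when two inclusive ranges share at least one ID."""
    return a[0] <= b[1] and b[0] <= a[1]

def render(domain, low, high, star=STAR_RANGE):
    """Build the member-server idmap lines; refuse overlapping ranges."""
    if overlaps((low, high), star):
        raise ValueError(f"{low}-{high} overlaps '*' range {star[0]}-{star[1]}")
    return "\n".join([
        "idmap config * : backend = tdb",
        f"idmap config * : range = {star[0]}-{star[1]}",
        f"idmap config {domain} : backend = ad",
        f"idmap config {domain} : range = {low}-{high}",
    ])

if __name__ == "__main__":
    print(render("EXAMPLE", *plan_range(collect_ids(SAMPLE_LDIF))))
```

If the IDs carried over from the PDC fall inside 2000-9999, render() raises, and the '*' range has to be moved so the two do not overlap.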

