[Samba] ADS domain member: winbind fails [SOLVED]
rpenny at samba.org
Sun Jan 1 13:40:52 UTC 2017
On Sun, 1 Jan 2017 13:45:11 +0100
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
> On 2017-01-01 at 13:29, Rowland Penny via samba wrote:
> > Try checking in AD, as you have classicupgraded, your users should
> > have uidNumber attributes. Find the lowest and the highest, do the
> > same for groups and if you change to the 'ad' backend and set the
> > range based on your lowest and highest numbers (remembering you
> > will probably want to add new users, so add something to the
> > highest number), you should get the same IDs you had on the PDC.
> > You will have to remove the users from /etc/passwd though.
> > The ranges on the wiki were chosen for:
> > the '*' range starts at 2000 so that it allows for any local Unix
> > users & groups you may require, it ends at 9999.
> > The 'DOMAIN' range starts at 10000, this is where ADUC starts from,
> > you can end it where you like.
> > The whole idea behind AD is having just one place to maintain users,
> > so you do not and should not have users in multiple databases.
> I was bold now.
> rm-ed users from memberserver:/etc/passwd
> stopped samba services, edited backend to "ad", restarted
> seems to work for me ;-)
> same to do on DC, I assume (we run 3 administrative shares there as
If you are thinking of adding the 'idmap config' lines to the
smb.conf, then don't. On earlier versions of Samba they do nothing, but
from 4.5.0 they cause errors.
If a user has a uidNumber, this will be used on a DC instead of the
xidNumber stored in idmap.ldb, though you may have to run 'net cache