[Samba] ADS domain member: winbind fails [SOLVED]

Stefan G. Weichinger lists at xunil.at
Sun Jan 1 15:37:41 UTC 2017

On 2017-01-01 at 16:04, Rowland Penny via samba wrote:

> So it looks like you only have 77 users, but cannot have any local Unix
> users because your Unix users start at 1000. How do you feel about changing
> the uidNumbers ? 

feels scary and I'd like to avoid that :-)

> if so, the easiest way will be to open the AD database
> with ldbedit:
> ldbedit -e nano -H /usr/local/samba/private/sam.ldb
> Then search through the file for 'uidNumber' and then change the
> contents, I would just add a '0' after the first digit i.e. '1077'
> would become '10077'

And that won't break things??

> Remove the uidNumber that contains '0'

I just had a look via ldbedit, yes, that points to:

distinguishedName: CN=root,CN=Users,DC=arbeitsgruppe,......

> check that Domain Users has a gidNumber attribute and that it contains
> a number in the 10000 range

It doesn't have that attribute as far as I see.
Do I just add that line?

> finally change 'idmap config ARBEITSGRUPPE:range = 1000-9999' to 'idmap
> config ARBEITSGRUPPE:range = 10000-99999' and put the 'idmap config
> SAMDOM : schema_mode = rfc2307' line back.
> restart the Samba daemons, run 'net cache flush' again then run 'getent
> passwd sgw'

Feeling like a blind brain surgeon already ;-)
I have to prepare myself mentally :-)

>> But the group is wrong.
>> # wbinfo --group-info 'domain users'
>> domain users:x:4294967295:
>> What to correct here, please?
> What is in the 'user.map' ?

I followed


# cat user.map
!root = ARBEITSGRUPPE\Administrator
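
Added example, not part of the original message or of Samba: a read-only check that can be run on an LDIF export of the directory before and after the ID changes discussed above. It lists every uidNumber/gidNumber outside the idmap range and reports a missing gidNumber on Domain Users. The sample LDIF, the DC=example,DC=test names and the `audit` function are constructed for illustration.

```python
import re

# Constructed sample in the "attribute: value" layout of an LDIF export.
SAMPLE_LDIF = """\
dn: CN=root,CN=Users,DC=example,DC=test
sAMAccountName: root
uidNumber: 0

dn: CN=sgw,CN=Users,DC=example,DC=test
sAMAccountName: sgw
uidNumber: 1077

dn: CN=alice,CN=Users,DC=example,DC=test
sAMAccountName: alice
uidNumber: 10078

dn: CN=Domain Users,CN=Users,DC=example,DC=test
sAMAccountName: Domain Users
"""

PLAIN = re.compile(r"^([A-Za-z][\w;-]*): (.*)$")  # base64 ("attr:: ...") lines are skipped

def parse_ldif(text):
    """Return one dict per record: lower-cased attribute name -> list of values."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            m = PLAIN.match(line)
            if m:
                rec.setdefault(m.group(1).lower(), []).append(m.group(2).strip())
        if "dn" in rec:
            records.append(rec)
    return records

def audit(text, low=10000, high=99999, need_gid=("Domain Users",)):
    """List (account, attribute, value) for IDs outside low..high or a missing gidNumber."""
    findings = []
    for rec in parse_ldif(text):
        name = rec.get("samaccountname", rec["dn"])[0]
        for attr in ("uidnumber", "gidnumber"):
            for value in rec.get(attr, []):
                if not value.isdigit() or not low <= int(value) <= high:
                    findings.append((name, attr, value))
        if name in need_gid and "gidnumber" not in rec:
            findings.append((name, "gidnumber", "missing"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LDIF):
        print(*finding)
```

The `low` and `high` arguments should match the `idmap config ARBEITSGRUPPE:range` line in smb.conf; an empty result means every exported ID falls inside that range.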
