[Samba] Domain Users group with multiple gid

Clemente Aguiar ca-mlsamba at arditi.pt
Thu Apr 12 17:06:40 UTC 2018

> On 10/04/2018, at 15:04, Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Tue, 10 Apr 2018 14:46:50 +0100
> Clemente Aguiar <ca-mlsamba at arditi.pt> wrote:
>>> I don't have that many users and I really want to fix it, and I
>>> don't have a problem with fixing file ownership.
> If you do change them, you will have to reset ownership of any files &
> dirs
>>> You say "just remove the uidNumber & gidNumber attributes", does
>>> this mean that new IDs will be assigned automatically?
> They possibly have been allocated already, but if not, then yes. There
> is a bit of a gotcha though, if you have more than one DC, they will
> probably get different Unix IDs on each DC.
>>> And most important, can you tell me exactly how to do this (remove
>>> the uidNumber & gidNumber attributes), i.e. what are the commands, I
>>> would really appreciate. Like I said in the initial post, I have
>>> little knowledge about Samba4.
> The easiest way would be to use ldbedit on the DC. Open a terminal and
> enter this:
> ldbedit -e nano -H /usr/local/samba/private/sam.ldb
> Replace 'nano' with your favourite editor and
> '/usr/local/samba/private' with the path to 'sam.ldb' on your system.
> Search for all instances of 'uidNumber' & 'gidNumber' and delete them
> all (remove the entire line and close up the gap)
> Save and close the editor, your users & groups will get new 'xidNumber'
> attributes in idmap.ldb as they connect to AD.
> Rowland

Hi Rowland,

Just to let you know a few things.

First, based on the command that you mentioned, I viewed idmap.ldb and searched for the duplicate id (1901) and there it was.
Removed the entire record, and the initial problem that I reported (duplicate gid for Domain Users) was fixed.

This is the record I removed:
# record 133
dn: CN=S-1-5-21-1969551146-1524703261-742246316-513
cn: S-1-5-21-1969551146-1524703261-742246316-513
objectClass: sidMap
objectSid: S-1-5-21-1969551146-1524703261-742246316-513
xidNumber: 1901
distinguishedName: CN=S-1-5-21-1969551146-1524703261-742246316-513

Secondly, I tried removing the uidNumber attribute from one user (myself) on a test machine and when saving I got the following error:

failed to modify CN=Clemente Aguiar,CN=Users,DC=arditi,DC=pt - objectclass_attrs: at least one mandatory attribute ('uidNumber') on entry 'CN=Clemente Aguiar,CN=Users,DC=arditi,DC=pt' wasn't specified!

So I suppose that I cannot fix the low id numbers as you mentioned.
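
Added example (not part of the original message, and not Samba project code): a way to find this kind of mismatch without paging through ldbedit, by comparing LDIF dumps of idmap.ldb and sam.ldb, such as ldbsearch prints, and listing every SID whose uidNumber/gidNumber in sam.ldb differs from its xidNumber in idmap.ldb. It assumes the second ID comes from an attribute set in sam.ldb; the function names and the sample records are constructed for illustration.

```python
# Added example: flag SIDs whose sam.ldb uidNumber/gidNumber differs from idmap.ldb.
def parse_ldif(text):
    """Return LDIF records as dicts mapping attribute -> list of values."""
    records, current, last = [], {}, None
    for line in text.splitlines():
        if not line.strip():                      # blank line ends a record
            records.append(current)
            current, last = {}, None
        elif line.startswith(" ") and last:       # folded continuation line
            current[last][-1] += line[1:]
        elif not line.startswith("#") and ": " in line:
            last, value = line.split(": ", 1)     # "attr:: base64" keys are never matched below
            current.setdefault(last, []).append(value.strip())
    return [r for r in records + [current] if r]  # drop empty records

def id_conflicts(idmap_ldif, sam_ldif):
    """List (sid, attr, sam_value, xid) where sam.ldb and idmap.ldb disagree."""
    xids = {r["objectSid"][0]: int(r["xidNumber"][0])
            for r in parse_ldif(idmap_ldif)
            if "objectSid" in r and "xidNumber" in r}
    conflicts = []
    for rec in parse_ldif(sam_ldif):
        sid = rec.get("objectSid", [None])[0]
        for attr in ("uidNumber", "gidNumber"):
            for value in rec.get(attr, []):
                if sid in xids and int(value) != xids[sid]:
                    conflicts.append((sid, attr, int(value), xids[sid]))
    return conflicts

# Constructed sample dumps (SIDs, DNs and the sam.ldb gidNumber are made up).
IDMAP_SAMPLE = """\
# record 1
dn: CN=S-1-5-21-1111111111-2222222222-3333333333-513
objectSid: S-1-5-21-1111111111-2222222222-3333333333-513
xidNumber: 1901

dn: CN=S-1-5-21-1111111111-2222222222-3333333333-1104
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1104
xidNumber: 3000020
"""
SAM_SAMPLE = """\
dn: CN=Domain Users,CN=Users,DC=example,DC=com
objectSid: S-1-5-21-1111111111-2222222222-3333333333-513
gidNumber: 10000
"""

if __name__ == "__main__":
    for sid, attr, sam_id, xid in id_conflicts(IDMAP_SAMPLE, SAM_SAMPLE):
        print(f"{sid}: {attr}={sam_id} in sam.ldb but xidNumber={xid} in idmap.ldb")
```

Any SID it reports owns files under two different numeric IDs, so ownership has to be reset after whichever record is removed.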

