[Samba] 4.5 -> 4.8 samba fails to start

L.P.H. van Belle belle at bazuin.nl
Wed Jun 20 13:09:55 UTC 2018

> also think that Debian did a very stupid thing 
> when they
> gave 'nobody' the ID of '65534', but you just have to work around it.

Good point here, i'll drop that also at the debian samba bug list. 

Totaly forgot about nobody and uid 65534.. 
In dutch.. "Het kwartje valt...." ( A penny drops.. ) hihi.. 
But its  "it finally makes sense"  
... why people on debian have problem with nobody, i never use nobody.

Haha (sorry about that joke) :-p 
I could not resist that..  Please forgive me :-)



> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Rowland Penny via samba
> Verzonden: woensdag 20 juni 2018 14:57
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] 4.5 -> 4.8 samba fails to start
> On Wed, 20 Jun 2018 12:52:00 +0200
> L.P.H. van Belle <belle at bazuin.nl> wrote:
> > Hai Rowland, 
> > 
> > Can you reply on this list message with an "adviced" member AD
> > settting? ( see also ) 
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=899269 
> > 
> > I always go wrong the the vfs settings. 
> > 
> OK, lets start with, Samba recommends using 'winbind' on Unix domain
> members, it does not supply or support using sssd. That doesn't mean
> there is anything wrong with sssd, it just isn't a Samba product and
> virtually anything sssd can do, winbind can do.
> When you create a Unix domain member, you will have several groups
> of users & groups stored in several places, these are:
> The local Unix system users and groups, these will have IDs in the
> '0-999' range (note: red-hat used to use '0-500')
> Next comes the local Unix users and groups, these will start at ID
> '1000'
> Finally you will need a couple of ranges for:
> A) The 'Well known SIDs' and anything outside the Domain
> B) The Domain (or Domains) users and groups
> I hope you can see that the AD users and groups IDs cannot start from
> less than '1000', though starting at such a low number would mean that
> you couldn't have ANY local Unix users or groups and you need a few
> local Unix users, just in case something drastic goes wrong with AD.
> So, what I recommend is, use '1000-2999' for local Unix users &
> groups, '3000-7999' for the 'Well known SIDS' and anything outside the
> Domain and start the main AD DOMAIN at '10000' (which is, 
> incidentally,
> the number Microsoft chose).
> This leads to lines such as these in smb.conf:
>     idmap config *:backend = tdb
>     idmap config *:range = 3000-7999
>     idmap config SAMDOM : backend = rid
>     idmap config SAMDOM : range = 10000-999999
> NOTE: There is also the 'ad' backend, but I will not go into 
> that here,
> we are discussing 'ranges' and it is just a matter of adding a few
> extra lines and these depend on your Samba version.
> There is advice out there that says that you should put the '*' range
> above the 'SAMDOM' range, but there is a problem with this. There are
> less than 200 'Well Known SIDs' and if you do put the '*' range above
> the 'SAMDOM' range, what happens if your number of users grows to the
> point that it reaches the low end of the '*' range ? Whereas, if the
> '*' range is below the 'SAMDOM' range, it will never get in the way.
> As an aside, I also think that Debian did a very stupid thing 
> when they
> gave 'nobody' the ID of '65534', but you just have to work around it.
> I would also suggest you read this:
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> Rowland
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list