[Samba] Problems after upgrade from Samba3/OpenLDAP to Samba4 - New Useraccounts aren't properly working

Rowland Penny rpenny at samba.org
Wed Jan 23 13:04:08 UTC 2019

On Wed, 23 Jan 2019 13:10:04 +0100 (CET)
Jens Günther <guenther at soscomp.de> wrote:

> Thank you so much for your replies. In the meantime, I was able to
> talk to the consultant again, who - as you already suspect - did the
> "classicupgrade" with us. He explained to me that we changed from
> rfc2307 to rid after the classic upgrade. 

Did he explain why you changed to the winbind 'rid' backend ?
Whilst this would have changed all folder & file ownerships on any Unix
domain members, it wouldn't have affected your windows clients.

> Here is a snippet of our
> smb.conf:
>         winbind enum users = yes
>         winbind enum groups = yes

Did he also not advise you that the above two lines should only be used
for testing purposes?

>         winbind use default domain = yes
>         winbind refresh tickets = yes
>         # winbind nss info = rfc2307
>         template shell = /bin/bash
>         ## idmap config for domain DOM
>         #idmap config DOM:backend = rid
>         #idmap config DOM:schema_mode = rfc2307
>         #idmap config DOM:range = 40000-49999
>         idmap backend = tdb
>         idmap config * : range = 900000 - 999999

There is absolutely no reason for allowing for '99,999' users or groups
in the '*' domain, to be honest '999' is too much.

>         idmap config DOM : backend = rid
>         idmap config DOM : range = 400000 - 499999

When was the 'DOM' changed from '40000-49999' to '400000-499999' ?

Have any files or folders been created since the change? Were any
created before the change?

> Also a snippet of our nsswitch.conf:
> /etc/nsswitch.conf looks like
> passwd: files winbind
> group: files winbind
> shadow: files winbind

Remove 'winbind' from the shadow line, it shouldn't be there.

> After installing the UNIX Attribute tab in the RSAT by reinstalling
> the "Server for NIS Tools" feature on the management server, I
> noticed that the UIDs/GIDs must have stayed the same before the
> switch to RID. At least for the users other UIDs are displayed in the
> Unix attribute tab. The home path is also wrong. It points to the old
> one before the change. We would be very pleased about further
> solution suggestions. Many thanks in advance for your efforts!

When you ran classicupgrade, it created your users & groups with the
same uidNumber & gidNumber attributes as your old PDC. When you changed
to the 'rid' backend (again, why?), these attributes would just have
been ignored and not removed.

As to how to fix this ?
This depends on how long ago the upgrade was carried out, the amount of
data you have and what the ownership of this data (files & folders on
Unix) is (i.e. does it all show ownership by the correct name, or is
some of it owned by the wrong name or a number).
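
The ownership check asked about above, as an added example that is not part of the original message or of Samba: it walks a tree and counts entries by which of the idmap ranges quoted in this thread the owner uid falls in, and by whether that uid resolves to a name. The function names and the sample uids are assumptions made for this example.

```python
import os
import pwd
import sys
from collections import Counter

# ID ranges taken from the smb.conf snippets quoted in this thread.
RANGES = [
    ("old DOM range 40000-49999", 40000, 49999),
    ("current DOM rid range 400000-499999", 400000, 499999),
    ("'*' tdb range 900000-999999", 900000, 999999),
]
OUTSIDE = "outside the idmap ranges"

def classify_id(xid):
    """Name the idmap range from the thread that a numeric uid/gid falls in."""
    for label, low, high in RANGES:
        if low <= xid <= high:
            return label
    return OUTSIDE

def resolves(uid):
    """True if NSS (files + winbind) maps uid to a name, so ls shows a name."""
    try:
        pwd.getpwuid(uid)
        return True
    except KeyError:
        return False

def owner_uids(root):
    """Yield the owner uid of every file and directory below root."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            yield os.lstat(os.path.join(dirpath, name)).st_uid

def summarize(uids, resolver=resolves):
    """Count entries per (range label, owner resolves to a name)."""
    return Counter((classify_id(u), resolver(u)) for u in uids)

if __name__ == "__main__":
    # Usage: script.py /path/to/share ; without a path, constructed uids are used.
    SAMPLE = [45000, 45000, 401105, 900001, 1000]  # constructed sample uids
    uids = owner_uids(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for (label, named), n in sorted(summarize(uids).items()):
        print(f"{n:8d}  {label:38s} {'name' if named else 'number only'}")
```

Entries reported as "number only" are the ones `ls -l` shows with a numeric owner on that domain member.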

