[Samba] Problems with groups, minimum gidnumber?

Rowland penny rpenny at samba.org
Fri May 15 13:32:55 UTC 2020

On 15/05/2020 13:48, Harald Hannelius wrote:
> I created a script that looped on 'getent passwd' from the old DC. It 
> called samba-tool and pdbedit to add the users;
> samba-tool user create $username Some2pass/e --use-username-as-cn 
> --nis-domain=sad --unix-home=$home --uid-number=$uid 
> --login-shell=/bin/bash --gid-number=100 --given-name="${givenname}" 
> --surname="${surname}" --gecos "$gecos"
> pdbedit --set-nt-hash=$passhash $username

Two things wrong with that: you do not need to use pdbedit to set the 
user's password, the samba-tool command does it for you, and you have set 
every user's gidNumber to '100'. The '100' comes from idmap.ldb on a DC:

dn: CN=S-1-5-21-1768301897-3342589593-1064908849-513
cn: S-1-5-21-1768301897-3342589593-1064908849-513
objectClass: sidMap
objectSid: S-1-5-21-1768301897-3342589593-1064908849-513
xidNumber: 100
distinguishedName: CN=S-1-5-21-1768301897-3342589593-1064908849-513

This is where 'Domain Users' (the RID 513) is mapped to '100' (the Unix 
ID for the 'users' group).

Unless you have added a gidNumber attribute containing '100' to a group 
in AD, no users have a group, but even if you have, the '100' is less 
than the DOMAIN low range '500', so it and all users will be ignored.

If you are now saying "but I do get users", then you probably have the 
same users in AD and /etc/passwd; this is not allowed, delete them from 

>>> I have some 300 + groups that I'm trying to get migrated to our 
>>> Samba 4 AD.
>> Why do you need over 300 groups?
> We have an intra filesystem that is over 15 years old.
And you are trying to make AD work like your old ldap ;-)
>>> I can create the groups, but it looks from the domain-member's side 
>>> that groups don't work as I expect them to.

Please read this: 

and this: https://wiki.samba.org/index.php/Idmap_config_ad
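As an added illustration of the point made above (this is example code written for this page, not Rowland's or the Samba project's), the following Python checker parses an idmap.ldb-style LDIF dump and a set of user/group gidNumber assignments and reports which Unix IDs fall below the domain member's idmap low range and which users point at a gidNumber no AD group carries. The idmap.ldb entry for RID 513 is the one quoted in the reply; the range 500-999999, the group list and the user list are constructed assumptions, not values from any real domain, and a real domain member would take the range from its 'idmap config DOM : range' setting and the users and groups from AD.

```python
"""Check Unix ID assignments against the idmap range a Samba domain member uses.

The idmap.ldb entry for RID 513 (Domain Users, xidNumber 100) is taken from
the mailing list reply. The range, the AD groups and the AD users below are
constructed examples (assumptions) used to exercise the checks offline.
"""
from typing import Dict, List, Tuple

# Constructed: the domain's idmap range as it would appear in
# 'idmap config DOM : range = 500-999999' on a domain member.
IDMAP_RANGE: Tuple[int, int] = (500, 999999)

# Copied from the reply: how 'Domain Users' is mapped in idmap.ldb on a DC.
IDMAP_LDIF = """\
dn: CN=S-1-5-21-1768301897-3342589593-1064908849-513
cn: S-1-5-21-1768301897-3342589593-1064908849-513
objectClass: sidMap
objectSid: S-1-5-21-1768301897-3342589593-1064908849-513
xidNumber: 100
distinguishedName: CN=S-1-5-21-1768301897-3342589593-1064908849-513
"""

# Constructed AD groups: name -> gidNumber attribute (None when unset).
# 'legacy' deliberately carries 100 to show that a group with gidNumber 100
# does not help when 100 is below the idmap low range.
AD_GROUPS: Dict[str, int] = {"Domain Users": None, "staff": 10500, "legacy": 100}

# Constructed users: username -> gidNumber as set with
# 'samba-tool user create ... --gid-number=N'.
AD_USERS: Dict[str, int] = {"alice": 100, "bob": 10500, "carol": 20000}


def parse_ldif(text: str) -> List[Dict[str, str]]:
    """Parse a minimal single-valued LDIF dump (blank line separates entries)."""
    entries: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries


def in_range(xid: int, rng: Tuple[int, int] = IDMAP_RANGE) -> bool:
    """True when xid lies inside the domain member's idmap range (inclusive)."""
    low, high = rng
    return low <= xid <= high


def check_idmap(ldif: str = IDMAP_LDIF, rng: Tuple[int, int] = IDMAP_RANGE) -> List[str]:
    """Return the SIDs whose xidNumber a domain member with this range would ignore."""
    return [
        entry["objectSid"]
        for entry in parse_ldif(ldif)
        if not in_range(int(entry["xidNumber"]), rng)
    ]


def check_users(
    users: Dict[str, int] = AD_USERS,
    groups: Dict[str, int] = AD_GROUPS,
    rng: Tuple[int, int] = IDMAP_RANGE,
) -> Dict[str, str]:
    """Classify each user's primary gidNumber.

    'ok'          -> inside the range and some AD group carries that gidNumber
    'below-range' -> below the low end of the range: the user will be ignored
    'above-range' -> above the high end of the range: likewise ignored
    'no-group'    -> inside the range, but no AD group has this gidNumber
    """
    known_gids = {gid for gid in groups.values() if gid is not None}
    verdict: Dict[str, str] = {}
    for user, gid in users.items():
        if not in_range(gid, rng):
            verdict[user] = "below-range" if gid < rng[0] else "above-range"
        elif gid not in known_gids:
            verdict[user] = "no-group"
        else:
            verdict[user] = "ok"
    return verdict


if __name__ == "__main__":
    for sid in check_idmap():
        print(f"idmap.ldb: {sid} maps outside {IDMAP_RANGE}, will be ignored")
    for user, state in check_users().items():
        print(f"{user}: {state}")
```

Running it reports the RID 513 mapping as outside the range, 'alice' as below-range (even though a constructed group carries gidNumber 100), 'bob' as ok and 'carol' as no-group. The range check is applied before the group lookup on purpose: that ordering is what makes a gidNumber of 100 useless regardless of whether a group in AD has been given it.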
