[Samba] Problem with AD & idmap

Rowland Penny rpenny at samba.org
Wed Mar 2 13:11:33 UTC 2022

On Wed, 2022-03-02 at 13:31 +0100, Lars Schimmer via samba wrote:
> Hi
> After cleaning up a domain (remove old Computer and users from the
> AD),
> removing smbV1 from the Win2016 servers and getting a new krbtgtkey
> (with the ms provided PS script), our samba AD bind is somewhat
> broken.

Have you tried leaving the domain and then re-joining ?

>   idmap config * : backend = tdb
>   idmap config * : range = 99000000-99999999
>   #idmap config for the XYZ domain
>   idmap config XYZ:backend = ad
>   #idmap config XYZ:schema_mode = template
>   idmap config XYZ:schema_mode = rfc2307
>   idmap config XYZ:range = 100-98999999

If the uidNumbers in AD start at '1000', then the low range for 'XYZ'
should start at '1000'

> It worked until we did cleanup the domain.
> Now we miss the users.
> With wbinfo -u /-g we do see all users and groups.

wbinfo just shows that the users exist in AD, it doesn't mean that
winbind will find them and pass this info to the OS.

> With getent group it shows the groups with a gid added, including
> Domain
> Users.
> With getent passwd it shows the local users and ONLY the members of
> the
> Administrator group, no other user.
> (removing the idmap config XYZ:range = 100-98999999 shows more
> users,
> but not all)

Don't do that, it puts everything into the default domain and they do
not belong there.

> All users should be in the uidnumber 1000-9999 range (not all Domain
> users do have the uidnumber, but the tested ones do have, as they do
> show up in wbinfo -u).

Any users that do not have a uidNumber will be ignored.

> wbinfo -u does show user schimmer.
> While trying to resolve the user, we get errors:
> wbinfo -i schimmer
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user schimmer
> wbinfo -n schimmer
> S-1-5-21-606634686-2143625475-3072335171-1502 SID_USER (1)
> wbinfo -S S-1-5-21-606634686-2143625475-3072335171-1502
> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert sid S-1-5-21-606634686-2143625475-3072335171-1502
> to uid
> Logfile tells me:
> idmap_ad_sids_to_unixids: No xid in CN=Lars
> Schimmer,DC=cgv,DC=tugraz,DC=at
> So, what's the xid here, which is missing?
> And why does it show the members of the administrator group and not
> all
> users, which are all (even the administrators) in the Domain Users
> group?
> Anyone have a tip on how to go on to fix this?

Try re-joining and if this fails, please post your entire smb.conf.
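The two checks the reply turns on (the 'XYZ' range must contain every uidNumber and must not overlap the '*' default range, and a user with no uidNumber is simply not mapped) can be done offline before touching the join. The following is an added example, not code from the thread or from Samba: it takes the idmap lines quoted above as a constructed smb.conf excerpt and a constructed dictionary standing in for the uidNumber attribute read from AD (the user names and values other than 'schimmer' are invented).

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed smb.conf excerpt: the idmap lines quoted in the thread.
SMB_CONF = """
idmap config * : backend = tdb
idmap config * : range = 99000000-99999999
idmap config XYZ:backend = ad
idmap config XYZ:schema_mode = rfc2307
idmap config XYZ:range = 100-98999999
"""

# Constructed stand-in for the uidNumber attribute of AD users.
# None models the "No xid in CN=..." case: winbind will ignore that user.
AD_USERS: Dict[str, Optional[int]] = {
    "schimmer": 1502,       # inside the XYZ range: maps fine
    "alice": 1000,
    "svc_backup": None,     # no uidNumber in AD
    "bob": 99000005,        # falls in the '*' range, not in XYZ's
}

IDMAP_RE = re.compile(r"^\s*idmap config\s+([^\s:]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Collect 'idmap config DOMAIN : key = value' lines, keyed by domain."""
    out: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            out.setdefault(m.group(1), {})[m.group(2).lower()] = m.group(3)
    return out

def parse_range(spec: str) -> Tuple[int, int]:
    """'100-98999999' -> (100, 98999999)."""
    lo, hi = (int(x) for x in spec.split("-"))
    return lo, hi

def check_idmap(conf: str, users: Dict[str, Optional[int]], domain: str) -> List[str]:
    """Return findings: overlapping ranges, missing uidNumbers, ids outside the domain range."""
    ranges = {d: parse_range(c["range"]) for d, c in parse_idmap(conf).items() if "range" in c}
    dom_lo, dom_hi = ranges[domain]
    findings: List[str] = []
    for other, (lo, hi) in ranges.items():
        if other != domain and lo <= dom_hi and dom_lo <= hi:
            findings.append(f"range of '{domain}' overlaps range of '{other}'")
    for name, uid in users.items():
        if uid is None:
            findings.append(f"{name}: no uidNumber in AD, winbind will not map this user")
        elif not dom_lo <= uid <= dom_hi:
            findings.append(f"{name}: uidNumber {uid} outside '{domain}' range {dom_lo}-{dom_hi}")
    return findings
```

With the values above, `check_idmap(SMB_CONF, AD_USERS, "XYZ")` flags svc_backup and bob and nothing else; a user it does not flag should resolve with `wbinfo -i` once the join is healthy.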