[Samba] Problem with AD & idmap

Lars Schimmer l.schimmer at cgv.tugraz.at
Thu Mar 3 11:05:32 UTC 2022

On 02.03.2022 at 16:18, Rowland Penny via samba wrote:
> On Wed, 2022-03-02 at 15:59 +0100, Lars Schimmer via samba wrote:
>> Yeah, but why? Isn't the rix needed?
> There are uidNumber, gidNumber and xidNumber attributes. The xidNumber
> attributes are only found and used on a Samba AD DC. I am not really
> into 'C', but it looks to me that the relevant code is run on all
> Samba machines, so you get the debug message on a Unix domain member if
> the debug level is turned up too high.

Ok, thx. Nothing for us with Win AD servers.

>>> Have you tried running 'net cache flush' ?
>> yeah, each time I did a change to the smb.conf, I did restart smb,
>> winbind and net cache flush.
>> Also did reboot several times. The result is always the same.
>> With RID backend I get the users, with ad backend not.
> Have you actually looked in AD, does Domain Users have a gidNumber
> attribute? Do your users have the primaryGroupID attribute set to
> '513'? Do the relevant users have a uidNumber attribute?

Why 513?
The Domain Users group does have a separate gid and that's the primary 
group for all users, which all users do have set as gid.

> The fact that the 'rid' idmap backend works, shows that Samba is
> working. When you change to the 'ad' backend and it doesn't work,
> usually means that there is something wrong with the uidNumber &
> gidNumber attributes in AD.
> Try running 'testparm -s', this may show errors.

Yeah, that's the strange part. It did work with the AD config until we did 
clean up (remove accounts), disable SMBv1 and change KrbTGTKey.
So we did not change any UID or GID.
And even if, as I did read the above thread correctly, a UID and GID in 
range for any user should be enough to work, but it does not for any 
user, except the admins.
And that's strange.

testparm -s shows the same as smb.conf: correct network, smbv2 protocol, idmap 
ranges as expected.

Do we need separate user/group ranges in samba config?

> Rowland

Lars Schimmer
TU Graz, Institut für ComputerGraphik & WissensVisualisierung
Tel: +43 316 873-5405       E-Mail: l.schimmer at cgv.tugraz.at
Fax: +43 316 873-5402       PGP-Key-ID: 0x4A9B1723
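
The checks listed in the quoted reply above (uidNumber on the users, gidNumber on the group that primaryGroupID points at), as an added example that is not part of the original thread or of Samba's code. It audits constructed directory records in Python and assumes the idmap_ad default `unix_primary_group = no` and an invented idmap range of 10000-999999.

```python
# Added example: audit AD records the way the 'ad' idmap backend needs them.
# Attribute names are the real AD ones; every value below is constructed.
DOMAIN_RANGE = (10000, 999999)  # assumed "idmap config DOM : range" value

GROUPS = [  # rid = last component of the group's objectSid
    {"cn": "Domain Admins", "rid": 512, "gidNumber": 10512},
    {"cn": "Domain Users", "rid": 513, "gidNumber": None},
    {"cn": "staff", "rid": 1105, "gidNumber": 10001},
]
USERS = [
    {"sAMAccountName": "admin1", "uidNumber": 10500, "primaryGroupID": 512},
    {"sAMAccountName": "alice", "uidNumber": 10010, "primaryGroupID": 513},
    {"sAMAccountName": "bob", "uidNumber": 500, "primaryGroupID": 1105},
    {"sAMAccountName": "carol", "uidNumber": None, "primaryGroupID": 1105},
]

def in_range(value, id_range):
    """True if value lies inside the inclusive idmap range."""
    return id_range[0] <= value <= id_range[1]

def check_user(user, groups, id_range):
    """Return the reasons this user would not be mapped (empty list = OK)."""
    problems = []
    uid = user["uidNumber"]
    if uid is None:
        problems.append("no uidNumber")
    elif not in_range(uid, id_range):
        problems.append(f"uidNumber {uid} outside range")
    # With unix_primary_group = no, the primary group comes from
    # primaryGroupID (a RID), and that group must carry a gidNumber in range.
    by_rid = {g["rid"]: g for g in groups}
    primary = by_rid.get(user["primaryGroupID"])
    if primary is None:
        problems.append(f"primary group RID {user['primaryGroupID']} not found")
    elif primary["gidNumber"] is None:
        problems.append(f"primary group '{primary['cn']}' has no gidNumber")
    elif not in_range(primary["gidNumber"], id_range):
        problems.append(f"gidNumber {primary['gidNumber']} outside range")
    return problems

def audit(users, groups, id_range):
    """Map each account name to its list of problems."""
    return {u["sAMAccountName"]: check_user(u, groups, id_range) for u in users}

if __name__ == "__main__":
    for name, problems in audit(USERS, GROUPS, DOMAIN_RANGE).items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

In practice the records would come from an LDAP export of the domain rather than the inline lists.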