Discussion:
[Samba] Failed to find domain Unix Group
Carlos A. P. Cunha
2016-07-12 19:03:38 UTC
Hello!

My file server is running Ubuntu with Samba 4.3.0, and today the
problem started that my IDs have changed, and this caused countless problems.
In the logs I have the following:

Jul 12 15:57:07 samba fileserver winbindd [1141] [07.12.2016 15:57:07.605992, 0] ../source3/winbindd/winbindd_group.c:45(fill_grent)
Jul 12 15:57:07 samba fileserver winbindd [1141]: Failed to find domain 'Unix Group'. Check connection to trusted domains!
Jul 12 15:57:07 samba fileserver winbindd [1141] [07.12.2016 15:57:07.606582, 0] ../source3/winbindd/winbindd_group.c:45(fill_grent)
Jul 12 15:57:07 samba fileserver winbindd [1141]: Failed to find domain 'Unix Group'. Check connection to trusted domains!
Jul 12 15:57:07 samba fileserver winbindd [1141] [07.12.2016 15:57:07.739510, 0] ../source3/winbindd/winbindd_group.c:45(fill_grent)
Jul 12 15:57:07 samba fileserver winbindd [1141]: Failed to find domain 'Unix Group'. Check connection to trusted domains!
Jul 12 15:57:07 samba fileserver winbindd [1141] [07.12.2016 15:57:07.743113, 0] ../source3/winbindd/winbindd_group.c:45(fill_grent)
Jul 12 15:57:07 samba fileserver winbindd [1141]: Failed to find domain 'Unix Group'. Check connection to trusted domains!


my smb.conf

[global]

netbios name = FILESERVER
workgroup = SERVER
security = ADS

realm = MYDOMAIN
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab


idmap config *: backend = tdb
# I changed values for test
idmap config *: range = 100000-9999999
idmap config SERVERAD: backend = rid
# I changed values for test
idmap config SERVERAD: range = 1000000000-9999999999
idmap_ldb: use RFC2307 = Yes

winbind nss info = RFC2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = Yes
winbind cache time = 10

# Needed for Fileserver
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

# Disable Cups
load printers = no
printing = bsd
printcap name = /dev/null
spoolss disable = yes


I think the problem is that the IDs are conflicting with the system:

id user01
uid=11458(user01) gid=10513(domain users) groups=10513(domain users),11458(user01),18249(almox_grupo),5001(BUILTIN\users)


Thanks!!
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Carlos A. P. Cunha
2016-07-12 19:34:48 UTC
Hello!
My user is only in AD; in passwd I see some (system) users with a high GID
in the same range as Samba.

Example:
statd:x:108:65534::/var/lib/nfs:/bin/false

My fear is that it changes again and I lose all the permissions again,
which I had to redo entirely ...

Thank you
Hi, your 'id' command is showing this: uid = 11458(user01) and groups
= 11458(user01)
How is this occurring ?
Do you have a user or group called 'user01' in AD that is also in
/etc/passwd ?
If this is the case, you need to decide which one to keep and delete
the other, users/groups cannot exist in AD and /etc/passwd.
Rowland
Carlos A. P. Cunha
2016-07-12 20:01:59 UTC
Hello!
I see what you mean, but it seems that all my users are like this. Example:

id suporteti
uid=11575(suporteti) gid=10513(domain users) groups=10513(domain users),11575(suporteti),5001(BUILTIN\users)

id consinco
uid=12982(consinco) gid=10513(domain users) groups=10513(domain users),12982(consinco),5001(BUILTIN\users)

On my DC, the output of id:

id suporteti
uid=3000515(SERVER\suporteti) gid=100(users) groups=100(users),3000515(SERVER\suporteti),3000001(BUILTIN\users)

id consinco
uid=3000516(SERVER\consinco) gid=100(users) groups=100(users),3000516(SERVER\consinco),3000001(BUILTIN\users)

Yes, all my user IDs have changed ...

:-(



Post by Carlos A. P. Cunha
id user01
uid=11458(user01) gid=10513(domain users) groups=10513(domain users),11458(user01),18249(almox_grupo),5001(BUILTIN\users)
uid=10000(rowland) gid=10000(domain_users)
groups=10000(domain_users),102(netdev),2001(BUILTIN\users)
Notice the big difference, I do not have a private group like
'user01', where is your users private group coming from ?
You also seem to be bothered by the user/group '65534', this is the
Unix user/group nobody/nogroup and is only worth bothering about if
and when you get to the AD user/group 65534.
Or am I totally missing the point and all your AD users have changed
ID number ?
Carlos A. P. Cunha
2016-07-12 20:44:17 UTC
Hello!
Sorry for the confusion; where it says SERVER it is SERVERAD (right).
At the moment this is all working, but the message still continues! Errors in
logs.
And I'm afraid it will change again.

:-|
OK, you posted your smb.conf from your fileserver, it contained these
workgroup = SERVER
and
idmap config SERVERAD: backend = rid
# I changed values for test
idmap config SERVERAD: range = 1000000000-9999999999
I understand you changed the workgroup to post your smb.conf, but are
the actual names for 'SERVER' and 'SERVERAD' the same in your
smb.conf, because they should be.
This doesn't explain why you are getting private groups, could you
check your AD to see if the groups exist.
Carlos A. P. Cunha
2016-07-12 20:46:08 UTC
Note: This is working because I had to change all the permissions, and the
files were left with various "waste" of old permissions.


Thanks
Carlos A. P. Cunha
2016-07-12 20:56:50 UTC
Note 2: About 5 days ago I upgraded my DC to Samba 4.4.5, but my I went in
version 4.3.


Thanks
Carlos A. P. Cunha
2016-07-12 21:18:37 UTC
I am using the internal Samba winbind.

Could changes in the values of the rid IDs have caused this?

Thanks
I don't understand how your users/groups changed their IDs, on the DC
RIDs are mapped and stored in idmap.ldb, you are also using the
winbind 'rid' backend and again, the user/group IDs are mapped from the RID by the
ID = RID - BASE_RID + LOW_RANGE_ID
ID = RID + LOW_RANGE_ID
So unless you changed the range in smb.conf, your user/group IDs
shouldn't change.
I still don't understand where your private groups are coming from,
unless, are you running sssd or nslcd as well as winbindd ??
Rowland
Data Control Systems - Mike Elkevizth
2016-07-12 21:26:46 UTC
I had the same (or similar) issue on my DCs with the gid being 100 and the
uids being in the 3000000 range. I'm not sure if you've already set these
in your smb.conf, but the relevant section in mine is:

idmap_ldb:use rfc2307 = yes
template shell = /bin/bash #only needed so AD users can log into the DC locally
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes

I also have to use the command 'net cache flush' on a semi-regular basis (I
run it via a cron job), or it seems that the DCs will eventually revert
back to the incorrect mappings. I'm guessing that what happens is that
winbind checks for the rfc2307 value and for some reason it doesn't get a
response and then it adds an entry into the idmap.ldb file. Winbind then
seems to prefer the idmap.ldb entry over the rfc2307 values. I'm not sure
about all the details, but it works for me.

Mike E.
Carlos A. P. Cunha
2016-07-13 02:20:52 UTC
Data Control Systems - Mike Elkevizth
2016-07-13 02:48:03 UTC
I forgot to mention in the previous post, I do not have any of the "idmap
config" parameters in the smb.conf on any of the DCs. I only use those
parameters on member servers. I would try commenting those out on your
DC(s) and restarting samba and see if that helps.

Mike E.


Post by Carlos A. P. Cunha
I could return to the old IDs by restoring the old values (changed at
least two months ago)
idmap config *: backend = tdb
idmap config *:range = 5000-16777216
idmap config SERVERAD: backend = rid
idmap config SERVERAD: range = 5000-33554431
The error also stopped, but I think the fact that there is a group with the
same ID/GID as the user is due to the idmap values crossing; even so
I changed them (mentioned above)
Thank you
Carlos A. P. Cunha
2016-07-13 02:50:35 UTC
Carlos A. P. Cunha
2016-07-13 12:33:21 UTC
I got it, so that must have been the problem ...
Strange, since I changed it more than one month ago at least.
Having these values now, what do you think I should do?
Leave it, or change at least the idmap config *: range values?

I understand the parameters as:

idmap config *: range = range of the IDs of the system users

idmap config SERVERAD: range = range of the DC users

Thank you
Do not change the lower range value on a Samba fileserver once set,
you can raise the upper value, but there is a proviso, the ranges must
not overlap. This means your lines above are invalid, they both start
at '5000' and the entire '*' range is inside the 'SERVERAD' range.
If you change the lower range and you are using the 'rid' backend, all
your IDs will change.
Rowland
Carlos A. P. Cunha
2016-07-13 13:52:08 UTC
Thank you for the explanation.
Yes, it was a mistake to leave my two ranges that way. Because of the ID
change, I will leave the low range as it was, to have no problems:
idmap config SERVERAD: range = 5000-33554431

The upper one I'm thinking of changing to something like
idmap config *: range = 2000-4500

So as not to be superimposed.

But will it not cause the problem of IDs changing again? Since before
both started at 50000

On the next server I will not make this mistake.

Final question, I promise heheh :-D

Thanks
OK, you need to find out just who owns what on your systems, if you
find that something belongs to a number or to a user that it
shouldn't, then you have problems.
If you look on the Samba wiki page for setting up a domain member, you
# Default idmap config used for BUILTIN and local accounts/groups
idmap config *:backend = tdb
idmap config *:range = 2000-9999
# idmap config for domain SAMDOM
idmap config SAMDOM:backend = rid
idmap config SAMDOM:range = 10000-99999
The ranges were chosen for a reason, the '*' range '2000-9999' is
large enough for any windows SID-RIDS that need mapping and leaves
room below the range for any local Unix users that may be required.
The domain range starts at '10000', this is also the standard start
number if you use ADUC & the Unix Attributes tab. If needed, the range
can be extended by raising '99999' to whatever is required, this can
be done whenever required, just don't change '10000'
If practicable, you could use the above ranges, but if it takes less
work to keep the ranges you are using now, then stay with them, what I
am trying to say is, go with whatever is easiest, just make sure that
ranges do not overlap.
Rowland
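The two rules stated in Rowland's replies above (rid-backend IDs are computed as ID = RID - BASE_RID + LOW_RANGE_ID, and idmap ranges must not overlap) can be checked before smb.conf is edited on a file server. The following is an added example, not part of the original posts and not Samba's own code; the function names are hypothetical, BASE_RID is assumed to be 0, and RIDs 500 and 513 are the well-known Administrator and Domain Users RIDs.

```python
import re

# Ranges quoted in the thread that Rowland flagged as invalid.
OVERLAPPING = """
[global]
idmap config *: backend = tdb
idmap config *:range = 5000-16777216
idmap config SERVERAD: backend = rid
idmap config SERVERAD: range = 5000-33554431
"""

# Layout quoted in the thread from the Samba wiki domain member page.
WIKI = """
[global]
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config SAMDOM:backend = rid
idmap config SAMDOM:range = 10000-99999
"""

_LINE = re.compile(r"^\s*idmap\s+config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(conf):
    """Return {domain: {"backend": str, "low": int, "high": int}} from smb.conf text."""
    domains = {}
    for line in conf.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue  # skip comment lines
        m = _LINE.match(line)
        if not m:
            continue
        dom, key, value = m.group(1), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(dom, {})
        if key == "backend":
            entry["backend"] = value
        elif key == "range":
            low, high = (int(p) for p in re.split(r"\s*-\s*", value, maxsplit=1))
            entry["low"], entry["high"] = low, high
    return domains


def find_overlaps(domains):
    """Return pairs of idmap domains whose Unix ID ranges intersect."""
    ranged = sorted((d["low"], d["high"], name)
                    for name, d in domains.items() if "low" in d)
    hits = []
    for i, (_, hi_a, a) in enumerate(ranged):
        for lo_b, _, b in ranged[i + 1:]:
            if lo_b <= hi_a:  # b starts before a ends
                hits.append((a, b))
    return hits


def rid_to_id(rid, low, high, base_rid=0):
    """ID = RID - BASE_RID + LOW_RANGE_ID; None when the result leaves the range."""
    if rid < base_rid:
        return None
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None


def moved_ids(rids, old, new):
    """Return {rid: (old_id, new_id)} for every RID whose Unix ID differs
    between two range settings (dicts with "low" and "high")."""
    moved = {}
    for rid in rids:
        before = rid_to_id(rid, old["low"], old["high"])
        after = rid_to_id(rid, new["low"], new["high"])
        if before != after:
            moved[rid] = (before, after)
    return moved


if __name__ == "__main__":
    for label, conf in (("thread config", OVERLAPPING), ("wiki config", WIKI)):
        print(label, "overlaps:", find_overlaps(parse_idmap(conf)))
    old = parse_idmap(OVERLAPPING)["SERVERAD"]
    # Moving the lower bound re-numbers every account, so files on disk
    # end up owned by IDs that no longer resolve to the same principal.
    print("low bound 5000 -> 10000:",
          moved_ids([500, 513], old, {"low": 10000, "high": 99999}))
    # Raising only the upper bound leaves every mapping where it was.
    print("high bound raised:",
          moved_ids([500, 513], old, {"low": 5000, "high": 99999999}))
```

With a lower bound of 5000, RID 513 maps to 5513, and with 10000 it maps to 10513; both values appear in the `id` output posted in this thread.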
Carlos A. P. Cunha
2016-07-14 12:32:55 UTC
Hello!
Any opinion on that?
Thank you
Carlos A. P. Cunha
2016-07-14 13:16:53 UTC
Hello!! Hehehe
So, since I already changed the values and had problems, my idea is to leave
everything as it was, both:

idmap config *: range = 5000-16777216
idmap config SERVERAD: range = 5000-33554431


It has been running for more than one year and problems occurred only when I
changed it. I know the right thing is to set the range as you described, but I
cannot have the ID change issues again (they caused much headache).

So my question is really: if I only change
idmap config *: range =
to a lower value such as 2000-4500, what impact can I have?
Since this is not the range of the DC users.

Thank you again.
Sorry, didn't realise you were asking a question :-[
As long as the ranges do not overlap and you can work around any
possible problems (note: I am not saying you will have problems, but
possibly may have problems), then, the range you suggest will work.
Rowland
Carlos A. P. Cunha
2016-07-15 12:53:56 UTC
Hello!

I changed to


idmap config *: range = 2000-4500

The BUILTIN:

uid=5500(administrator) gid=5513(domain users) groups=5513(domain users),5500(administrator),5520(group policy creator owners),5519(enterprise admins),9130(servad-1 $ acronis remote users),6530(kladmins),5518(schema admins),5512(domain admins),*2001(BUILTIN\users),2000(BUILTIN\administrators)*

I think this will be better then, so I do not have overlapping values