
[Samba] Failed to find domain Unix Group


Carlos A. P. Cunha

Jul 12, 2016, 3:10:04 PM
Hello!

My file server is running ubuntu samba 4.3.0 and today started the
problem that my IDs have changed and this caused countless problems.
In the logs I have the following:

Jul 12 15:57:07 samba fileserver winbindd [1141] [07.12.2016 15:57:07.605992, 0] ../source3/winbindd/winbindd_group.c:45(fill_grent)
Jul 12 15:57:07 samba fileserver winbindd [1141]: Failed to find domain 'Unix Group'. Check connection to trusted domains!
Jul 12 15:57:07 samba fileserver winbindd [1141] [07.12.2016 15:57:07.606582, 0] ../source3/winbindd/winbindd_group.c:45(fill_grent)
Jul 12 15:57:07 samba fileserver winbindd [1141]: Failed to find domain 'Unix Group'. Check connection to trusted domains!
Jul 12 15:57:07 samba fileserver winbindd [1141] [07.12.2016 15:57:07.739510, 0] ../source3/winbindd/winbindd_group.c:45(fill_grent)
Jul 12 15:57:07 samba fileserver winbindd [1141]: Failed to find domain 'Unix Group'. Check connection to trusted domains!
Jul 12 15:57:07 samba fileserver winbindd [1141] [07.12.2016 15:57:07.743113, 0] ../source3/winbindd/winbindd_group.c:45(fill_grent)
Jul 12 15:57:07 samba fileserver winbindd [1141]: Failed to find domain 'Unix Group'. Check connection to trusted domains!


my smb.conf

[global]

netbios name = FILESERVER
workgroup = SERVER
security = ADS

realm = MYDOMAIN
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab


idmap config *: backend = tdb
# I changed values for test
idmap config *: range = 100000-9999999
idmap config SERVERAD: backend = rid
# I changed values for test
idmap config SERVERAD: range = 1000000000 to 9999999999
idmap_ldb: use RFC2307 = Yes

winbind nss info = RFC2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = Yes
winbind cache time = 10

# Needed for Fileserver
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

# Disable Cups
load printers = no
printing = bsd
printcap name = /dev/null
spoolss disable = yes


I think the problem is that the ID are conflicting with the system:

id user01
uid=11458(user01) gid=10513(domain users) groups=10513(domain users),11458(user01),18249(almox_grupo),5001(BUILTIN\users)


Thanks!!
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Rowland penny

Jul 12, 2016, 3:30:03 PM
Hi, your 'id' command is showing this: uid = 11458(user01) and groups =
11458(user01)
How is this occurring ?
Do you have a user or group called 'user01' in AD that is also in
/etc/passwd ?
If this is the case, you need to decide which one to keep and delete the
other, users/groups cannot exist in AD and /etc/passwd.

Rowland

Carlos A. P. Cunha

Jul 12, 2016, 3:40:03 PM
Hello!
My User is only in AD, the passwd see some User (system) with high GID
in the same range of Samba

Example:
statd:x:108:65534::/var/lib/nfs:/bin/false

My fear is that change again and lose everything again permissions,
which had to redo everything ...

Thank you

Rowland penny

Jul 12, 2016, 4:00:03 PM
On 12/07/16 20:34, Carlos A. P. Cunha wrote:
>
> Hello!
> My User is only in AD, the passwd see some User (system) with high GID
> in the same range of Samba
>
> Example:
> statd:x:108:65534::/var/lib/nfs:/bin/false
>
> My fear is that change again and lose everything again permissions,
> which had to redo everything ...
>
> Thank you
>
>

you posted:

id user01
uid=11458(user01) gid=10513(domain users) groups=10513(domain users),11458(user01),18249(almox_grupo),5001(BUILTIN\users)

if I check my id:

rowland@devstation:~$ id rowland
uid=10000(rowland) gid=10000(domain_users)
groups=10000(domain_users),102(netdev),2001(BUILTIN\users)

Notice the big difference, I do not have a private group like 'user01',
where is your users private group coming from ?

You also seem to be bothered by the user/group '65534', this is the Unix
user/group nobody/nogroup and is only worth bothering about if and when
you get to the AD user/group 65534.

Or am I totally missing the point and all your AD users have changed ID
number ?

Carlos A. P. Cunha

Jul 12, 2016, 4:10:03 PM
Hello!
I see what you mean, but it seems that all my User is this: Example:

id suporteti
uid=11575(suporteti) gid=10513(domain users) groups=10513(domain users),11575(suporteti),5001(BUILTIN\users)

id consinco
uid=12982(consinco) gid=10513(domain users) groups=10513(domain users),12982(consinco),5001(BUILTIN\users)

In my DC the output of id:

id suporteti
uid=3000515(SERVER\suporteti) gid=100(users) groups=100(users),3000515(SERVER\suporteti),3000001(BUILTIN\users)

id consinco
uid=3000516(SERVER\consinco) gid=100(users) groups=100(users),3000516(SERVER\consinco),3000001(BUILTIN\users)



Yes, all my User IDs have changed ...

:-(




On 12-07-2016 16:48, Rowland penny wrote:
> you posted:
>
> id user01
> uid=11458(user01) gid=10513(domain users) groups=10513(domain users),11458(user01),18249(almox_grupo),5001(BUILTIN\users)
>
> if I check my id:
>
> rowland@devstation:~$ id rowland
> uid=10000(rowland) gid=10000(domain_users)
> groups=10000(domain_users),102(netdev),2001(BUILTIN\users)
>
> Notice the big difference, I do not have a private group like
> 'user01', where is your users private group coming from ?
>
> You also seem to be bothered by the user/group '65534', this is the
> Unix user/group nobody/nogroup and is only worth bothering about if
> and when you get to the AD user/group 65534.
>
> Or am I totally missing the point and all your AD users have changed
> ID number ?

Carlos A. P. Cunha

Jul 12, 2016, 4:50:02 PM
Hello!
Sorry for the confusion this where SERVER is SERVERAD(right)
At the time this all to work, but still followed the message! Errors in
logs.
And I'm afraid to change again.

:-|


On 12-07-2016 17:40, Rowland penny wrote:
> OK, you posted your smb.conf from your fileserver, it contained these
> lines:
>
> workgroup = SERVER
>
> and
>
> idmap config SERVERAD: backend = rid
> # I changed values for test
> idmap config SERVERAD: range = 1000000000 to 9999999999
>
> I understand you changed the workgroup to post your smb.conf, but are
> the actual names for 'SERVER' and 'SERVERAD' the same in your
> smb.conf, because they should be.
>
> This doesn't explain why you are getting private groups, could you
> check your AD to see if the groups exist.

Carlos A. P. Cunha

Jul 12, 2016, 4:50:03 PM
Note: This working because I had to change all the permissions and the
files were left with various "waste" of old permissions.


Thanks

Rowland penny

Jul 12, 2016, 4:50:03 PM
On 12/07/16 21:01, Carlos A. P. Cunha wrote:
>
> Hello!
> I see what you mean, but it seems that all my User is this: Example:
>
> id suporteti
> uid=11575(suporteti) gid=10513(domain users) groups=10513(domain users),11575(suporteti),5001(BUILTIN\users)
>
> id consinco
> uid=12982(consinco) gid=10513(domain users) groups=10513(domain users),12982(consinco),5001(BUILTIN\users)
>
> In my DC the output of id:
>
> id suporteti
> uid=3000515(SERVER\suporteti) gid=100(users) groups=100(users),3000515(SERVER\suporteti),3000001(BUILTIN\users)
>
> id consinco
> uid=3000516(SERVER\consinco) gid=100(users) groups=100(users),3000516(SERVER\consinco),3000001(BUILTIN\users)
>
>
>
> Yes, all my User IDs have changed ...
>
> :-(
>
>

OK, you posted your smb.conf from your fileserver, it contained these lines:

workgroup = SERVER

and

idmap config SERVERAD: backend = rid
# I changed values for test
idmap config SERVERAD: range = 1000000000 to 9999999999

I understand you changed the workgroup to post your smb.conf, but are
the actual names for 'SERVER' and 'SERVERAD' the same in your smb.conf,
because they should be.

This doesn't explain why you are getting private groups, could you check
your AD to see if the groups exist.

Rowland

Carlos A. P. Cunha

Jul 12, 2016, 5:00:05 PM
Note2:At about 5 days upgraded my DC for Samba 4.4.5, but my I went in
version 4.3.


Thanks

Rowland penny

Jul 12, 2016, 5:10:02 PM
On 12/07/16 21:46, Carlos A. P. Cunha wrote:
>
> Note: This working because I had to change all the permissions and the
> files were left with various "waste" of old permissions.
>
>
> Thanks
>
>
> On 12-07-2016 17:44, Carlos A. P. Cunha wrote:
>>
>> Hello!
>> Sorry for the confusion this where SERVER is SERVERAD(right)
>> At the time this all to work, but still followed the message! Errors
>> in logs.
>> And I'm afraid to change again.
>>
>> :-|
>>
>>
>> On 12-07-2016 17:40, Rowland penny wrote:
>>> OK, you posted your smb.conf from your fileserver, it contained
>>> these lines:
>>>
>>> workgroup = SERVER
>>>
>>> and
>>>
>>> idmap config SERVERAD: backend = rid
>>> # I changed values for test
>>> idmap config SERVERAD: range = 1000000000 to 9999999999
>>>
>>> I understand you changed the workgroup to post your smb.conf, but
>>> are the actual names for 'SERVER' and 'SERVERAD' the same in your
>>> smb.conf, because they should be.
>>>
>>> This doesn't explain why you are getting private groups, could you
>>> check your AD to see if the groups exist.
>>
>

I don't understand how your users/groups changed their IDs, on the DC
RIDs are mapped and stored in idmap.ldb, you are also using the winbind
'rid' backend and again, the user/group IDs are mapped from the RID by
the algorithm:

ID = RID - BASE_RID + LOW_RANGE_ID

The BASE_RID is '0' so this becomes:

ID = RID + LOW_RANGE_ID

So unless you changed the range in smb.conf, your user/group IDs
shouldn't change.

I still don't understand where your private groups are coming from,
unless, are you running sssd or nscd as well as winbindd ??

Rowland

Data Control Systems - Mike Elkevizth

Jul 12, 2016, 5:30:02 PM
I had the same (or similar) issue on my DCs with the gid being 100 and the
uids being in the 3000000 range. I'm not sure if you've already set these
in your smb.conf, but the relevant section in mine is:

idmap_ldb:use rfc2307 = yes
# only needed so AD users can log into the DC locally
template shell = /bin/bash
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes

I also have to use the command 'net cache flush' on a semi-regular basis (I
run it via a cron job), or it seems that the DCs will eventually revert
back to the incorrect mappings. I'm guessing that what happens is that
winbind checks for the rfc2307 value and for some reason it doesn't get a
response and then it adds an entry into the idmap.ldb file. Winbind then
seems to prefer the idmap.ldb entry over the rfc2307 values. I'm not sure
about all the details, but it works for me.

Mike E.

Carlos A. P. Cunha

Jul 12, 2016, 5:30:03 PM
I am using internal Samba winbind

Changes in the values of IDS Rid, may have caused this?

Thanks

Carlos A. P. Cunha

Jul 12, 2016, 10:30:02 PM
Can return old id, returning the old values (changed the most at least
two months)

idmap config *: backend = tdb
idmap config *:range = 5000-16777216
idmap config SERVERAD: backend = rid
idmap config SERVERAD: range = 5000-33554431

The error stopped also, but I think the fact that a group with the same
ID / GID if the User to the fact that the idmap values be crossing, even
so I changed them (mentioned above)

Thank you

Data Control Systems - Mike Elkevizth

Jul 12, 2016, 11:00:02 PM
I forgot to mention in the previous post, I do not have any of the "idmap
config" parameters in the smb.conf on any of the DCs. I only use those
parameters on member servers. I would try commenting those out on your
DC(s) and restarting samba and see if that helps.

Mike E.


On Tue, Jul 12, 2016 at 10:20 PM, Carlos A. P. Cunha <
carlos...@gmail.com> wrote:

> Can return old id, returning the old values (changed the most at least
> two months)
>
> idmap config *: backend = tdb
> idmap config *:range = 5000-16777216
> idmap config SERVERAD: backend = rid
> idmap config SERVERAD: range = 5000-33554431
>
> The error stopped also, but I think the fact that a group with the same ID
> / GID if the User to the fact that the idmap values be crossing, even so
> I changed them ( mentioned above)

Carlos A. P. Cunha

Jul 12, 2016, 11:00:03 PM
Hello!
This is in my member in DC will not use these parameters.


Thanks


On 12-07-2016 23:48, Data Control Systems - Mike Elkevizth wrote:
> I forgot to mention in the previous post, I do not have any of the
> "idmap config" parameters in the smb.conf on any of the DCs. I only
> use those parameters on member servers. I would try commenting those
> out on your DC(s) and restarting samba and see if that helps.
>
> Mike E.
>
>
> On Tue, Jul 12, 2016 at 10:20 PM, Carlos A. P. Cunha
> <carlos...@gmail.com> wrote:
>
> Can return old id, returning the old values (changed the most at
> least two months)
>
> idmap config *: backend = tdb
> idmap config *:range = 5000-16777216
> idmap config SERVERAD: backend = rid
> idmap config SERVERAD: range = 5000-33554431
>
> The error stopped also, but I think the fact that a group with the
> same ID / GID if the User to the fact that the idmap values be
> crossing, even so I changed them (mentioned above)

Rowland penny

Jul 13, 2016, 4:20:03 AM
On 13/07/16 03:20, Carlos A. P. Cunha wrote:
>
> Can return old id, returning the old values (changed the most at least
> two months)
>
> idmap config *: backend = tdb
> idmap config *:range = 5000-16777216
> idmap config SERVERAD: backend = rid
> idmap config SERVERAD: range = 5000-33554431
>
> The error stopped also, but I think the fact that a group with the same
> ID / GID if the User to the fact that the idmap values be crossing,
> even so I changed them (mentioned above)
>
> Thank you
>
>

Do not change the lower range value on a Samba fileserver once set, you
can raise the upper value, but there is a proviso, the ranges must not
overlap. This means your lines above are invalid, they both start at
'5000' and the entire '*' range is inside the 'SERVERAD' range.

If you change the lower range and you are using the 'rid' backend, all
your IDs will change.
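
The two rules given in this thread, the 'rid' mapping ID = RID - BASE_RID + LOW_RANGE_ID and the requirement that idmap ranges must not overlap, as a runnable check. This is an added example, not part of the original posts and not Samba code: the function names are hypothetical, the smb.conf fragments are constructed from the ranges quoted in the thread, and RIDs 500 and 513 are the well-known Administrator and Domain Users RIDs.

```python
import re
from itertools import combinations

# "idmap config DOMAIN : range = LOW-HIGH"; commented-out lines do not match.
RANGE_RE = re.compile(
    r"^[ \t]*idmap[ \t]+config[ \t]+(\S+?)[ \t]*:[ \t]*range"
    r"[ \t]*=[ \t]*(\d+)[ \t]*-[ \t]*(\d+)[ \t]*$",
    re.IGNORECASE | re.MULTILINE,
)

# Constructed samples built from the ranges quoted in the thread.
THREAD_CONF = """\
idmap config *:backend = tdb
idmap config *:range = 5000-16777216
idmap config SERVERAD:backend = rid
idmap config SERVERAD:range = 5000-33554431
"""
FINAL_CONF = THREAD_CONF.replace("*:range = 5000-16777216", "*:range = 2000-4500")


def parse_ranges(smb_conf):
    """Return {domain: (low, high)} for every 'idmap config X:range' line."""
    return {m.group(1): (int(m.group(2)), int(m.group(3)))
            for m in RANGE_RE.finditer(smb_conf)}


def overlapping(ranges):
    """Return the domain pairs whose ID ranges share at least one ID."""
    return [(a, b)
            for (a, ra), (b, rb) in combinations(sorted(ranges.items()), 2)
            if ra[0] <= rb[1] and rb[0] <= ra[1]]


def rid_to_id(rid, low, high, base_rid=0):
    """ID = RID - BASE_RID + LOW_RANGE_ID; None if the result leaves the range."""
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None


def id_drift(rids, old, new):
    """Return {rid: (old_id, new_id)} for RIDs whose Unix ID differs."""
    drift = {}
    for rid in rids:
        before, after = rid_to_id(rid, *old), rid_to_id(rid, *new)
        if before != after:
            drift[rid] = (before, after)
    return drift


if __name__ == "__main__":
    for label, conf in (("thread", THREAD_CONF), ("final", FINAL_CONF)):
        print(label, "overlaps:", overlapping(parse_ranges(conf)))
    old = parse_ranges(THREAD_CONF)["SERVERAD"]
    # Moving the rid low value from 5000 to 10000 renumbers every account,
    # so files owned by the old numeric IDs no longer belong to their users.
    print(id_drift([500, 513], old, (10000, 99999)))
```
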

Carlos A. P. Cunha

Jul 13, 2016, 8:40:04 AM
I got it, so it must have been the problem ..
Strange that changed it more than one month at least.
Having these values now, how do you think I do?
Leave it or change at least the idmap config * values: range?

I understand the parameters:

idmap config *: range = Range of the Ids are User system

idmap config SERVERAD: range: DC User Range

Thank you

Rowland penny

Jul 13, 2016, 9:40:03 AM
OK, you need to find out just who owns what on your systems, if you find
that something belongs to a number or to a user that it shouldn't, then
you have problems.

If you look on the Samba wiki page for setting up a domain member, you
will find this for using the 'rid' backend:

# Default idmap config used for BUILTIN and local accounts/groups
idmap config *:backend = tdb
idmap config *:range = 2000-9999

# idmap config for domain SAMDOM
idmap config SAMDOM:backend = rid
idmap config SAMDOM:range = 10000-99999


The ranges were chosen for a reason, the '*' range '2000-9999' is large
enough for any windows SID-RIDS that need mapping and leaves room below
the range for any local Unix users that may be required. The domain
range starts at '10000', this is also the standard start number if you
use ADUC & the Unix Attributes tab. If needed, the range can be extended
by raising '99999' to whatever is required, this can be done whenever
required, just don't change '10000'

If practicable, you could use the above ranges, but if it takes less
work to keep the ranges you are using now, then stay with them, what I
am trying to say is, go with whatever is easiest, just make sure that
ranges do not overlap.

Carlos A. P. Cunha

Jul 13, 2016, 10:00:03 AM
Thank you for the explanation.
Yes, it was a mistake to leave my two ranges that way, by the ID
exchange reason the low range will leave as it was to have no problems
idmap config SERVERAD: range = 5000-33554431

The range of up I'm thinking of changing to something
idmap config *: range = 2000-4500

Not to be superimposed.

But it will it not cause problem ids trading again? Since it was before
both started in 50000

The next server will not make this mistake.

Final doubt, I promise heheh :-D

Thanks

Rowland penny

Jul 14, 2016, 8:40:04 AM
On 14/07/16 13:32, Carlos A. P. Cunha wrote:
>
> Hello!
> Any opinion on that?
> Thank you
Sorry, didn't realise you were asking a question :-[

As long as the ranges do not overlap and you can work around any
possible problems (note: I am not saying you will have problems, but
possibly may have problems), then, the range you suggest will work.

Carlos A. P. Cunha

Jul 14, 2016, 8:40:04 AM
Hello!
Any opinion on that?
Thank you


Carlos A. P. Cunha

Jul 14, 2016, 9:30:03 AM
Hello!! Hehehe
Then, as already changed the values and problem had my idea is to leave
everything as it was, the two

idmap config *: range = 5000-16777216
idmap config SERVERAD: range = 5000-33554431


It is running more than one year and occurred only problems that I
changed, I know the right and leave the range as you passed, but I can
not have the ID change issues again (caused much headache).

So I was in doubt even if the only change
idmap config *: range =
to a lower value as 2000-4500, which impacts can I have?
Since this is not the range of DC User.

Thank you again.

Carlos A. P. Cunha

Jul 15, 2016, 9:00:04 AM
Hello!

I changed to


idmap config *: range = 2000-4500

The BUILTIN:

uid=5500(administrator) gid=5513(domain users) groups=5513(domain
users),5500(administrator),5520(group policy creator
owners),5519(enterprise admins),9130(servad-1 $ acronis remote
users),6530(kladmins),5518(schema admins),5512(domain
admins),*2001(BUILTIN\users),2000(BUILTIN\administrators)*

I think this will get better then, so do not have overlapping values