
[Samba] winbind: How to map Administrator to "root" on AD member server


Fred F

Feb 14, 2014, 6:53:23 PM
Hi,

I am running a pure Samba 4.1+ AD environment (on the server side). There
is one AD DC running Samba 4.1 and two member servers (running Samba 4.1 as
well).

I have provisioned the domain with support for the rfc2307 AD schema. On
the DC the UIDs are assigned automatically to AD users by Samba, which is
great. I am also storing the assigned UIDs in the Active Directory as
uidNumber (gidNumber for groups).

On the member servers I am using the AD idmap backend with rfc2307 support:

> idmap config *:backend = tdb
> idmap config *:range = 3500000 - 3600000
> idmap config MYDOMAIN:backend = ad
> idmap config MYDOMAIN:schema_mode = rfc2307
> idmap config MYDOMAIN:range = 0 - 3500000
> winbind nss info = rfc2307

This is working great for normal users and groups, but I am struggling with
some special accounts, such as "Administrator". On the DC Samba
automatically assigned the uid/gid "0" to the account, which is fine for
me. Now I also need this mapping on the member servers, as storage may be
shared across the servers, so the UIDs need to stay the same.

So I assigned the uidNumber "0" to the "Administrator" account in the AD,
but unfortunately the member server cannot resolve the account's SID to a
uid (on the AD DC this is working!). What am I doing wrong?


Thanks in advance,
Frederik
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

steve

Feb 15, 2014, 3:41:23 AM
On Sat, 2014-02-15 at 00:53 +0100, Fred F wrote:
> Hi,
>
> I am running a pure Samba 4.1+ AD environment (on the server side). There
> is one AD DC running Samba 4.1 and two member servers (running Samba 4.1 as
> well).
>
> I have provisioned the domain with support for the rfc2307 AD schema. On
> the DC the UIDs are assigned automatically to AD users by Samba, which is
> great. I am also storing the assigned UIDs in the Active Directory as
> uidNumber (gidNumber for groups).
>
> On the member servers I am using the AD idmap backend with rfc2307 support:
>
> > idmap config *:backend = tdb
> > idmap config *:range = 3500000 - 3600000
> > idmap config MYDOMAIN:backend = ad
> > idmap config MYDOMAIN:schema_mode = rfc2307
> > idmap config MYDOMAIN:range = 0 - 3500000
> > winbind nss info = rfc2307

The ranges overlap.
Try 0-3499999 for MYDOMAIN
Steve

Fred F

Feb 15, 2014, 4:58:56 AM
2014-02-15 9:41 GMT+01:00 steve <st...@steve-ss.com>:
> The ranges overlap.
> Try 0-3499999 for MYDOMAIN
> Steve
Oh thanks, I did not notice that. I fixed it, but the problem still
remains the same:

On the DC (Samba 4.1.4):
gandalf ~ # wbinfo -n "Administrator"
S-1-5-21-1200390382-381037820-236082462-500 SID_USER (1)
gandalf ~ # wbinfo -S S-1-5-21-1200390382-381037820-236082462-500
0

On the domain member (Samba 4.1.4):
sam ~ # wbinfo -n "Administrator"
S-1-5-21-1200390382-381037820-236082462-500 SID_USER (1)
sam ~ # wbinfo -S S-1-5-21-1200390382-381037820-236082462-500
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-1200390382-381037820-236082462-500 to uid

The call of "wbinfo -S USER_SID" works for other users, but not for
the Administrator account. An ldapsearch for the Administrator account
shows that everything should be set up correctly in the AD. Some of
the account's LDAP attrs are:

uidNumber: 0
loginShell: /bin/bash
msSFU30Name: Administrator
unixUserPassword: ABCD!efgh12345$67890
uid: Administrator
unixHomeDirectory: /root
gidNumber: 0

What is going on here? Why is winbind ignoring the uidNumber "0"? As I
mentioned before the uidNumber entries of other users are working as
expected.


- Fred

steve

Feb 15, 2014, 8:42:50 AM
On Sat, 2014-02-15 at 00:53 +0100, Fred F wrote:

>
> This is working great for normal users and groups, but I am struggling with
> some special accounts, such as "Administrator".

Hi
It doesn't work as you have it. Just map Administrator to root (or
whoever you want, probably not a good idea to use root) in smb.conf:
http://linuxcostablanca.blogspot.com.es/2013/05/samba-3615-file-server-for-samba-406-ad.html
HTH
Steve

Björn JACKE

Feb 15, 2014, 5:42:04 PM
On 2014-02-15 at 00:53 +0100 Fred F sent off:
> This is working great for normal users and groups, but I am struggling with
> some special accounts, such as "Administrator". On the DC Samba
> automatically assigned the uid/gid "0" to the account, which is fine for
> me. Now I also need this mapping on the member servers, as storage may be
> shared across the servers, so the UIDs need to stay the same.

> So I assigned the uidNumber "0" to the "Administrator" account in the AD,
> but unfortunately the member server cannot resolve the account's SID to a
> uid (on the AD DC this is working!). What am I doing wrong?

I would recommend changing the uidNumber of Administrator to a different
unused one. Otherwise you might run into other problems, too. See also
https://bugzilla.samba.org/show_bug.cgi?id=9837

Björn

Rowland Penny

Feb 15, 2014, 6:38:16 PM
Hmm, I can see two problems here:

1) Samba maps the Administrator to 0

dn: CN=SID-500
name: Administrator
cn: SID-500
objectClass: sidMap
objectSid: SID-500
type: ID_TYPE_UID
xidNumber: 0
distinguishedName: CN=SID-500

2) Where are you going to get the uidNumber from??? Samba 4 does not
store any uidNumbers until one is created, i.e. there is no uidNumber to
give to the Administrator.

Rowland

Fred F

Feb 16, 2014, 8:32:41 AM
Hi,

2014-02-15 23:42 GMT+01:00 Björn JACKE <b...@sernet.de>:
> I would recommend to change the uidNumber of Administrator to a different
> unused one. Otherwise you might run into other problems, too. See also
> https://bugzilla.samba.org/show_bug.cgi?id=9837
OK, I understand that this could be bad. I'd also appreciate it if the
default behavior could be changed by the Samba folks. But shouldn't I
still be able to resolve the Administrator account to uid 0 using
winbind in my setup? Or does winbind prevent mapping anything to
uid/gid 0 nowadays?

2014-02-16 0:38 GMT+01:00 Rowland Penny <rowlan...@googlemail.com>:
> Hmm, I can see two problems here:
>
> 1) Samba maps the Administrator to 0
>
> dn: CN=SID-500
> name: Administrator
> cn: SID-500
> objectClass: sidMap
> objectSid: SID-500
> type: ID_TYPE_UID
> xidNumber: 0
> distinguishedName: CN=SID-500
Exactly.

> 2) where are you going to get the uidNumber from??? Samba 4 does not store
> any uidNumber's until one is created i.e. there is no uidNumber to give to
> the Administrator.
Well, the uidNumber comes from the AD attribute "uidNumer", which I
assigned manually to the user (can be easily done in the "UNIX"-tab of
the AD object on Windows or through LDAP). I've set up a sync script
which checks Samba's internal mapping between SIDs and uids/gids *on
the DC* and syncs them to the AD. This works for all users & groups,
except for Administrator (and the "Domain Admins" group), although I
think I've set everything up correctly.

So for me the actual question now is: is this a bug or a "feature"? :)

- Fred

Rowland Penny

Feb 16, 2014, 8:58:59 AM
Hi, I was actually replying to Bjorn's post, but your reply just backs
up what I was saying: a stock samba4 domain has nowhere to store any
uidNumbers & gidNumbers (except in the user or group DN) until you
create one through ADUC. AD then creates the attributes that I think
should be there from the start, so I think it is a bug!

Only problem is, if the 'msSFU30MaxUidNumber' & 'msSFU30MaxGidNumber'
were to be created and populated at provision, then samba-tool will have
to be re-written to take advantage of these attributes.

If the above were to happen, this then opens another question, just
where do you start these numbers? 10000 as windows does or somewhere else?

As for the Administrator account, I think that this may just be a
windows 'feature', if you look at the Administrator account in ADUC, you
will find that it is a built-in account and if you then open the
Properties for this user and go to the 'Account' tab, you will find that
the account has no 'User logon Name'.

Rowland

steve

Feb 16, 2014, 9:13:56 AM

Hi
The only way we know to do this is to map Administrator to root or
someone else. winbind won't do it, as the OP has found out. The solution
has already been posted in this thread:
https://lists.samba.org/archive/samba/2014-February/178913.html

As for where the uid should start, we'd vote to do it as windows
does it. Always do as windows does, even though we may not like it. This
extends to storing uidNumber and gidNumber. As windows does: in AD.
Cheers,
Steve

Björn JACKE

Feb 16, 2014, 4:24:35 PM
On 2014-02-15 at 23:38 +0000 Rowland Penny sent off:
> 1) Samba maps the Administrator to 0

this is what I meant when saying uidNUmber is 0.


> dn: CN=SID-500
> name: Administrator
> cn: SID-500
> objectClass: sidMap
> objectSid: SID-500
> type: ID_TYPE_UID
> xidNumber: 0
> distinguishedName: CN=SID-500
>
> 2) where are you going to get the uidNumber from??? Samba 4 does not
> store any uidNumber's until one is created i.e. there is no
> uidNumber to give to the Administrator.

sorry for the confusing use of the term uidNumber, read it like s/uidNUmber/UID
number/ :-). yes, xidNumber: 0 maps to the UID number 0, which causes the
trouble described in the bug.

Björn

Rowland Penny

Feb 16, 2014, 4:57:41 PM
On 16/02/14 21:24, Björn JACKE wrote:
> On 2014-02-15 at 23:38 +0000 Rowland Penny sent off:
>> 1) Samba maps the Administrator to 0
> this is what I meant when saying uidNUmber is 0.
>
>
>> dn: CN=SID-500
>> name: Administrator
>> cn: SID-500
>> objectClass: sidMap
>> objectSid: SID-500
>> type: ID_TYPE_UID
>> xidNumber: 0
>> distinguishedName: CN=SID-500
>>
>> 2) where are you going to get the uidNumber from??? Samba 4 does not
>> store any uidNumber's until one is created i.e. there is no
>> uidNumber to give to the Administrator.
> sorry for the confusing use of the term uidNumber, read it like s/uidNUmber/UID
> number/ :-). yes, xidNumber: 0 maps to the UID number 0, which causes the
> trouble described in the bug.
>
> Björn
You are right about Administrator not being able to login because of the
home directory, but Administrator isn't supposed to login to a linux
machine, so that isn't really a problem. I personally have never had a
problem logging onto a linux domain machine as root. Are you sure that
your problem isn't just a problem with your setup? After all, nobody
else has ever complained about this particular problem.

Rowland

Björn JACKE

Feb 16, 2014, 5:32:56 PM
On 2014-02-16 at 21:57 +0000 Rowland Penny sent off:
> You are right about administrator not being able to login because of
> the home directory, but Administrator isn't supposed to login to a
> linux machine, so that isn't really a problem. I personally have
> never had a problem logging onto a linux domain machine as root, are
> you sure that your problem isn't just a problem with your setup,
> after all, nobody else has ever complained about this particular
> problem.

Read in the bug report: the problem is in that case that root's home directory
is no longer considered to be /root by sshd. User names and uid numbers should
always be unique. A lot of things will break otherwise.
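Two checks a member-server admin can run offline, as an added example that is not part of the thread: the first catches the overlapping idmap ranges Steve pointed out earlier (the `*` tdb range and the MYDOMAIN ad range both containing 3500000), the second catches an AD uidNumber that collides with a local account, which is the uid 0 / root uniqueness problem Björn describes. The smb.conf fragment, AD entries and passwd entries are constructed copies for this example.

```python
"""Offline sanity checks for a winbind 'idmap config ... = ad' setup (constructed example)."""
import re
from typing import Dict, List, Tuple

# The fragment as posted in the thread (constructed copy) and the corrected version.
SMB_CONF_POSTED = """
idmap config *:backend = tdb
idmap config *:range = 3500000 - 3600000
idmap config MYDOMAIN:backend = ad
idmap config MYDOMAIN:schema_mode = rfc2307
idmap config MYDOMAIN:range = 0 - 3500000
"""
SMB_CONF_FIXED = SMB_CONF_POSTED.replace("MYDOMAIN:range = 0 - 3500000",
                                         "MYDOMAIN:range = 0 - 3499999")

# "idmap config <domain>:range = <low> - <high>"; the domain may be '*'.
RANGE_RE = re.compile(r"^\s*idmap config\s+([^\s:]+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)


def parse_ranges(conf: str) -> Dict[str, Tuple[int, int]]:
    """Map each idmap domain name to its (low, high) id range."""
    ranges: Dict[str, Tuple[int, int]] = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges


def overlapping_ranges(ranges: Dict[str, Tuple[int, int]]) -> List[Tuple[str, str]]:
    """Return every pair of idmap domains whose ranges share at least one id."""
    names = sorted(ranges)
    bad = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            lo_a, hi_a = ranges[a]
            lo_b, hi_b = ranges[b]
            if lo_a <= hi_b and lo_b <= hi_a:   # closed intervals intersect
                bad.append((a, b))
    return bad


def colliding_ids(ad_entries: List[Tuple[str, int]],
                  local_passwd: List[Tuple[str, int]]) -> List[Tuple[str, int, str]]:
    """AD (name, uidNumber) pairs whose uidNumber is already a local uid, e.g. 0 == root."""
    local = {uid: name for name, uid in local_passwd}
    return [(name, uid, local[uid]) for name, uid in ad_entries if uid in local]


# Constructed sample data: rfc2307 attributes from AD and a minimal local passwd.
AD_ENTRIES = [("Administrator", 0), ("alice", 10001), ("bob", 10002)]
LOCAL_PASSWD = [("root", 0), ("daemon", 1), ("nobody", 65534)]

if __name__ == "__main__":
    print("overlap (posted):", overlapping_ranges(parse_ranges(SMB_CONF_POSTED)))
    print("overlap (fixed): ", overlapping_ranges(parse_ranges(SMB_CONF_FIXED)))
    print("uid collisions:  ", colliding_ids(AD_ENTRIES, LOCAL_PASSWD))
```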

Rowland Penny

Feb 17, 2014, 5:42:49 AM
On 16/02/14 22:32, Björn JACKE wrote:
> On 2014-02-16 at 21:57 +0000 Rowland Penny sent off:
>> You are right about administrator not being able to login because of
>> the home directory, but Administrator isn't supposed to login to a
>> linux machine, so that isn't really a problem. I personally have
>> never had a problem logging onto a linux domain machine as root, are
>> you sure that your problem isn't just a problem with your setup,
>> after all, nobody else has ever complained about this particular
>> problem.
> Read in the bug report: the problem is in that case that root's home directory
> is no longer considered to be /root by sshd. User names and uid numbers should
> always be unique. A lot of things will break otherwise.

I did read the bug report and if you take notice, I did agree with you
about the Administrator login and its home directory, but I cannot get
the problem that you report. For me, no matter where I start from, ssh
login of root works, it also gets the correct home directory of /root.
This is why I asked if the problem is just with your setup, for
instance, you could try turning off nscd, in my opinion this is probably
where your problem lies, not in samba.

Rowland

Björn JACKE

Feb 17, 2014, 6:24:49 AM
On 2014-02-17 at 10:42 +0000 Rowland Penny sent off:
> This is why I asked if the problem is just with your setup, for
> instance, you could try turning off nscd, in my opinion this is
> probably where your problem lies, not in samba.

nscd is not a "problem"; nscd is usually recommended, also with winbind
setups. It can change the behaviour of nsswitch, though, and setups with double
assigned user names and uid numbers are always a problem. Even if in your setup
you see no problems, everybody should take care not to have double assigned
uids around.

Björn

Rowland Penny

Feb 17, 2014, 8:04:00 AM
On 17/02/14 11:24, Björn JACKE wrote:
> On 2014-02-17 at 10:42 +0000 Rowland Penny sent off:
>> This is why I asked if the problem is just with your setup, for
>> instance, you could try turning off nscd, in my opinion this is
>> probably where your problem lies, not in samba.
> nscd is not a "problem", nscd is usually recommended to use, also with winbind
> setups, it can change the behaviour of nsswitch though for setups with double
> assigned user names and uid numbers are always problem. Even if in your setup
> you see no problems, everybody should take care not to have double assigned
> uids around.
>
> Björn
Are you sure about that? If you are, then this needs changing:

https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html

Near the bottom:
<quote>

NSCD Problem Warning

Warning

Do not under any circumstances run nscd on any system on which winbindd
is running.

</quote>

You seem to be the only person complaining about this problem, you first
reported this 'bug' approx 10 months ago and nobody has done anything
about it, or complained about it since.

Why don't you try turning off nscd like everybody else, or at least
the user & group parts.

Rowland

Björn JACKE

Feb 17, 2014, 8:36:32 AM
On 2014-02-17 at 13:04 +0000 Rowland Penny sent off:
> Are you sure about that?

Yes.
As written a number of times before: the information in the HOWTO-Collection is
not maintained at all. Don't read it. Or at least don't put too much trust in
it if you read it ;-). The HOWTO Collection will probably be removed for 4.2
for that reason.

Björn

Rowland Penny

Feb 17, 2014, 8:58:59 AM
On 17/02/14 13:36, Björn JACKE wrote:
> On 2014-02-17 at 13:04 +0000 Rowland Penny sent off:
>> Are you sure about that?
> yes
>
>> if you are, then this needs changing:
>>
>> https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html
> as written a number of times before: the information in the HOWTO-Collection is
> not maintained at all. Don't read it. Or at least don't put too much trust in
> it if you read it ;-). The HOWTO Collection will probably be removed for 4.2
> for that reason.
>
> Björn
>
Just because something isn't maintained any more, does not make it all
false. If you do an internet search for winbind and nscd, you will find
a lot of examples that tell you not to use winbind and nscd, they cannot
all be false.

I do not use nscd and have never had the problem that you reported. Is
there anybody else out there that has? And if so, are they using nscd as
well?

All I can suggest, is that you try it without nscd and see if you get
the problem, if you do, it is a samba problem, if you don't, it is an
nscd problem. If you will not even try my suggestion, then, that's your
problem! ;-)

Rowland

steve

Feb 17, 2014, 12:06:07 PM
On Mon, 2014-02-17 at 12:24 +0100, Björn JACKE wrote:
> On 2014-02-17 at 10:42 +0000 Rowland Penny sent off:

> > This is why I asked if the problem is just with your setup, for
> > instance, you could try turning off nscd, in my opinion this is
> > probably where your problem lies, not in samba.
>
> nscd is not a "problem", nscd is usually recommended to use, also with winbind
> setups, it can change the behaviour of nsswitch though for setups with double
> assigned user names and uid numbers are always problem. Even if in your setup
> you see no problems, everybody should take care not to have double assigned
> uids around.
>
> Björn

Hi
nscd is a _huge_ problem. By all means turn it back on. Later, when you
have solved the uid problem. NEVER debug with nscd active.
HTH
Steve
