samba - Jul 2016 - Failed to find domain Unix Group

On 12/07/16 21:46, Carlos A. P. Cunha wrote:
>
> Note: This working because I had to change all the permissions and the 
> files were left with various "waste" of old permissions.
>
>
> Thanks
>
>
> Em 12-07-2016 17:44, Carlos A. P. Cunha escreveu:
>>
>> Hello!
>> Sorry for the confusion this where SERVER is SERVERAD(right)
>> At the time this all to work, but still followed the message! Errors 
>> in logs.
>> And I'm afraid to change again.
>>
>> : - |
>>
>>
>> Em 12-07-2016 17:40, Rowland penny escreveu:
>>> OK, you posted your smb.conf from your fileserver, it contained 
>>> these lines:
>>>
>>> workgroup = SERVER
>>>
>>> and
>>>
>>> idmap config SERVERAD: backend = rid
>>> # I changed values ​​for test
>>> idmap config SERVERAD: range = 1000000000 to 9999999999
>>>
>>> I understand you changed the workgroup to post your smb.conf, but 
>>> are the actual names for 'SERVER' and 'SERVERAD'
the same in your
>>> smb.conf, because they should be.
>>>
>>> This doesn't explain why you are getting private groups, could
you
>>> check your AD to see if the groups exist.
>>
>
I don't understand how your users/groups changed their IDs, on the DC 
RIDs are mapped and stored in idmap.ldb, you are also using the winbind 
'rid' backend and again, the user/group IDs are mapped from the RID by 
the algorithm:

  ID = RID - BASE_RID + LOW_RANGE_ID

The BASE_RID is '0' so this becomes:

ID = RID + LOW_RANGE_ID

So unless you changed the range in smb.conf, your user/group IDs 
shouldn't change.

I still don't understand where your private groups are coming from, 
unless, are you running sssd or nlscd as well as winbindd ??

Rowland

I am using internal Samba winbind

Changes in the values of IDS Rid, may have caused this?

Thanks


Em 12-07-2016 17:58, Rowland penny escreveu:
> On 12/07/16 21:46, Carlos A. P. Cunha wrote:
>>
>> Note: This working because I had to change all the permissions and 
>> the files were left with various "waste" of old permissions.
>>
>>
>> Thanks
>>
>>
>> Em 12-07-2016 17:44, Carlos A. P. Cunha escreveu:
>>>
>>> Hello!
>>> Sorry for the confusion this where SERVER is SERVERAD(right)
>>> At the time this all to work, but still followed the message!
Errors
>>> in logs.
>>> And I'm afraid to change again.
>>>
>>> : - |
>>>
>>>
>>> Em 12-07-2016 17:40, Rowland penny escreveu:
>>>> OK, you posted your smb.conf from your fileserver, it contained
>>>> these lines:
>>>>
>>>> workgroup = SERVER
>>>>
>>>> and
>>>>
>>>> idmap config SERVERAD: backend = rid
>>>> # I changed values ​​for test
>>>> idmap config SERVERAD: range = 1000000000 to 9999999999
>>>>
>>>> I understand you changed the workgroup to post your smb.conf,
but
>>>> are the actual names for 'SERVER' and
'SERVERAD' the same in your
>>>> smb.conf, because they should be.
>>>>
>>>> This doesn't explain why you are getting private groups,
could you
>>>> check your AD to see if the groups exist.
>>>
>>
>
> I don't understand how your users/groups changed their IDs, on the DC 
> RIDs are mapped and stored in idmap.ldb, you are also using the 
> winbind 'rid' backend and again, the user/group IDs are mapped from
> the RID by the algorithm:
>
>  ID = RID - BASE_RID + LOW_RANGE_ID
>
> The BASE_RID is '0' so this becomes:
>
> ID = RID + LOW_RANGE_ID
>
> So unless you changed the range in smb.conf, your user/group IDs 
> shouldn't change.
>
> I still don't understand where your private groups are coming from, 
> unless, are you running sssd or nlscd as well as winbindd ??
>
> Rowland
>

I had the same (or similar) issue on my DCs with the gid being 100 and the
uids being in the 3000000 range.   I'm not sure if you've already set
these
in your smb.conf, but the relevant section in mine is:

idmap_ldb:use rfc2307 = yes
template shell = /bin/bash   #only needed so AD users can log into the DC
locally
winbind use default domain = yes
winbind enum users  = yes
winbind enum groups = yes

I also have to use the command 'net cache flush' on a semi-regular basis
(I
run it via a cron job), or it seems that the DCs will eventually revert
back to the incorrect mappings.  I'm guessing that what happens is that
winbind checks for the rfc2307 value and for some reason it doesn't get a
response and then it adds an entry into the idmap.ldb file.  Winbind then
seems to prefer the idmap.ldb entry over the rfc2307 values.  I'm not sure
about all the details, but it works for me.

Mike E.


On Tue, Jul 12, 2016 at 4:58 PM, Rowland penny <rpenny at samba.org>
wrote:
> On 12/07/16 21:46, Carlos A. P. Cunha wrote:
>
>>
>> Note: This working because I had to change all the permissions and the
>> files were left with various "waste" of old permissions.
>>
>>
>> Thanks
>>
>>
>> Em 12-07-2016 17:44, Carlos A. P. Cunha escreveu:
>>
>>>
>>> Hello!
>>> Sorry for the confusion this where SERVER is SERVERAD(right)
>>> At the time this all to work, but still followed the message!
Errors in
>>> logs.
>>> And I'm afraid to change again.
>>>
>>> : - |
>>>
>>>
>>> Em 12-07-2016 17:40, Rowland penny escreveu:
>>>
>>>> OK, you posted your smb.conf from your fileserver, it contained
these
>>>> lines:
>>>>
>>>> workgroup = SERVER
>>>>
>>>> and
>>>>
>>>> idmap config SERVERAD: backend = rid
>>>> # I changed values ​​for test
>>>> idmap config SERVERAD: range = 1000000000 to 9999999999
>>>>
>>>> I understand you changed the workgroup to post your smb.conf,
but are
>>>> the actual names for 'SERVER' and 'SERVERAD'
the same in your smb.conf,
>>>> because they should be.
>>>>
>>>> This doesn't explain why you are getting private groups,
could you
>>>> check your AD to see if the groups exist.
>>>>
>>>
>>>
>>
> I don't understand how your users/groups changed their IDs, on the DC
RIDs
> are mapped and stored in idmap.ldb, you are also using the winbind
'rid'
> backend and again, the user/group IDs are mapped from the RID by the
> algorithm:
>
>  ID = RID - BASE_RID + LOW_RANGE_ID
>
> The BASE_RID is '0' so this becomes:
>
> ID = RID + LOW_RANGE_ID
>
> So unless you changed the range in smb.conf, your user/group IDs
shouldn't
> change.
>
> I still don't understand where your private groups are coming from,
> unless, are you running sssd or nlscd as well as winbindd ??
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

Can return old id, returning the old values (changed the most at least 
two months)

idmap config *: backend = tdb
idmap config *:range = 5000-16777216
idmap config SERVERAD: backend = rid
idmap config SERVERAD: range = 5000-33554431

The error parrou also, but I think the fact that a group with the same 
ID / GID if the User to the fact that the idmap values be crossing, even 
so I changed them (mentioned above)

Thank you


Em 12-07-2016 18:26, Data Control Systems - Mike Elkevizth
escreveu:
> I had the same (or similar) issue on my DCs with the gid being 100 and 
> the uids being in the 3000000 range.   I'm not sure if you've
already
> set these in your smb.conf, but the relevant section in mine is:
>
> idmap_ldb:use rfc2307 = yes
> template shell = /bin/bash   #only needed so AD users can log into the 
> DC locally
> winbind use default domain = yes
> winbind enum users  = yes
> winbind enum groups = yes
>
> I also have to use the command 'net cache flush' on a semi-regular 
> basis (I run it via a cron job), or it seems that the DCs will 
> eventually revert back to the incorrect mappings.  I'm guessing that 
> what happens is that winbind checks for the rfc2307 value and for some 
> reason it doesn't get a response and then it adds an entry into the 
> idmap.ldb file.  Winbind then seems to prefer the idmap.ldb entry over 
> the rfc2307 values.  I'm not sure about all the details, but it works 
> for me.
>
> Mike E.
>
>
> On Tue, Jul 12, 2016 at 4:58 PM, Rowland penny <rpenny at samba.org 
> <mailto:rpenny at samba.org>> wrote:
>
>     On 12/07/16 21:46, Carlos A. P. Cunha wrote:
>
>
>         Note: This working because I had to change all the permissions
>         and the files were left with various "waste" of old
permissions.
>
>
>         Thanks
>
>
>         Em 12-07-2016 17:44, Carlos A. P. Cunha escreveu:
>
>
>             Hello!
>             Sorry for the confusion this where SERVER is SERVERAD(right)
>             At the time this all to work, but still followed the
>             message! Errors in logs.
>             And I'm afraid to change again.
>
>             : - |
>
>
>             Em 12-07-2016 17:40, Rowland penny escreveu:
>
>                 OK, you posted your smb.conf from your fileserver, it
>                 contained these lines:
>
>                 workgroup = SERVER
>
>                 and
>
>                 idmap config SERVERAD: backend = rid
>                 # I changed values ​​for test
>                 idmap config SERVERAD: range = 1000000000 to 9999999999
>
>                 I understand you changed the workgroup to post your
>                 smb.conf, but are the actual names for 'SERVER' and
>                 'SERVERAD' the same in your smb.conf, because they
>                 should be.
>
>                 This doesn't explain why you are getting private
>                 groups, could you check your AD to see if the groups
>                 exist.
>
>
>
>
>     I don't understand how your users/groups changed their IDs, on the
>     DC RIDs are mapped and stored in idmap.ldb, you are also using the
>     winbind 'rid' backend and again, the user/group IDs are mapped
>     from the RID by the algorithm:
>
>      ID = RID - BASE_RID + LOW_RANGE_ID
>
>     The BASE_RID is '0' so this becomes:
>
>     ID = RID + LOW_RANGE_ID
>
>     So unless you changed the range in smb.conf, your user/group IDs
>     shouldn't change.
>
>     I still don't understand where your private groups are coming
>     from, unless, are you running sssd or nlscd as well as winbindd ??
>
>     Rowland
>
>
>     -- 
>     To unsubscribe from this list go to the following URL and read the
>     instructions: https://lists.samba.org/mailman/options/samba
>
>