samba - Jul 2016 - Failed to find domain Unix Group

Can return old id, returning the old values (changed the most at least 
two months)

idmap config *: backend = tdb
idmap config *:range = 5000-16777216
idmap config SERVERAD: backend = rid
idmap config SERVERAD: range = 5000-33554431

The error parrou also, but I think the fact that a group with the same 
ID / GID if the User to the fact that the idmap values be crossing, even 
so I changed them (mentioned above)

Thank you


Em 12-07-2016 18:26, Data Control Systems - Mike Elkevizth
escreveu:
> I had the same (or similar) issue on my DCs with the gid being 100 and 
> the uids being in the 3000000 range.   I'm not sure if you've
already
> set these in your smb.conf, but the relevant section in mine is:
>
> idmap_ldb:use rfc2307 = yes
> template shell = /bin/bash   #only needed so AD users can log into the 
> DC locally
> winbind use default domain = yes
> winbind enum users  = yes
> winbind enum groups = yes
>
> I also have to use the command 'net cache flush' on a semi-regular 
> basis (I run it via a cron job), or it seems that the DCs will 
> eventually revert back to the incorrect mappings.  I'm guessing that 
> what happens is that winbind checks for the rfc2307 value and for some 
> reason it doesn't get a response and then it adds an entry into the 
> idmap.ldb file.  Winbind then seems to prefer the idmap.ldb entry over 
> the rfc2307 values.  I'm not sure about all the details, but it works 
> for me.
>
> Mike E.
>
>
> On Tue, Jul 12, 2016 at 4:58 PM, Rowland penny <rpenny at samba.org 
> <mailto:rpenny at samba.org>> wrote:
>
>     On 12/07/16 21:46, Carlos A. P. Cunha wrote:
>
>
>         Note: This working because I had to change all the permissions
>         and the files were left with various "waste" of old
permissions.
>
>
>         Thanks
>
>
>         Em 12-07-2016 17:44, Carlos A. P. Cunha escreveu:
>
>
>             Hello!
>             Sorry for the confusion this where SERVER is SERVERAD(right)
>             At the time this all to work, but still followed the
>             message! Errors in logs.
>             And I'm afraid to change again.
>
>             : - |
>
>
>             Em 12-07-2016 17:40, Rowland penny escreveu:
>
>                 OK, you posted your smb.conf from your fileserver, it
>                 contained these lines:
>
>                 workgroup = SERVER
>
>                 and
>
>                 idmap config SERVERAD: backend = rid
>                 # I changed values ​​for test
>                 idmap config SERVERAD: range = 1000000000 to 9999999999
>
>                 I understand you changed the workgroup to post your
>                 smb.conf, but are the actual names for 'SERVER' and
>                 'SERVERAD' the same in your smb.conf, because they
>                 should be.
>
>                 This doesn't explain why you are getting private
>                 groups, could you check your AD to see if the groups
>                 exist.
>
>
>
>
>     I don't understand how your users/groups changed their IDs, on the
>     DC RIDs are mapped and stored in idmap.ldb, you are also using the
>     winbind 'rid' backend and again, the user/group IDs are mapped
>     from the RID by the algorithm:
>
>      ID = RID - BASE_RID + LOW_RANGE_ID
>
>     The BASE_RID is '0' so this becomes:
>
>     ID = RID + LOW_RANGE_ID
>
>     So unless you changed the range in smb.conf, your user/group IDs
>     shouldn't change.
>
>     I still don't understand where your private groups are coming
>     from, unless, are you running sssd or nlscd as well as winbindd ??
>
>     Rowland
>
>
>     -- 
>     To unsubscribe from this list go to the following URL and read the
>     instructions: https://lists.samba.org/mailman/options/samba
>
>

I forgot to mention in the previous post, I do not have any of the "idmap
config" parameters in the smb.conf on any of the DCs.  I only use those
parameters on member servers.  I would try commenting those out on your
DC(s) and restarting samba and see if that helps.

Mike E.


On Tue, Jul 12, 2016 at 10:20 PM, Carlos A. P. Cunha <
carlos.hollow at gmail.com> wrote:
> Can return old id, returning the old values (changed the most at least
> two months)
>
> idmap config *: backend = tdb
> idmap config *:range = 5000-16777216
> idmap config SERVERAD: backend = rid
> idmap config SERVERAD: range = 5000-33554431
>
> The error parrou also, but I think the fact that a group with the same ID
> / GID if the User to the fact that the idmap values be crossing, even so
> I changed them ( mentioned above)
>
> Thank you
>
> Em 12-07-2016 18:26, Data Control Systems - Mike Elkevizth escreveu:
>
> I had the same (or similar) issue on my DCs with the gid being 100 and the
> uids being in the 3000000 range.   I'm not sure if you've already
set these
> in your smb.conf, but the relevant section in mine is:
>
> idmap_ldb:use rfc2307 = yes
> template shell = /bin/bash   #only needed so AD users can log into the DC
> locally
> winbind use default domain = yes
> winbind enum users  = yes
> winbind enum groups = yes
>
> I also have to use the command 'net cache flush' on a semi-regular
basis
> (I run it via a cron job), or it seems that the DCs will eventually revert
> back to the incorrect mappings.  I'm guessing that what happens is that
> winbind checks for the rfc2307 value and for some reason it doesn't get
a
> response and then it adds an entry into the idmap.ldb file.  Winbind then
> seems to prefer the idmap.ldb entry over the rfc2307 values.  I'm not
sure
> about all the details, but it works for me.
>
> Mike E.
>
>
> On Tue, Jul 12, 2016 at 4:58 PM, Rowland penny <rpenny at samba.org>
wrote:
>
>> On 12/07/16 21:46, Carlos A. P. Cunha wrote:
>>
>>>
>>> Note: This working because I had to change all the permissions and
the
>>> files were left with various "waste" of old permissions.
>>>
>>>
>>> Thanks
>>>
>>>
>>> Em 12-07-2016 17:44, Carlos A. P. Cunha escreveu:
>>>
>>>>
>>>> Hello!
>>>> Sorry for the confusion this where SERVER is SERVERAD(right)
>>>> At the time this all to work, but still followed the message!
Errors in
>>>> logs.
>>>> And I'm afraid to change again.
>>>>
>>>> : - |
>>>>
>>>>
>>>> Em 12-07-2016 17:40, Rowland penny escreveu:
>>>>
>>>>> OK, you posted your smb.conf from your fileserver, it
contained these
>>>>> lines:
>>>>>
>>>>> workgroup = SERVER
>>>>>
>>>>> and
>>>>>
>>>>> idmap config SERVERAD: backend = rid
>>>>> # I changed values ​​for test
>>>>> idmap config SERVERAD: range = 1000000000 to 9999999999
>>>>>
>>>>> I understand you changed the workgroup to post your
smb.conf, but are
>>>>> the actual names for 'SERVER' and
'SERVERAD' the same in your smb.conf,
>>>>> because they should be.
>>>>>
>>>>> This doesn't explain why you are getting private
groups, could you
>>>>> check your AD to see if the groups exist.
>>>>>
>>>>
>>>>
>>>
>> I don't understand how your users/groups changed their IDs, on the
DC
>> RIDs are mapped and stored in idmap.ldb, you are also using the winbind
>> 'rid' backend and again, the user/group IDs are mapped from the
RID by the
>> algorithm:
>>
>>  ID = RID - BASE_RID + LOW_RANGE_ID
>>
>> The BASE_RID is '0' so this becomes:
>>
>> ID = RID + LOW_RANGE_ID
>>
>> So unless you changed the range in smb.conf, your user/group IDs
>> shouldn't change.
>>
>> I still don't understand where your private groups are coming from,
>> unless, are you running sssd or nlscd as well as winbindd ??
>>
>> Rowland
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>
>
>

Hello!
This is in my member in DC will not use these parameters.


Thanks


Em 12-07-2016 23:48, Data Control Systems - Mike Elkevizth
escreveu:
> I forgot to mention in the previous post, I do not have any of the 
> "idmap config" parameters in the smb.conf on any of the DCs.  I
only
> use those parameters on member servers.  I would try commenting those 
> out on your DC(s) and restarting samba and see if that helps.
>
> Mike E.
>
>
> On Tue, Jul 12, 2016 at 10:20 PM, Carlos A. P. Cunha 
> <carlos.hollow at gmail.com <mailto:carlos.hollow at
gmail.com>> wrote:
>
>     Can return old id, returning the old values (changed the most at
>     least two months)
>
>     idmap config *: backend = tdb
>     idmap config *:range = 5000-16777216
>     idmap config SERVERAD: backend = rid
>     idmap config SERVERAD: range = 5000-33554431
>
>     The error parrou also, but I think the fact that a group with the
>     same ID / GID if the User to the fact that the idmap values be
>     crossing, even so I changed them (mentioned above)
>
>     Thank you
>
>
>     Em 12-07-2016 18:26, Data Control Systems - Mike Elkevizth escreveu:
>>     I had the same (or similar) issue on my DCs with the gid being
>>     100 and the uids being in the 3000000 range.   I'm not sure if
>>     you've already set these in your smb.conf, but the relevant
>>     section in mine is:
>>
>>     idmap_ldb:use rfc2307 = yes
>>     template shell = /bin/bash   #only needed so AD users can log
>>     into the DC locally
>>     winbind use default domain = yes
>>     winbind enum users  = yes
>>     winbind enum groups = yes
>>
>>     I also have to use the command 'net cache flush' on a
>>     semi-regular basis (I run it via a cron job), or it seems that
>>     the DCs will eventually revert back to the incorrect mappings. 
>>     I'm guessing that what happens is that winbind checks for the
>>     rfc2307 value and for some reason it doesn't get a response and
>>     then it adds an entry into the idmap.ldb file.  Winbind then
>>     seems to prefer the idmap.ldb entry over the rfc2307 values. 
I'm
>>     not sure about all the details, but it works for me.
>>
>>     Mike E.
>>
>>
>>     On Tue, Jul 12, 2016 at 4:58 PM, Rowland penny <rpenny at
samba.org
>>     <mailto:rpenny at samba.org>> wrote:
>>
>>         On 12/07/16 21:46, Carlos A. P. Cunha wrote:
>>
>>
>>             Note: This working because I had to change all the
>>             permissions and the files were left with various
"waste"
>>             of old permissions.
>>
>>
>>             Thanks
>>
>>
>>             Em 12-07-2016 17:44, Carlos A. P. Cunha escreveu:
>>
>>
>>                 Hello!
>>                 Sorry for the confusion this where SERVER is
>>                 SERVERAD(right)
>>                 At the time this all to work, but still followed the
>>                 message! Errors in logs.
>>                 And I'm afraid to change again.
>>
>>                 : - |
>>
>>
>>                 Em 12-07-2016 17:40, Rowland penny escreveu:
>>
>>                     OK, you posted your smb.conf from your
>>                     fileserver, it contained these lines:
>>
>>                     workgroup = SERVER
>>
>>                     and
>>
>>                     idmap config SERVERAD: backend = rid
>>                     # I changed values ​​for test
>>                     idmap config SERVERAD: range = 1000000000 to
>>                     9999999999
>>
>>                     I understand you changed the workgroup to post
>>                     your smb.conf, but are the actual names for
>>                     'SERVER' and 'SERVERAD' the same in
your
>>                     smb.conf, because they should be.
>>
>>                     This doesn't explain why you are getting
private
>>                     groups, could you check your AD to see if the
>>                     groups exist.
>>
>>
>>
>>
>>         I don't understand how your users/groups changed their IDs,
>>         on the DC RIDs are mapped and stored in idmap.ldb, you are
>>         also using the winbind 'rid' backend and again, the
>>         user/group IDs are mapped from the RID by the algorithm:
>>
>>          ID = RID - BASE_RID + LOW_RANGE_ID
>>
>>         The BASE_RID is '0' so this becomes:
>>
>>         ID = RID + LOW_RANGE_ID
>>
>>         So unless you changed the range in smb.conf, your user/group
>>         IDs shouldn't change.
>>
>>         I still don't understand where your private groups are
coming
>>         from, unless, are you running sssd or nlscd as well as
>>         winbindd ??
>>
>>         Rowland
>>
>>
>>         -- 
>>         To unsubscribe from this list go to the following URL and
>>         read the
>>         instructions: https://lists.samba.org/mailman/options/samba
>>
>>
>
>

On 13/07/16 03:20, Carlos A. P. Cunha wrote:
>
> Can return old id, returning the old values (changed the most at least 
> two months)
>
> idmap config *: backend = tdb
> idmap config *:range = 5000-16777216
> idmap config SERVERAD: backend = rid
> idmap config SERVERAD: range = 5000-33554431
>
> The error parrou also, but I think the fact that a group with the same 
> ID / GID if the User to the fact that the idmap values be crossing, 
> even so I changed them (mentioned above)
>
> Thank you
>
>
Do not change the lower range value on a Samba fileserver once set, you 
can raise the upper value, but there is a proviso, the ranges must not 
overlap. This means your lines above are invalid, they both start at 
'5000' and the entire '*' range is inside the 'SERVERAD'
range.

If you change the lower range and you are using the 'rid' backend, all 
your IDs will change.

Rowland

I got it, so it must have been the problem ..
Strange that changed it more than one month at least.
Having these values now, how do you think I do?
Leave it or change at least the idmap config * values: range?

I understand the parameters:

idmap config *: range = Range of the Ids are User system

idmap config SERVERAD: range: DC User Range

Thank you


Em 13-07-2016 05:16, Rowland penny escreveu:
> On 13/07/16 03:20, Carlos A. P. Cunha wrote:
>>
>> Can return old id, returning the old values (changed the most at 
>> least two months)
>>
>> idmap config *: backend = tdb
>> idmap config *:range = 5000-16777216
>> idmap config SERVERAD: backend = rid
>> idmap config SERVERAD: range = 5000-33554431
>>
>> The error parrou also, but I think the fact that a group with the 
>> same ID / GID if the User to the fact that the idmap values be 
>> crossing, even so I changed them (mentioned above)
>>
>> Thank you
>>
>>
>
> Do not change the lower range value on a Samba fileserver once set, 
> you can raise the upper value, but there is a proviso, the ranges must 
> not overlap. This means your lines above are invalid, they both start 
> at '5000' and the entire '*' range is inside the
'SERVERAD' range.
>
> If you change the lower range and you are using the 'rid' backend,
all
> your IDs will change.
>
> Rowland
>