samba - Jul 2016 - Failed to find domain Unix Group

On 14/07/16 13:32, Carlos A. P. Cunha wrote:
>
> Hello!
> Any opinion on that?
> Thank you
>
>
> Em 13-07-2016 10:52, Carlos A. P. Cunha escreveu:
>>
>> Thank you for the explanation.
>> Yes, it was a mistake to leave my two faxias that way, by the ID 
>> exchange reason the low range will leave as it was to have no problems
>> idmap config SERVERAD: range = 5000-33554431
>>
>> The range of up'm thinking of changing to something
>> idmap config *: range = 2000-4500
>>
>> Not to be superimposed.
>>
>> But it will it not cause problem ids trading again? Since it was 
>> before both inciado in 50000
>>
>> The procimo server will not make this mistake.
>>
>> Final doubt, I promise heheh :-D
>>
>> Thanks
>>
>>
>> Em 13-07-2016 10:32, Rowland penny escreveu:
>>> On 13/07/16 13:33, Carlos A. P. Cunha wrote:
>>>>
>>>> I got it, so it must have been the problem ..
>>>> Strange that changed it more than one month at least.
>>>> Having these values now, how do you think I do?
>>>> Leave it or change at least the idmap config * values: range?
>>>>
>>>> I understand the parameters:
>>>>
>>>> idmap config *: range = Range of the Ids are User system
>>>>
>>>> idmap config SERVERAD: range: DC User Range
>>>>
>>>> Thank you
>>>>
>>>>
>>>> Em 13-07-2016 05:16, Rowland penny escreveu:
>>>>> On 13/07/16 03:20, Carlos A. P. Cunha wrote:
>>>>>>
>>>>>> Can return old id, returning the old values (changed
the most at
>>>>>> least two months)
>>>>>>
>>>>>> idmap config *: backend = tdb
>>>>>> idmap config *:range = 5000-16777216
>>>>>> idmap config SERVERAD: backend = rid
>>>>>> idmap config SERVERAD: range = 5000-33554431
>>>>>>
>>>>>> The error parrou also, but I think the fact that a
group with the
>>>>>> same ID / GID if the User to the fact that the idmap
values be
>>>>>> crossing, even so I changed them (mentioned above)
>>>>>>
>>>>>> Thank you
>>>>>>
>>>>>>
>>>>>
>>>>> Do not change the lower range value on a Samba fileserver
once
>>>>> set, you can raise the upper value, but there is a proviso,
the
>>>>> ranges must not overlap. This means your lines above are
invalid,
>>>>> they both start at '5000' and the entire
'*' range is inside the
>>>>> 'SERVERAD' range.
>>>>>
>>>>> If you change the lower range and you are using the
'rid' backend,
>>>>> all your IDs will change.
>>>>>
>>>>> Rowland
>>>>>
>>>>
>>>
>>> OK, you need to find out just who owns what on your systems, if you
>>> find that something belongs to a number or to a user that it 
>>> shouldn't, then you have problems.
>>>
>>> If you look on the Samba wiki page for setting up a domain member, 
>>> you will find this for using the 'rid' backend:
>>>
>>>         # Default idmap config used for BUILTIN and local
accounts/groups
>>>         idmap config *:backend = tdb
>>>         idmap config *:range = 2000-9999
>>>
>>>         # idmap config for domain SAMDOM
>>>         idmap config SAMDOM:backend = rid
>>>         idmap config SAMDOM:range = 10000-99999
>>>
>>> The ranges were chosen for a reason, the '*' range
'2000-9999' is
>>> large enough for any windows SID-RIDS that need mapping and leaves 
>>> room below the range for any local Unix users that may be required.
>>> The domain range starts at '10000', this is also the
standard start
>>> number if you use ADUC & the Unix Attributes tab. If needed,
the
>>> range can be extended by raising '99999' to whatever is
required,
>>> this can be done whenever required, just don't change
'10000'
>>>
>>> If practicable, you could use the above ranges, but if it takes
less
>>> work to keep the ranges you are using now, then stay with them,
what
>>> I am trying to say is, go with whatever is easiest, just make sure 
>>> that ranges do not overlap.
>>>
>>> Rowland
>>>
>>
>
Sorry, didn't realise you were asking a question :-[

As long as the ranges do not overlap and you can work around any 
possible problems (note: I am not saying you will have problems, but 
possibly may have problems), then, the range you suggest will work.

Rowland

Hello!! Hehehe
Then, as already changed the values and problem had my idei and leave 
everything as it was, the two

idmap config *: range = 5000-16777216
idmap config SERVERAD: range = 5000-33554431


It is running more than one year and occurred only problems that I 
changed, I know the right and leave the range as you passed, but I can 
not have the ID change issues again (caused much headache).

So I was in doubt even if the only change
idmap config *: range to a lower value as 2000-4500, which impacts can I have?
Since this is not the range of DC User.

Thank you again.


Em 14-07-2016 09:36, Rowland penny escreveu:
> On 14/07/16 13:32, Carlos A. P. Cunha wrote:
>>
>> Hello!
>> Any opinion on that?
>> Thank you
>>
>>
>> Em 13-07-2016 10:52, Carlos A. P. Cunha escreveu:
>>>
>>> Thank you for the explanation.
>>> Yes, it was a mistake to leave my two faxias that way, by the ID 
>>> exchange reason the low range will leave as it was to have no
problems
>>> idmap config SERVERAD: range = 5000-33554431
>>>
>>> The range of up'm thinking of changing to something
>>> idmap config *: range = 2000-4500
>>>
>>> Not to be superimposed.
>>>
>>> But it will it not cause problem ids trading again? Since it was 
>>> before both inciado in 50000
>>>
>>> The procimo server will not make this mistake.
>>>
>>> Final doubt, I promise heheh :-D
>>>
>>> Thanks
>>>
>>>
>>> Em 13-07-2016 10:32, Rowland penny escreveu:
>>>> On 13/07/16 13:33, Carlos A. P. Cunha wrote:
>>>>>
>>>>> I got it, so it must have been the problem ..
>>>>> Strange that changed it more than one month at least.
>>>>> Having these values now, how do you think I do?
>>>>> Leave it or change at least the idmap config * values:
range?
>>>>>
>>>>> I understand the parameters:
>>>>>
>>>>> idmap config *: range = Range of the Ids are User system
>>>>>
>>>>> idmap config SERVERAD: range: DC User Range
>>>>>
>>>>> Thank you
>>>>>
>>>>>
>>>>> Em 13-07-2016 05:16, Rowland penny escreveu:
>>>>>> On 13/07/16 03:20, Carlos A. P. Cunha wrote:
>>>>>>>
>>>>>>> Can return old id, returning the old values
(changed the most at
>>>>>>> least two months)
>>>>>>>
>>>>>>> idmap config *: backend = tdb
>>>>>>> idmap config *:range = 5000-16777216
>>>>>>> idmap config SERVERAD: backend = rid
>>>>>>> idmap config SERVERAD: range = 5000-33554431
>>>>>>>
>>>>>>> The error parrou also, but I think the fact that a
group with
>>>>>>> the same ID / GID if the User to the fact that the
idmap values
>>>>>>> be crossing, even so I changed them (mentioned
above)
>>>>>>>
>>>>>>> Thank you
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> Do not change the lower range value on a Samba
fileserver once
>>>>>> set, you can raise the upper value, but there is a
proviso, the
>>>>>> ranges must not overlap. This means your lines above
are invalid,
>>>>>> they both start at '5000' and the entire
'*' range is inside the
>>>>>> 'SERVERAD' range.
>>>>>>
>>>>>> If you change the lower range and you are using the
'rid'
>>>>>> backend, all your IDs will change.
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>>
>>>>
>>>> OK, you need to find out just who owns what on your systems, if
you
>>>> find that something belongs to a number or to a user that it 
>>>> shouldn't, then you have problems.
>>>>
>>>> If you look on the Samba wiki page for setting up a domain
member,
>>>> you will find this for using the 'rid' backend:
>>>>
>>>>         # Default idmap config used for BUILTIN and local
accounts/groups
>>>>         idmap config *:backend = tdb
>>>>         idmap config *:range = 2000-9999
>>>>
>>>>         # idmap config for domain SAMDOM
>>>>         idmap config SAMDOM:backend = rid
>>>>         idmap config SAMDOM:range = 10000-99999
>>>>
>>>> The ranges were chosen for a reason, the '*' range
'2000-9999' is
>>>> large enough for any windows SID-RIDS that need mapping and
leaves
>>>> room below the range for any local Unix users that may be
required.
>>>> The domain range starts at '10000', this is also the
standard start
>>>> number if you use ADUC & the Unix Attributes tab. If
needed, the
>>>> range can be extended by raising '99999' to whatever is
required,
>>>> this can be done whenever required, just don't change
'10000'
>>>>
>>>> If practicable, you could use the above ranges, but if it takes
>>>> less work to keep the ranges you are using now, then stay with 
>>>> them, what I am trying to say is, go with whatever is easiest,
just
>>>> make sure that ranges do not overlap.
>>>>
>>>> Rowland
>>>>
>>>
>>
>
> Sorry, didn't realise you were asking a question :-[
>
> As long as the ranges do not overlap and you can work around any 
> possible problems (note: I am not saying you will have problems, but 
> possibly may have problems), then, the range you suggest will work.
>
> Rowland
>

Hello!

I changed to


idmap config *: range = 2000-4500

The BUILTIN:

uid=5500(administrator) gid=5513(domain users) groups=5513(domain 
users),5500(administrator),5520(group policy creator 
owners),5519(enterprise admins),9130(servad-1 $ acronis remote 
users),6530(kladmins),5518(schema admins),5512(domain 
admins),*2001(BUILTIN\users),2000(BUILTIN\administrators)*

I think this will get better then, so do not have overlapping values


Em 14-07-2016 10:16, Carlos A. P. Cunha escreveu:
>
> Hello!! Hehehe
> Then, as already changed the values and problem had my idei and leave 
> everything as it was, the two
>
> idmap config *: range = 5000-16777216
> idmap config SERVERAD: range = 5000-33554431
>
>
> It is running more than one year and occurred only problems that I 
> changed, I know the right and leave the range as you passed, but I can 
> not have the ID change issues again (caused much headache).
>
> So I was in doubt even if the only change
> idmap config *: range > to a lower value as 2000-4500, which impacts can
I have?
> Since this is not the range of DC User.
>
> Thank you again.
>
>
> Em 14-07-2016 09:36, Rowland penny escreveu:
>> On 14/07/16 13:32, Carlos A. P. Cunha wrote:
>>>
>>> Hello!
>>> Any opinion on that?
>>> Thank you
>>>
>>>
>>> Em 13-07-2016 10:52, Carlos A. P. Cunha escreveu:
>>>>
>>>> Thank you for the explanation.
>>>> Yes, it was a mistake to leave my two faxias that way, by the
ID
>>>> exchange reason the low range will leave as it was to have no
problems
>>>> idmap config SERVERAD: range = 5000-33554431
>>>>
>>>> The range of up'm thinking of changing to something
>>>> idmap config *: range = 2000-4500
>>>>
>>>> Not to be superimposed.
>>>>
>>>> But it will it not cause problem ids trading again? Since it
was
>>>> before both inciado in 50000
>>>>
>>>> The procimo server will not make this mistake.
>>>>
>>>> Final doubt, I promise heheh :-D
>>>>
>>>> Thanks
>>>>
>>>>
>>>> Em 13-07-2016 10:32, Rowland penny escreveu:
>>>>> On 13/07/16 13:33, Carlos A. P. Cunha wrote:
>>>>>>
>>>>>> I got it, so it must have been the problem ..
>>>>>> Strange that changed it more than one month at least.
>>>>>> Having these values now, how do you think I do?
>>>>>> Leave it or change at least the idmap config * values:
range?
>>>>>>
>>>>>> I understand the parameters:
>>>>>>
>>>>>> idmap config *: range = Range of the Ids are User
system
>>>>>>
>>>>>> idmap config SERVERAD: range: DC User Range
>>>>>>
>>>>>> Thank you
>>>>>>
>>>>>>
>>>>>> Em 13-07-2016 05:16, Rowland penny escreveu:
>>>>>>> On 13/07/16 03:20, Carlos A. P. Cunha wrote:
>>>>>>>>
>>>>>>>> Can return old id, returning the old values
(changed the most
>>>>>>>> at least two months)
>>>>>>>>
>>>>>>>> idmap config *: backend = tdb
>>>>>>>> idmap config *:range = 5000-16777216
>>>>>>>> idmap config SERVERAD: backend = rid
>>>>>>>> idmap config SERVERAD: range = 5000-33554431
>>>>>>>>
>>>>>>>> The error parrou also, but I think the fact
that a group with
>>>>>>>> the same ID / GID if the User to the fact that
the idmap values
>>>>>>>> be crossing, even so I changed them (mentioned
above)
>>>>>>>>
>>>>>>>> Thank you
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> Do not change the lower range value on a Samba
fileserver once
>>>>>>> set, you can raise the upper value, but there is a
proviso, the
>>>>>>> ranges must not overlap. This means your lines
above are
>>>>>>> invalid, they both start at '5000' and the
entire '*' range is
>>>>>>> inside the 'SERVERAD' range.
>>>>>>>
>>>>>>> If you change the lower range and you are using the
'rid'
>>>>>>> backend, all your IDs will change.
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>>
>>>>>
>>>>> OK, you need to find out just who owns what on your
systems, if
>>>>> you find that something belongs to a number or to a user
that it
>>>>> shouldn't, then you have problems.
>>>>>
>>>>> If you look on the Samba wiki page for setting up a domain
member,
>>>>> you will find this for using the 'rid' backend:
>>>>>
>>>>>         # Default idmap config used for BUILTIN and local
accounts/groups
>>>>>         idmap config *:backend = tdb
>>>>>         idmap config *:range = 2000-9999
>>>>>
>>>>>         # idmap config for domain SAMDOM
>>>>>         idmap config SAMDOM:backend = rid
>>>>>         idmap config SAMDOM:range = 10000-99999
>>>>>
>>>>> The ranges were chosen for a reason, the '*' range
'2000-9999' is
>>>>> large enough for any windows SID-RIDS that need mapping and
leaves
>>>>> room below the range for any local Unix users that may be 
>>>>> required. The domain range starts at '10000', this
is also the
>>>>> standard start number if you use ADUC & the Unix
Attributes tab.
>>>>> If needed, the range can be extended by raising
'99999' to
>>>>> whatever is required, this can be done whenever required,
just
>>>>> don't change '10000'
>>>>>
>>>>> If practicable, you could use the above ranges, but if it
takes
>>>>> less work to keep the ranges you are using now, then stay
with
>>>>> them, what I am trying to say is, go with whatever is
easiest,
>>>>> just make sure that ranges do not overlap.
>>>>>
>>>>> Rowland
>>>>>
>>>>
>>>
>>
>> Sorry, didn't realise you were asking a question :-[
>>
>> As long as the ranges do not overlap and you can work around any 
>> possible problems (note: I am not saying you will have problems, but 
>> possibly may have problems), then, the range you suggest will work.
>>
>> Rowland
>>
>