similar to: idmap configuration after initial deployment needed?

I forgot about ldbsearch. Here is a dump of xid numbers. root at dc01:~# ldbsearch -H /var/lib/samba/private/idmap.ldb | grep xidNumber xidNumber: 3000028 xidNumber: 3000013 xidNumber: 3000033 xidNumber: 3000003 xidNumber: 3000032 xidNumber: 3000023 xidNumber: 3000019 xidNumber: 3000010 xidNumber: 65534 xidNumber: 3000031 xidNumber: 3000022 xidNumber: 3000026 xidNumber: 3000017 xidNumber: 3000027

Greetings, All! I've discovered a nasty mismatch in my recently upgraded domain. It seems that a number of builtin groups have mappings in idmap.ldb that overlap with posixAccount mappings in the sam.ldb. Namely, # file: var/lib/samba/sysvol/ads.example.com/scripts/ # owner: root # group: 544 user::rwx user:root:rwx group::rwx group:544:rwx group:30000:r-x group:30001:rwx

On Mon, Dec 1, 2014 at 11:39 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote: > I understand where you are coming from, I have written my own scripts to > maintain an S4 AD DC but as you say the documentation is a bit limited, so > I had to search and experiment to find out how to do things. The > documentation is getting better, but it will take time, if you have any

Il 16/02/18 13:43, Rowland Penny via samba ha scritto: > On Fri, 16 Feb 2018 13:10:16 +0100 > Francesco Malvezzi via samba <samba at lists.samba.org> wrote: > >> >> So just to recap: there were two problems: >> >> 1) the syntax mistake in smb.conf pointed up before; > > This wouldn't have helped. > >> 2) a logical mistake because wbinfo

On 03/07/15 15:18, Ryan Ashley wrote: > The only Unix client I can think of would be the Buffalo NAS. It runs > Samba3 and hosts various shares via SMB. DNS is handled by BIND9 on the > Samba4 DC. DNS does work and the domain name resolves to the IP address > of the server. DHCP is also handled on the DC. As for the GPO's, they're > in the correct place as far as I can tell.

Rowland, no domain user can authenticate on any system and running sysvolreset followed by sysvolcheck results in a crash. If the sysvol permissions are correct, sysvolcheck does not crash. If I attempt to join a NAS or workstation to the domain I get NT_STATUS_INVALID_SID. Researching these symptoms turns up a thread about a corrupt idmap.ldb where a group SID and user SID may be the same or

On 23 November 2017 at 14:16, Rowland Penny <rpenny at samba.org> wrote: > On Thu, 23 Nov 2017 14:01:03 +0200 > Ian Coetzee via samba <samba at lists.samba.org> wrote: > > > On 22 November 2017 at 17:45, Rowland Penny <rpenny at samba.org> wrote: > > > > > On Wed, 22 Nov 2017 16:01:17 +0200 > > > Ian Coetzee via samba <samba at

On 20/02/15 21:27, Davor Vusir wrote: > > Rowland Penny skrev den 2015-02-19 18:15: >> OK, there is a discussion over on samba-technical about nss_winbind >> and the question about Administrator being mapped to 0 was raised. >> Now I have always thought that it should, but in fairness, I decided >> to see what happens when it isn't, so I removed Administrator

On 03/07/15 15:58, Ryan Ashley wrote: > They left a PC on, so I got the info. The info pissed me off, but not > because of the issue. This time it worked flawlessly, but I got the > error from the event log from prior attempts. First, today's results. > > C:\Users\reachfp.KIGM>gpupdate > Updating Policy... > > User Policy update has completed successfully. >

Back on February 28, 2018, I started a thread "User permissions of profile/home directory lost" describing a problem occurring with my wife's user account. Since that time the random problem has persisted so I turned on some debugging. I have been able to determine that somehow her account idmap is broken. Here is the entry for my wife's SID as found in the idmap.ldb file

Rowland, Thank you for the quick response. I have just run net cache flush no change in problem. I have dumped the idmap.ldp using ldbsearch -H /var/lib/samba/private/idmap.ldb > idmap.txt and did some sorting, that is how I found the duplicates. On 1/13/2017 11:09 AM, Rowland Penny via samba wrote: > samba-tool ntacl > >sysvolreset

On Tue, Dec 2, 2014 at 11:15 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote: > >> Doh, I missed that, well spotted Steve. > > Do not alter idmap.ldb, leave it alone, use RFC2307 attributes where > possible and join my campaign to get winbindd to pull all the attributes :-D > So, the xidNumber isn't needed? I'm going to be use SSSD for local auth,

I've spent some time updating, upgrading and generally consolidating an old Samba AD. I've managed to remove a very old unsupported (4.2) Samba AD DC following migration to a couple of new DC's - that seems to have worked out OK. Workstation logons and GPO's working fine. I'm now left with one problem after joining a new Samba (4.5.12) member server to the domain for file

On 02/07/15 16:55, Ryan Ashley wrote: > Rowland, here is what I found in the ldb. > > # record 68 > dn: CN=S-1-5-32-544 > cn: S-1-5-32-544 > objectClass: sidMap > objectSid: S-1-5-32-544 > type: ID_TYPE_BOTH > xidNumber: 3000000 > distinguishedName: CN=S-1-5-32-544 > > # record 70 > dn: CN=S-1-5-32-549 > cn: S-1-5-32-549 > objectClass: sidMap >

On 25.02.2019 10:20, Rowland Penny via samba wrote: > On Mon, 25 Feb 2019 09:24:24 +0100 > Viktor Trojanovic via samba <samba at lists.samba.org> wrote: > > > >>>> I'm confused.. how is the choice of the idmap backend related to an >>>> AD DC use case? >>> Only in the case of wanting the same ID everywhere. >> In my understanding, the

On 1/13/2017 3:30 PM, Rowland Penny wrote: > On Fri, 13 Jan 2017 15:20:52 -0500 > Bob Thomas <bthomas at cybernetics.com> wrote: > >> On 1/13/2017 1:45 PM, Rowland Penny wrote: >>> On Fri, 13 Jan 2017 13:30:14 -0500 >>> Bob Thomas <bthomas at cybernetics.com> wrote: >>> >>>> Rowland, >>>>>> Thank you for the quick

OK, there is a discussion over on samba-technical about nss_winbind and the question about Administrator being mapped to 0 was raised. Now I have always thought that it should, but in fairness, I decided to see what happens when it isn't, so I removed Administrator from idmap.ldb and restarted samba. Before restarting samba, I checked a few things, on the DC, getfacl returned this for

Hi everyone The s4 Domain Users group has xidNumber: 100 and the Linux users group has gidNumber=100. I've been mapping xidNumber <--> gidNumber for s4 posix groups I've added myself, but this causes a name collision for Domain Users. This also has implications on Linux as local users have access to the group owned stuff of Domain users. I've changed the xidNumber in

On 10/09/2016 02:51 AM, Rowland Penny via samba wrote: > Have you by any chance got another 3001108 'xidNumber' in idmap.ldb ? > If you give a user a 'uidNumber' attribute, the contents of this will be > used instead of the 'xidNumber' in idmap.ldb, hence you do not need to > (and probably shouldn't) use numbers in the '3000000' range. I managed to

GPO's fail to apply on Windows clients and sysvol permission errors are logged. DC is Samba 4.13.0 created via a classic upgrade. Logged sysvol errors (uid 5025 is the system I ran gpupdate on, don't know what uid 3000011 refers to): =================================== Oct 25 12:17:09 srvr01 smbd[3762]: [2020/10/25 12:17:09.695062, 0]