similar to: SOLVED: BUILTIN\Administrators - failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND

> You may get away with using the 'rid' backend, but this will have to be> your choice, but whatever you choose, I am sure we can help you get to> a working domain.> > RowlandSo I have an example. We have file and print server based on CentOS 7 with Samba 4.4.4. As wiki said (https://wiki.samba.org/index.php/Setting_up_Automatic_Printer_Driver_Downloads_for_Windows_Clients)

Thank you very much for clarifying the ID mapping "magic";) > You do not need 'posixgroup', it is an auxiliary objectclass of group, you can add any of the rfc2307 attributes without it. Well, is there any option to remove it? Because "posixgroup" is on every group that was migrated from Samba 3. And I cannot edit this attribute in ADUC (delete button is grayed).

I do think its a classic upgrade from 3.x to 4.x that causes this. And the samba 3 was a samba with smbldap-tools or configured with something like : net groupmap add ntgroup="Domain Admins" unixgroup=domadm rid=512 type=d ( as shown here https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html ) > -----Oorspronkelijk bericht----- > Van: samba

Ah, so you did find a bug in the classic upgrade :-) great, one less in the future samba ;-) One extra to remember. Greetz, Louis > -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens > Rowland Penny via samba > Verzonden: woensdag 6 september 2017 16:40 > Aan: samba at lists.samba.org > Onderwerp: Re: [Samba]

Well, we are getting somewere...;) >It is probably 'greyed' out because no Windows tools use it or will add it. You will probably need to use Unix tools (ldb or ldap) to remove>them, but you can if you so wish ignore them. What you should never do is to rely on them being there, because they may or may not be there.Ok, I'll let it be there> You need to remove the gidNumber

>When you provision a new domain, it is set 3000000, but, seemingly, when you run the classicupgrade it gets sets to a lower number (never actually run a classicupgrade) based on what is in your old domain. > Not sure what to suggest here, do you feel up to sending me (offlist) a copy of your idmap.ldb ? > >Rowland Thank you again, Rowland, for your time. I think that different ID

Rowland, Are (one) these not an option for him to correct this? --allocate-uid Get a new UID out of idmap --allocate-gid Get a new GID out of idmap --set-uid-mapping=UID,SID Create or modify uid to sid mapping in idmap --set-gid-mapping=GID,SID Create or modify gid

To Rowland: > This was perfectly common, nobody thought this would ever be a problem,mainly because you had to have a user or group in /etc/passwd> or /etc/group mapped to a Samba. Now with AD, you do not need a user or group in /etc/passwd or /etc/group, so any user or group that uses the RID as a Unix ID is> probably too low and is denying the use of any local Unix users Yes, but where

Hello everyone. I'm trying to fix sysvol rights, because i see errors in output of /usr/bin/samba-tool ntacl sysvolcheck ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/samdom.svmetal.cz/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}

> I feel this all has something to do with the classicupgrade, the command works for me, does 'wbinfo --sid-to-gid="S-1-5-32-544"' work ?Yes. Take a look:wbinfo --sid-to-gid="S-1-5-32-544" 15538wbinfo --gid-info=15538 BUILTIN\administrators:x:15538: > I haven't received it yet, but will examine and comment on it when I do.I sent it to <rpenny at

>On Wed, 06 Sep 2017 11:24:17 +0200>Jiří Černý via samba <samba at lists.samba.org ( https://lists.samba.org/mailman/listinfo/samba) > wrote:>>> I feel this all has something to do with the classicupgrade, the>> command works for me, does 'wbinfo --sid-to-gid="S-1-5-32-544"'>> work ?>> Yes. Take a look:wbinfo

Yes, that's exactly what I've done.Ok, my group has name "IT admins", but logic is same;)Thank you. However I have one more problem. If I create new group or user and give it UID/GID, this is immediately reachable on linux server. id user, or getent group/passwd and also wbinfo -u/-g/-i can list info about it. But if I assign group to user (or deassign), it spends a lot of time

On Wed, 06 Sep 2017 10:24:08 +0200 Jiří Černý via samba <samba at lists.samba.org> wrote: > Thank you again, Rowland, for your time. > I think that different ID ranges in my domain is ok, at lest we will > survive it, Is it desired behavior, as I assume, that getent group > cannot list Domain Admins (and other groups) without setting UNIX GID. > GPO processing is now ok, at

Thank you both, Rowland and Louis. I'll try to answer you both and give you more info about our domain. Generally: In the past, we have Samba 3.5 NT4 domain on SLES server (designed ages before, never upgraded). In 2015 I finally decided to migrate to Samba 4 AD. In those day it was 4.2. samba-tool ntacl sysvolcheck was ok, no errors. AD worked (and working) as expected. This summer, I

Hai, I leave the advice about the uid/gid numbering to Rowland, i can not give a good advice on that. The script was made in such a way that it should not matter what uid/gids are where used. The script looks them up for you, but it must be error free so we are sure what is set is correct. If you look in the script, you see the four SID. DC_SERVER_OPERATORS="S-1-5-32-549"

I have a brand-new install of Debian 8 without systemd and a freshly-built Samba 4 install with issues. I created this as a standalone AD DC, setup group policies, etc and then took it to the client location. Now nothing works. I keep getting "RPC server unavailable" on Windows machines and trying to list shares on the DC itself results in NT_STATUS_INVALID_SID. I am lost as there are

On Wed, 26 Oct 2016 17:27:37 -0400 Ryan Ashley via samba <samba at lists.samba.org> wrote: > I guess I should note that it seems like the high SIDs will resolve, > except for 300000. Below is an example. > > root at dc01:~# l /var/lib/samba/sysvol/medarts.lan/ > total 16 > drwxrws---+ 4 MEDARTS\reachfp 3000000 4096 Oct 17 17:45 Policies > drwxrws---+ 2 MEDARTS\reachfp

I guess I should note that it seems like the high SIDs will resolve, except for 300000. Below is an example. root at dc01:~# l /var/lib/samba/sysvol/medarts.lan/ total 16 drwxrws---+ 4 MEDARTS\reachfp 3000000 4096 Oct 17 17:45 Policies drwxrws---+ 2 MEDARTS\reachfp 3000000 4096 Oct 17 17:45 scripts root at dc01:~# l /var/lib/samba/sysvol/medarts.lan/Policies total 16 drwxrws---+ 5 MEDARTS\reachfp

Wait, now I'm confused. Idmap lines do not need to be set up on the DCs? Then how does windows figure's out the ids in the Unix Attributes tab? I thought you needed both rfc2307 and idmap on the DC and the members. Em 27/10/2016 05:39, Rowland Penny via samba escreveu: > On Wed, 26 Oct 2016 17:27:37 -0400 > Ryan Ashley via samba <samba at lists.samba.org> wrote: >

On Fri, 9 Dec 2016 11:11:56 +0100 "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote: > From: "Stefan G. Weichinger via samba" <samba at lists.samba.org> > To: samba at lists.samba.org > Subject: Re: [Samba] Samba on Debian 8; NT4 domain, win10 > Date: Fri, 9 Dec 2016 11:11:56 +0100 > Reply-To: "Stefan G. Weichinger"