If you set up a config like this: [root@client78 ~]# testparm -s Load smb config files from /etc/samba/smb.conf Loaded services file OK. Server role: ROLE_DOMAIN_MEMBER # Global parameters [global] debug pid = Yes kerberos method = secrets and keytab log file = /var/log/samba/log.%m max log size = 250000 realm = WIN23.LOCAL security = ADS template homedir = /home/%U@%D template shell = /bin/bash winbind offline logon = Yes winbind refresh tickets = Yes workgroup = WIN23 idmap config * : rangesize = 100000 idmap config * : range = 100000-200000 idmap config * : backend = autorid Samba will fail to get ID for domain user: [root@client78 ~]# wbinfo -u | grep winuser WIN23\winuser [root@client78 ~]# wbinfo -i WIN23\\winuser failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND Could not get info for user WIN23\winuser The reason is that the autorid range is too small. We need twice the amount. Also the manpage is wrong.
/var/log/samba/log.winbindd-idmap: High uid-low uid difference of 100001 is not a multiple of the rangesize 100000, limiting ranges to lower boundary number of 1 The range needs to be twice as big as the rangesize. We need to map BUILTIN too!
Patch will follow ...
$ ./bin/testparm -s | grep "idmap config" idmap config * : rangesize = 10000 idmap config * : range = 10000-19999 idmap config * : backend = autorid $ ./bin/wbinfo --name-to-sid BUILTIN/Administrators S-1-5-32-544 SID_ALIAS (4) $ ./bin/wbinfo --sid-to-gid S-1-5-32-544 10000 $ ./bin/wbinfo --name-to-sid ADDOMAIN/alice S-1-5-21-4058748110-895691256-3682847423-1107 SID_USER (1) $ ./bin/wbinfo --sid-to-gid S-1-5-21-984165912-589366285-3903095728-1107 failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND Could not convert sid S-1-5-21-984165912-589366285-3903095728-1107 to gid If only one range is configured we are either not able to map users/groups from our primary *and* the BUILTIN domain. We need at least two ranges to also cover the BUILTIN domain!
This bug was referenced in samba master: fe84ae5547313e482ea0eba8ddca5b38a033dc8f db6d4da3411a910e7ce45fe1fecfabf2864eb9f4 7e5afd8f1f7e5cfab1a8ef7f4293ac465b7cd8de
Created attachment 17167 [details] patch for 4.16
Created attachment 17168 [details] patch for 4.15
Comment on attachment 17167 [details] patch for 4.16 LGTM, RB+
Comment on attachment 17168 [details] patch for 4.15 LGTM, RB+
Jule, please add to v4.15 and v4.16, thanks!
Pushed to autobuild-v4-{16,15}-test.
This bug was referenced in samba v4-15-test: 25778ada3ad60391f72206ff5dc43fc82f814547 8d35177370c869cf5f6bc7a750fa430a7378b1e9 49779a9f86fa933397fb1fb5dd5f02b65631ca81
This bug was referenced in samba v4-16-test: 0d27228e75c6cb30394306dff1d5764e8183ae4c be4e42f01fb958a0b7dbcd2d4ebc89991773ce49 48929ba6634c93174f9f863d9e9f59d2add4d720
Closing out bug report. Thanks!
This bug was referenced in samba v4-16-stable (Release samba-4.16.0rc4): 0d27228e75c6cb30394306dff1d5764e8183ae4c be4e42f01fb958a0b7dbcd2d4ebc89991773ce49 48929ba6634c93174f9f863d9e9f59d2add4d720
This bug was referenced in samba v4-15-stable (Release samba-4.15.6): 25778ada3ad60391f72206ff5dc43fc82f814547 8d35177370c869cf5f6bc7a750fa430a7378b1e9 49779a9f86fa933397fb1fb5dd5f02b65631ca81