Group defined by the domain controller:

SID: S-1-5-21-283016044-3387516373-1648638545-513
Name: domänen-benutzer

OK:
>wbinfo -s S-1-5-21-283016044-3387516373-1648638545-513
AD\domänen-benutzer 2

OK:
>wbinfo -Y S-1-5-21-283016044-3387516373-1648638545-513
100513

not OK:
>wbinfo -G 100513
S-1-5-21-1492033937-915934465-2153502558-513

Should be (at least I think so):
S-1-5-21-283016044-3387516373-1648638545-513

But:
>wbinfo -Y S-1-5-21-1492033937-915934465-2153502558-513
100513

not OK:
>wbinfo --gid-info 100513
failed to call wbcGetgrgid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for gid 100513

and consequently not OK:
>ls -la
drwx------ 2 mletzgus2 100513 4096 Apr 25 22:30 mletzgus2
(should resolve to group name...)

smb.conf:

[global]
netbios name = uche-pc1-ml
server string = uche-pc1-ml
interfaces = lo eth0
socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
hosts allow = 129.70.70.0/24 129.70.172.0/23 127.0.0.1/8
realm = ad.uni-bielefeld.de
workgroup = ad
security = ads
template shell = /bin/bash
template homedir = /home/%D/%U
winbind use default domain = yes
winbind refresh tickets = yes
winbind offline logon = true
winbind enum users = no
winbind enum groups = no
allow trusted domains = No
idmap config *: backend = rid
idmap config *: range = 100000-1000000
wins server = 129.70.4.79 129.70.4.80 129.70.4.106
time server = yes
unix charset = utf8
load printers = no
syslog only = yes
min protocol = NT1
create mask = 0600
directory mask = 0700

[homes]
Valid Users = @AD\uche-pc1
read only = no
browseable = Yes

What's wrong here? Is it a kind of numeric problem because of my high RID-offset?

Maybe this is related to Bug 6605?

Two things:

1) "idmap config *: backend = rid" is not valid. The default backend has to be allocatable. The current man page also mentions that.

2) The group information retrieval of Samba includes group memberships, which is not always allowed for winbind. Only authenticated users can get that information for themselves. You might be lucky to get the ID resolution if you set "winbind expand groups = 0" and/or if you use "net setauthuser ...". The authuser one has to be considered more as a hack and should not be required. For Client machines everything should be okay anyways...
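
The mapping ambiguity behind point 1 of the reply above, as an added example that is not part of the thread and not Samba's code: it models the formula given in the idmap_rid man page (ID = RID - BASE_RID + LOW_RANGE_ID) and compares the posted wildcard config with a domain-scoped one. The names `RidConfig`, `sid_to_id` and `id_to_sid` are hypothetical, and binding the same range to the AD domain only is an assumption.

```python
# Added illustration: models the idmap_rid man page formula, not Samba source.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Domain SIDs as they appear in the report above.
AD_DOMAIN = "S-1-5-21-283016044-3387516373-1648638545"
OTHER_DOMAIN = "S-1-5-21-1492033937-915934465-2153502558"

@dataclass(frozen=True)
class RidConfig:                     # hypothetical name
    domain_sid: Optional[str]        # None models "idmap config * : backend = rid"
    low: int
    high: int
    base_rid: int = 0

def split_sid(sid: str) -> Tuple[str, int]:
    domain, _, rid = sid.rpartition("-")
    if not domain.startswith("S-1-") or not rid.isdigit():
        raise ValueError(f"not a domain-relative SID: {sid!r}")
    return domain, int(rid)

def sid_to_id(configs: List[RidConfig], sid: str) -> Optional[int]:
    """ID = RID - BASE_RID + LOW_RANGE_ID, for the first config that claims the SID."""
    domain, rid = split_sid(sid)
    for cfg in configs:
        if cfg.domain_sid in (None, domain):
            unix_id = rid - cfg.base_rid + cfg.low
            if cfg.low <= unix_id <= cfg.high:
                return unix_id
    return None

def id_to_sid(configs: List[RidConfig], unix_id: int) -> Optional[str]:
    """RID = ID + BASE_RID - LOW_RANGE_ID; the domain SID must come from the config."""
    for cfg in configs:
        if cfg.low <= unix_id <= cfg.high:
            if cfg.domain_sid is None:
                return None  # only the RID is recoverable, the owning domain is not
            return f"{cfg.domain_sid}-{unix_id + cfg.base_rid - cfg.low}"
    return None

WILDCARD = [RidConfig(None, 100000, 1000000)]     # as in the posted smb.conf
SCOPED = [RidConfig(AD_DOMAIN, 100000, 1000000)]  # assumption: rid bound to AD only

if __name__ == "__main__":
    for name, cfgs in (("wildcard", WILDCARD), ("scoped", SCOPED)):
        for dom in (AD_DOMAIN, OTHER_DOMAIN):
            print(name, dom, "->", sid_to_id(cfgs, f"{dom}-513"))
        print(name, "100513 ->", id_to_sid(cfgs, 100513))
```

In smb.conf terms the scoped case corresponds to `idmap config AD : backend = rid` with its own range, plus an allocating backend such as `tdb` on `idmap config *` with a separate, non-overlapping range. Where this model returns `None` for the wildcard reverse lookup, the report shows winbindd answering with a different domain's SID.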