SOLVED Unable to join AD after upgrade from 9.10 to 11.1

Not open for further replies.


Mar 19, 2018
If this is in the wrong forum as this seems to be an upgrade issue, I apologize. This is where I found most of the non-answers to my problem when searching, so I'm hoping that this is the best place to help others with a similar issue. I also didn't find this specific problem reported in the forums with a couple quick searches, so sorry if this has been covered before.

I just made the jump from 9.10 to 11.1, and I was happy with how the upgrade went in almost all areas. However, I found that the connection to my Active Directory didn't seem to be working. At first I figured upgrades to Samba and friends may have changed or broken things like Kerberos tickets or machine account credentials, so I wiped everything out as best as I could and started over from scratch. I was seeing messages that the join was successful (I could even get a list of users using 'net ads user'), but Samba refused to start after the join. If I disabled AD, I could get the SMB service to start. I kept going back and forth, getting frustrated because I couldn't find anything in the logs. I even cleared out /var/log/samba4 and found that nothing was even generating a log when trying to start SMB after joining the domain.

Finally, I tried running testparm; lo and behold there was an error:
ERROR: The idmap range for the domain * (tdb) overlaps with the range of OCONNICICH (rid)!

The dump of the config showed this:
idmap config oconnicich: range = 20000-9000000000
idmap config oconnicich: backend = rid
idmap config *: range = 90000001-100000000
idmap config * : backend = tdb

I'm honestly not sure what my smb.conf file looked like before the upgrade, but I used the GUI to change the max for my domain from 9 billion to 90 million and magically everything started working again.
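
The overlap that testparm reported can also be found by parsing the idmap lines directly, which is useful for checking a saved smb.conf before and after an upgrade. The script below is an added example, not part of the original post and not Samba's own code; the function names parse_idmap and find_overlaps are hypothetical, and the sample input is the config dump quoted above.

```python
import re
from itertools import combinations

# Constructed sample: the testparm dump quoted in the post above.
SAMPLE_DUMP = """\
idmap config oconnicich: range = 20000-9000000000
idmap config oconnicich: backend = rid
idmap config *: range = 90000001-100000000
idmap config * : backend = tdb
"""

# "idmap config <domain> : <option> = <value>", tolerant of spacing around ':' and '='.
LINE_RE = re.compile(r"^\s*idmap\s+config\s+(.+?)\s*:\s*([\w ]+?)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(text):
    """Return {DOMAIN: {"range": (low, high), "backend": name}} from smb.conf text."""
    domains = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # comments and unrelated parameters do not match
        # Domain names are upper-cased so differently cased spellings compare equal.
        domain, option, value = m.group(1).upper(), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(domain, {})
        if option == "range":
            low, sep, high = value.partition("-")
            if not sep or int(low) > int(high):
                raise ValueError(f"bad idmap range for {domain}: {value!r}")
            entry["range"] = (int(low), int(high))
        elif option == "backend":
            entry["backend"] = value
    return domains

def find_overlaps(domains):
    """Return [(domain_a, domain_b, (low, high))] for every pair of overlapping ranges."""
    ranged = sorted((d, e["range"]) for d, e in domains.items() if "range" in e)
    overlaps = []
    for (a, (alo, ahi)), (b, (blo, bhi)) in combinations(ranged, 2):
        lo, hi = max(alo, blo), min(ahi, bhi)
        if lo <= hi:  # the intersection is non-empty, so IDs could collide
            overlaps.append((a, b, (lo, hi)))
    return overlaps

if __name__ == "__main__":
    for a, b, (lo, hi) in find_overlaps(parse_idmap(SAMPLE_DUMP)):
        print(f"idmap range for {a} overlaps {b}: {lo}-{hi}")
```

With the domain maximum lowered to 90 million, as in the fix described above, the same check returns no overlaps.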