SOLVED Unable to join AD after upgrade from 9.10 to 11.1

Mar 19, 2018
If this is in the wrong forum as this seems to be an upgrade issue, I apologize. This is where I found most of the non-answers to my problem when searching, so I'm hoping that this is the best place to help others with a similar issue. I also didn't find this specific problem reported in the forums with a couple quick searches, so sorry if this has been covered before.

I just made the jump from 9.10 to 11.1, and I was happy with how the upgrade went in almost all areas. However, I found that the connection to my Active Directory didn't seem to be working. At first I figured upgrades to Samba and friends may have changed or broken things like Kerberos tickets or machine account credentials, so I wiped everything out as best as I could and started over from scratch. I was seeing messages that the join was successful (I could even get a list of users using 'net ads user'), but Samba refused to start after the join. If I disabled AD, I could get the SMB service to start. I kept going back and forth, getting frustrated because I couldn't find anything in the logs. I even cleared out /var/log/samba4 and found that nothing was even generating a log when trying to start SMB after joining the domain.

Finally, I tried running testparm; lo and behold there was an error:
ERROR: The idmap range for the domain * (tdb) overlaps with the range of OCONNICICH (rid)!

The dump of the config showed this:
idmap config oconnicich: range = 20000-9000000000
idmap config oconnicich: backend = rid
idmap config *: range = 90000001-100000000
idmap config * : backend = tdb

I'm honestly not sure what my smb.conf file looked like before the upgrade, but I used the GUI to change the max for my domain from 9 billion to 90 million and magically everything started working again.
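
Added example, not part of the original post and not FreeNAS or Samba code: a small Python check that parses `idmap config` lines like the ones in the dump above and reports any domains whose ID ranges intersect, which is the condition testparm rejected. The function names `parse_idmap` and `find_overlaps` are hypothetical, and the "fixed" input is constructed from the post's description of lowering the domain maximum to 90 million.

```python
import re
from itertools import combinations

# Matches lines such as "idmap config * : backend = tdb"
IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(.+?)\s*:\s*(range|backend)\s*=\s*(.+?)\s*$", re.I)

# The config dump exactly as posted above.
BROKEN = """\
idmap config oconnicich: range = 20000-9000000000
idmap config oconnicich: backend = rid
idmap config *: range = 90000001-100000000
idmap config * : backend = tdb
"""
# Constructed: the same dump with the domain maximum lowered to 90 million.
FIXED = BROKEN.replace("20000-9000000000", "20000-90000000")

def parse_idmap(text):
    """Return {DOMAIN: {"range": (low, high), "backend": name}}."""
    domains = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        # Domain names are upper-cased here to match the testparm message.
        domain, key, value = m.group(1).upper(), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(domain, {})
        if key == "range":
            low, high = (int(part) for part in value.split("-", 1))
            if low > high:
                raise ValueError(f"idmap range for {domain} is inverted: {value}")
            entry["range"] = (low, high)
        else:
            entry["backend"] = value
    return domains

def find_overlaps(domains):
    """Return (domain_a, domain_b, (low, high)) for each intersecting pair."""
    ranged = sorted((d, e["range"]) for d, e in domains.items() if "range" in e)
    overlaps = []
    for (a, (a_lo, a_hi)), (b, (b_lo, b_hi)) in combinations(ranged, 2):
        lo, hi = max(a_lo, b_lo), min(a_hi, b_hi)
        if lo <= hi:  # the two inclusive ranges share at least one ID
            overlaps.append((a, b, (lo, hi)))
    return overlaps

if __name__ == "__main__":
    for label, text in (("before", BROKEN), ("after", FIXED)):
        print(label, find_overlaps(parse_idmap(text)) or "no overlapping ranges")
```

On the posted dump, the whole default (`*`) range falls inside the domain's range; with the maximum at 90 million the two ranges sit side by side without sharing an ID.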
