Following up... (samba list: please see https://bugs.debian.org/1002059)

The original report was for a system running buster (samba
2:4.9.5+dfsg-5+deb10u1). I managed to get things working again with
2:4.9.5+dfsg-5+deb10u2 by specifying a mapping for the default '*' idmap
domain:

    idmap config * : backend = tdb
    idmap config * : range = 4000000000-4294967295

I had not specified this before and things still worked. It's still
unclear to me what it was in the update that broke things, but such a
configuration was probably not intended to be supported anyway.

I also added, for the domain I am interested in idmapping

    idmap config <domain> : base_rid = 0

but I doubt that will have made much difference.

For clarity, the affected machines I am reporting on

- do not run kerberos
- are just 'domain member servers', joined to a domain via 'net rpc join'
- do run winbindd
- use 'passwd: files sss' and 'group: files sss' in /etc/nsswitch.conf

Kind regards

Vince

