Deprecated but still supported "idmap backend" actually is broken

simo idra at
Wed Oct 10 16:13:28 GMT 2007

On Wed, 2007-10-10 at 18:37 +0400, Dmitry Butskoy wrote:
> The "idmap backend" parameter is now deprecated, but it seems to be 
> supported for a while.
> Actually, for 3.0.26a, it is broken.
> Consider nsswitch/idmap.c:idmap_init() :
> If "idmap domains" config is not used, then "dom_list = 
> idmap_default_domain", but the last is just "default domain" string. As 
> a result, when I specify "idmap backend = rid:FOO=1000-2000" (and leave 
> "idmap domains" empty), the correspond domain name appears as "default 
> domain", not "FOO" ... Then "getent passwd <uidnumber>" does not work etc...

No anything that does not match is asked to the default domain.
So if FOO does not match the default domain is still queried for.

The problem you have is that we don't support the multiple rid domains
experimental feature of previous samba versions. If you need multiple
rid ranges you must use the new syntax.

just use:
idmap backend = rid
and specify the idmap uid and idmap gid ranges and it should just work.

I don't see any problem in the code, if you see it please be more
specific (point at specific lines in the code that you think are wrong,
or post logs that show evidence please).

> P.S. Can the new complicated "idmap config DOMAIN ...." be edited under 

I am not sure it does, perhaps not.


Simo Sorce
Samba Team GPL Compliance Officer <simo at>
Senior Software Engineer at Red Hat Inc. <ssorce at>

More information about the samba-technical mailing list