idmap_ad group id mapping.

Nimrod Sapir NIMRODS at
Wed Jul 11 10:46:33 MDT 2012


When using id mapping with SFU for domain users, I've noticed that Samba 
tries to map the SID of the group defined as "primary group" for that user 
to a GID. However, there is no guarantee that this group has a gid 
defined, and if it does not, the mapping fails and the user cannot access 
the share.

However, in Active Directory with the SFU extension there is also the 
"primary group name/GID" field, which always contains a GID or a group name 
with a GID defined, and must be defined for a user that has a UID in the 
scheme. So, I guess that there should be a way to use this field instead of 
the "primary group" field in the "member of" tab.

I believe there is also an open Samba bug detailing the same problem:

Is that expected behavior? Is this a configuration issue? An open bug?

I am using Samba build 3.6.0-GIT-5b1b65c-devel. The relevant entries in 
my smb.conf file are:

        security = ads
        realm = SMBTEST.XIV.COM
        winbind enum users = no
        winbind enum groups = no
        winbind use default domain = no
        idmap config * : range = 100000-200000
        idmap config * : backend = tdb
        idmap config SMBTEST:backend = ad
        idmap config SMBTEST:schema mode = rfc2307
        idmap config SMBTEST:range = 200000 - 300000

Nimrod Sapir
IBM - XIV, Israel
NAS Development Team
Office: +972-3-689-7763
Cell:   +972-54-7726-320
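
An added example, not part of the original post and not Samba code: a Python audit for the condition described above, flagging users who have a uidNumber but whose primary group (SID built from primaryGroupID) has no gidNumber to map to. The directory records and domain SID are constructed sample data, the range is the SMBTEST one from the smb.conf above, and the out-of-range and missing-group checks go beyond the single case in the post.

```python
# Constructed sample records, shaped like attributes read from AD over LDAP.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed placeholder
ID_RANGE = (200000, 300000)  # "idmap config SMBTEST:range" from the post

GROUPS = [
    {"cn": "Domain Users", "objectSid": DOMAIN_SID + "-513"},  # no gidNumber
    {"cn": "unixusers", "objectSid": DOMAIN_SID + "-1105", "gidNumber": 200010},
    {"cn": "legacy", "objectSid": DOMAIN_SID + "-1106", "gidNumber": 500},
]
# The users' own gidNumber (the "primary group name/GID" field) is set for
# every Unix-enabled user, yet it is the primary group's SID that gets mapped.
USERS = [
    {"sAMAccountName": "alice", "uidNumber": 200001, "gidNumber": 200010, "primaryGroupID": 513},
    {"sAMAccountName": "bob", "uidNumber": 200002, "gidNumber": 200010, "primaryGroupID": 1105},
    {"sAMAccountName": "carol", "uidNumber": 200003, "gidNumber": 500, "primaryGroupID": 1106},
    {"sAMAccountName": "dave", "primaryGroupID": 513},  # no uidNumber: skipped
    {"sAMAccountName": "erin", "uidNumber": 200004, "gidNumber": 200010, "primaryGroupID": 9999},
]


def audit_primary_groups(users, groups, domain_sid=DOMAIN_SID, id_range=ID_RANGE):
    """Return (user, primary group SID, reason) for each user with a uidNumber
    whose primary group SID cannot be resolved to a GID inside id_range."""
    by_sid = {g["objectSid"]: g for g in groups}
    low, high = id_range
    findings = []
    for user in users:
        if "uidNumber" not in user:
            continue  # not Unix-enabled, so no ID mapping is expected
        # The primary group SID is the domain SID plus the RID in primaryGroupID.
        sid = f"{domain_sid}-{user['primaryGroupID']}"
        group = by_sid.get(sid)
        if group is None:
            reason = "primary group object not found"
        elif "gidNumber" not in group:
            reason = "primary group has no gidNumber"
        elif not low <= group["gidNumber"] <= high:
            reason = f"gidNumber {group['gidNumber']} outside idmap range"
        else:
            continue
        findings.append((user["sAMAccountName"], sid, reason))
    return findings


if __name__ == "__main__":
    for name, sid, reason in audit_primary_groups(USERS, GROUPS):
        print(f"{name}: {sid}: {reason}")
```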