idmap_ad group id mapping.

Michael Adam
Wed Jul 11 16:20:57 MDT 2012

Hi Nimrod,

Nimrod Sapir wrote:
> Hi
> When using id mapping with SFU for domain users, I've noticed that Samba 
> tries to map the SID of the group defined as "primary group" for that user 
> to a GID. However, there is no guarantee that this group has a gid 
> defined, and if it does not, the mapping fails and the user cannot access 
> the share.
> However, in Active Directory with SFU extension there is also the "primary 
> group name/GID" field which always contains a GID or a group name with GID 
> defined, and must be defined for a user which has UID in the scheme. So, I 
> guess that there should be a way to use this field instead of the "primary 
> group" field in the "member of" tab. 
> I believe there is also an open samba bug detailing the same problem: 
> Is that an expected behavior? Is this a configuration issue? Open bug?

Yes, this is actually how it should work:
Samba takes the windows user token and turns it into
a unix token. Here the expected thing is to turn the windows
groups into unix groups (by id mapping) one-to-one.

I would say that the windows admins should give the
user a primary (windows) group that also carries a gidnumber
unix attribute. I can't see why a windows admin would give
the user a primary windows group (maybe w/o gid number) and
primary gid number in the unix attributes that refers to a
different windows group or to no windows group at all.

But it seems to be a rather frequent request.
If it is really important, then we could make it configurable
to let samba choose the primary gid from the windows user
sfu attributes as the unix primary gid.

Note on your config below:
The ranges for "*" and "SMBTEST" overlap (by one id: 200000).
You should exclude that from one of the ranges.

Cheers - Michael

> I am using Samba build 3.6.0-GIT-5b1b65c-devel. The relevant entries in 
> my smb.conf file are:
>         security = ads
>         realm = SMBTEST.XIV.COM
>         winbind enum users = no
>         winbind enum groups = no
>         winbind use default domain = no
>         idmap config * : range = 100000-200000
>         idmap config * : backend = tdb
>         idmap config SMBTEST:backend = ad
>         idmap config SMBTEST:schema mode = rfc2307
>         idmap config SMBTEST:range = 200000 - 300000
> Thanks!
> Nimrod Sapir
> IBM - XIV, Israel
> NAS Development Team
> Office: +972-3-689-7763
> Cell:   +972-54-7726-320
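The overlap Michael points out is easy to miss by eye, so here is an added example (not code from the thread or from Samba) that parses the "idmap config <domain> : range" lines out of an smb.conf fragment and reports every pair of domains whose ranges share at least one id. The sample configuration embedded below is a constructed copy of the idmap lines Nimrod posted, plus the fix Michael suggests; the function names and the regular expression are this example's own. The reason the check matters: Samba requires the ranges of all idmap domains (including the default "*" domain) to be disjoint, because an id that lies in two ranges can be allocated by two different backends for two different SIDs, and two accounts then collide on one unix uid/gid.

```python
"""Added example: detect overlapping Samba idmap ranges in an smb.conf fragment."""

import re
from typing import Dict, List, Tuple

# Matches both spellings seen in the thread:
#   "idmap config * : range = 100000-200000"
#   "idmap config SMBTEST:range = 200000 - 300000"
IDMAP_RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+([^:]+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
    re.IGNORECASE,
)


def parse_idmap_ranges(smb_conf: str) -> Dict[str, Tuple[int, int]]:
    """Return {domain: (low, high)} for every idmap range line.

    Samba's range bounds are inclusive, so (100000, 200000) contains 200000.
    """
    ranges: Dict[str, Tuple[int, int]] = {}
    for line in smb_conf.splitlines():
        m = IDMAP_RANGE_RE.match(line)
        if m:
            ranges[m.group(1).strip()] = (int(m.group(2)), int(m.group(3)))
    return ranges


def find_overlaps(ranges: Dict[str, Tuple[int, int]]) -> List[Tuple[str, str, int, int]]:
    """Return (domain_a, domain_b, first_shared_id, last_shared_id) per overlapping pair."""
    names = sorted(ranges)
    overlaps: List[Tuple[str, str, int, int]] = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            lo = max(ranges[a][0], ranges[b][0])
            hi = min(ranges[a][1], ranges[b][1])
            if lo <= hi:  # inclusive ranges share at least one id
                overlaps.append((a, b, lo, hi))
    return overlaps


# Constructed copy of the idmap lines from the posted smb.conf: the "*" and
# SMBTEST ranges both contain 200000.
POSTED_CONF = """\
    security = ads
    realm = SMBTEST.XIV.COM
    idmap config * : range = 100000-200000
    idmap config * : backend = tdb
    idmap config SMBTEST:backend = ad
    idmap config SMBTEST:schema mode = rfc2307
    idmap config SMBTEST:range = 200000 - 300000
"""

# The fix suggested in the reply: drop 200000 from one of the two ranges.
FIXED_CONF = POSTED_CONF.replace("100000-200000", "100000-199999")


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_CONF), ("fixed", FIXED_CONF)):
        found = find_overlaps(parse_idmap_ranges(conf))
        print(label, "overlaps:", found or "none")
```

Run against the posted fragment it reports that "*" and "SMBTEST" share exactly one id, 200000; after shrinking the default range to 100000-199999 it reports none. The same check is worth running on every smb.conf that declares more than one idmap domain, since Samba will not necessarily refuse to start on an overlap.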

More information about the samba-technical mailing list