Samba4 idmap using uidNumber/gidNumber

Stefan (metze) Metzmacher metze at
Sun Jun 10 15:30:44 MDT 2012

Hi Andrew,

> Attached is a patch that I know you and a number of our users will be
> interested in.  This patch makes Samba4 honour the uidNumber/gidNumber
> attributes in the directory, when present.
>
> This is done in a simple manner - we simply search the directory first.
> No attempt at resolving conflicts with the idmap.ldb is done, the
> directory simply wins.
>
> I haven't had a chance to test this yet (just got it to compile), but if
> you wish to test/comment in a non-production environment, it will assist
> us in bringing this important functionality to the Samba 4.0 release.
>
> Beyond this, the next step will be to make the 'samba-tool domain
> samba3upgrade' tool populate these mappings, rather than idmap.ldb.
>
> Michael,
>
> If you have any thoughts or comments on how this is done, please let me
> know.  I would have liked to call into idmap_ad directly, but it is tied
> too much into the s3 winbind to use directly, so I've instead just tried
> to make it compatible.  The additional behaviour that I can see is that
> there is no idmap range specified (all uidNumber values in the directory
> are accepted) and we fall back to an ldb mapping on failure to find an
> AD mapping.

I think we should not mix this; there needs to be a configuration option
to trigger the new behavior. For ID_MAP_BOTH we should check if the object
has uidNumber and gidNumber on the same object with the same value.
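
The behaviour discussed in this thread, sketched as an added example (not code from the patch or from Samba): directory ids are honoured only when a switch is on, a BOTH mapping is accepted only when uidNumber and gidNumber sit on the same object with the same value, and anything else falls back to a local allocator. The function names, the `use_directory_ids` switch, the fallback on mismatch, the allocator start value and the sample entries are assumptions made for illustration.

```python
from enum import Enum

class IdType(Enum):
    UID = "ID_TYPE_UID"
    GID = "ID_TYPE_GID"
    BOTH = "ID_TYPE_BOTH"

def _posix_id(entry, attr):
    """Return a single-valued numeric attribute as int, else None."""
    values = entry.get(attr, [])
    if len(values) != 1:
        return None  # absent or multi-valued: do not guess
    try:
        value = int(values[0])
    except ValueError:
        return None
    # Constructed sanity bound: 4294967295 is (uid_t)-1 on a 32-bit uid_t.
    return value if 0 <= value < 2**32 - 1 else None

def make_ldb_allocator(start=3000000):
    """Stand-in for an idmap.ldb style allocator (start value is constructed)."""
    table = {}
    def allocate(sid):
        return table.setdefault(sid, start + len(table))
    return allocate

def map_sid(entry, wanted, use_directory_ids, ldb_fallback):
    """Map one directory object to (unix_id, IdType, source).

    entry is a dict of attribute -> list of strings, a constructed stand-in
    for a directory search result. use_directory_ids is a hypothetical name
    for the configuration option requested in the reply.
    """
    if use_directory_ids:
        uid = _posix_id(entry, "uidNumber")
        gid = _posix_id(entry, "gidNumber")
        if wanted is IdType.UID and uid is not None:
            return uid, IdType.UID, "directory"
        if wanted is IdType.GID and gid is not None:
            return gid, IdType.GID, "directory"
        # BOTH needs both attributes on this one object with one value.
        if wanted is IdType.BOTH and uid is not None and uid == gid:
            return uid, IdType.BOTH, "directory"
    # Assumption: a missing or mismatched directory id falls back to the ldb.
    return ldb_fallback(entry["objectSid"][0]), wanted, "idmap.ldb"

# Constructed sample objects; the SIDs and ids are made up.
USER = {"objectSid": ["S-1-5-21-1-2-3-1104"], "uidNumber": ["10004"], "gidNumber": ["10000"]}
GROUP = {"objectSid": ["S-1-5-21-1-2-3-1105"], "uidNumber": ["20001"], "gidNumber": ["20001"]}
PLAIN = {"objectSid": ["S-1-5-21-1-2-3-1106"]}
```

With the switch off, every object goes through the local allocator, so enabling the option on an existing installation changes the ids of objects that carry the attributes.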



More information about the samba-technical mailing list