SUSE Linux 11.2 LDAP to AD

Pavetto, David david.pavetto at
Thu Jul 11 08:59:24 MDT 2013

So David,

I did use YaST to set this up, and yes, we are using winbind. Since I did use YaST to set this up initially, is there anything I need to do to remove idmap_tdb, or will this just be completed within the samba.conf file? Just asking; I want to understand going forward, since we have a ton of servers to install and just want to script this out.

Thanks for your patience


-----Original Message-----
From: David Disseldorp [mailto:ddiss at] 
Sent: Wednesday, July 10, 2013 12:35 PM
To: Pavetto, David
Cc: samba-technical at; Slaga, Joseph; Crawford, Vicki; Janssen, Brenda; Sogge, Jane; Spellman, Ron
Subject: Re: SUSE Linux 11.2 LDAP to AD

Hi Dave,

On Wed, 10 Jul 2013 16:04:10 +0000
"Pavetto, David" <david.pavetto at> wrote:

> I work for HP as an engineer/architect.
> I have been working on a project that needs or wants LDAP from a SUSE Linux 11.2 to point to AD 2012. Authentication and automount work well, but we are having an issue passing the UID and GID from AD to the Linux servers. Every time I log in I get a UID over 10000, the same with the UID.
> What I need is for the GID and UID to match what is in AD.
> I am using Samba for authentication.
> Is there a file that states this, besides the samba.conf file?
> Has anyone come across this before, and is there a fix for it?

It's difficult to provide a solution without seeing more configuration
details. I'll assume that you're using winbind for AD authentication and

When configured via YaST, Samba uses the idmap_tdb idmap backend. This
backend does not take into account the rfc2307 UID and GID attributes
defined in AD; instead, it allocates these values to corresponding Windows
SIDs within the configured idmap range on a first-come first-served basis.

idmap_ad can instead be configured to pull these values from AD. See the
idmap_ad man page for details.

Cheers, David
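
An added example, not part of either message and not Samba's own code: a small Python audit, of the kind that could be scripted across many servers, reporting whether an smb.conf would take a domain's UIDs and GIDs from AD via idmap_ad instead of allocating them as the reply above describes. It assumes the `idmap config DOMAIN : option` syntax of smb.conf; the domain name EXAMPLE, the ranges and both sample configurations are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample: only the allocating tdb backend (the behaviour the reply describes).
TDB_ONLY = """[global]
    workgroup = EXAMPLE
    idmap config * : backend = tdb
    idmap config * : range = 10000-20000
"""
# Constructed sample: idmap_ad for the hypothetical domain EXAMPLE, tdb for everything else.
AD_RFC2307 = """[global]
    workgroup = EXAMPLE
    idmap config * : backend = tdb
    idmap config * : range = 100000-199999
    idmap config EXAMPLE : backend = ad
    idmap config EXAMPLE : schema_mode = rfc2307
    idmap config EXAMPLE : range = 500-99999
"""

def global_params(text):
    """Parse [global] into {normalised lowercase key: value}."""
    params, section = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            key = re.sub(r"\s*:\s*", " : ", " ".join(key.lower().split()))
            params[key] = value.strip()
    return params

def audit_idmap(text, domain):
    """Return reasons `domain` would not take UIDs/GIDs from AD; [] means it would."""
    p, dom, problems = global_params(text), domain.lower(), []
    def rng(name):
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", p.get(f"idmap config {name} : range", ""))
        return (int(m.group(1)), int(m.group(2))) if m else None
    backend = p.get(f"idmap config {dom} : backend", "").lower()
    if backend != "ad":
        problems.append(f"backend for {domain} is {backend or 'not set'}, not ad")
    if p.get(f"idmap config {dom} : schema_mode", "").lower() != "rfc2307":
        problems.append("schema_mode is not rfc2307")
    own, default = rng(dom), rng("*")
    if own is None:
        problems.append(f"no idmap range for {domain}")
    elif default and own[0] <= default[1] and default[0] <= own[1]:
        problems.append("domain range overlaps the default (*) range")
    return problems
```

The domain range has to cover the uidNumber and gidNumber values actually stored in AD, which this check cannot see from the configuration file alone.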
