[PATCH] Check idmap config with testparm

Volker Lendecke vl at samba.org
Thu Dec 8 08:48:25 UTC 2016


On Thu, Dec 08, 2016 at 07:58:40AM +0000, Rowland Penny wrote:
> Hi Volker, Could you explain for the idiots amongst us (i.e. me), just
> how this is supposed to work?

The AD backend just reads the SFU attributes in Active Directory.
This is completely controlled by the administrator of the domains. I
have several customers with a global unix id allocation policy but
where the unix ids are spread across multiple domains in a more or
less random fashion. Globally unix ids are guaranteed to be unique,
but you can't tell from a range assignment which domain they belong
to. What winbind with overlapping ranges now does is just try all of
the domains until a mapping is found. There is no guarantee of a
particular order in which domains are tried, we depend on the AD
administration to guarantee uniqueness. This is for unixid2sid,
sid2unixid is simple, there we can just find the domain from the sid.

Volker
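
The two lookup directions described in the message above, as an added Python sketch that is not part of the original message and is not Samba code. The domain names, SIDs and ids are constructed, and the function names only mirror the terms used in the message. It also checks the uniqueness that the lookup relies on the AD administration to provide.

```python
from collections import defaultdict

# Constructed sample data: SID -> uidNumber per domain, all in one shared id range.
DOMAINS = {
    "DOMA": {"S-1-5-21-1-1-1-1104": 10001, "S-1-5-21-1-1-1-1105": 10007},
    "DOMB": {"S-1-5-21-2-2-2-1104": 10002, "S-1-5-21-2-2-2-1109": 10005},
    # 10007 is deliberately duplicated here to show the failure mode.
    "DOMC": {"S-1-5-21-3-3-3-1201": 10003, "S-1-5-21-3-3-3-1202": 10007},
}
DOMAIN_SIDS = {"DOMA": "S-1-5-21-1-1-1", "DOMB": "S-1-5-21-2-2-2",
               "DOMC": "S-1-5-21-3-3-3"}


def sid2unixid(sid):
    """The domain follows from the SID prefix, so one domain is consulted."""
    domain_sid = sid.rsplit("-", 1)[0]
    for name, dsid in DOMAIN_SIDS.items():
        if dsid == domain_sid:
            return DOMAINS[name].get(sid)
    return None


def unixid2sid(unix_id, order):
    """Try each domain in `order` until a mapping is found; first hit wins."""
    for name in order:
        for sid, uid in DOMAINS[name].items():
            if uid == unix_id:
                return sid
    return None


def find_collisions():
    """Return ids held by more than one SID across all domains."""
    owners = defaultdict(list)
    for entries in DOMAINS.values():
        for sid, uid in entries.items():
            owners[uid].append(sid)
    return {uid: sorted(sids) for uid, sids in owners.items() if len(sids) > 1}


if __name__ == "__main__":
    print(unixid2sid(10007, ["DOMA", "DOMB", "DOMC"]))
    print(unixid2sid(10007, ["DOMC", "DOMB", "DOMA"]))
    print(find_collisions())
```

With a duplicated id, the SID returned depends on the order in which domains are tried, so a collision report like this is worth running against the directory data before configuring overlapping ranges.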


