[PATCH] Check idmap config with testparm

Volker Lendecke vl at samba.org
Thu Dec 8 09:32:26 UTC 2016

On Thu, Dec 08, 2016 at 09:01:03AM +0000, Rowland Penny wrote:
> Hmm, it sounds like you can have the same uidNumber in different
> domains, is this correct ?

Technically yes, but winbind does not cope with this properly. If
you have the same uid in multiple domains, the result of the uid2sid
operation is not specified. It very likely is deterministic, defined
by the order in which the idmap domains are mentioned in smb.conf, but
I would never make such guarantees. Also, this preference would be a
domain-wide thing. If you have these mapping collisions, you very likely
want to specify on a per-uid preference which domain is to be used.
For uid 1000 you want this to be mapped in domain A, for uid 1001 you
want this to be mapped in domain B. For my customers this was not a
problem, so I did not take care of it. If we need that functionality,
please tell me so. This will have to be a separate mapping database,
because you will have to potentially do this manually for thousands of
unix ids that have conflicting mappings in multiple domains.

With best regards,

Volker Lendecke

More information about the samba-technical mailing list