[PATCH] Check idmap config with testparm

Rowland Penny repenny241155 at gmail.com
Thu Dec 8 09:46:49 UTC 2016


On Thu, 8 Dec 2016 10:32:26 +0100
Volker Lendecke <vl at samba.org> wrote:

> On Thu, Dec 08, 2016 at 09:01:03AM +0000, Rowland Penny wrote:
> > Hmm, it sounds like you can have the same uidNumber in different
> > domains, is this correct?
> 
> Technically yes, but winbind does not cope with this properly. If
> you have the same uid in multiple domains, the result of the uid2sid
> operation is not specified. It very likely is deterministic, defined
> by the order in which the idmap domains are mentioned in smb.conf, but
> I would never make such guarantees. Also, this preference would be a
> domain-wide thing. If you have these mapping collisions, you very
> likely want to specify on a per-uid preference which domain is to be
> used. For uid 1000 you want this to be mapped in domain A, for uid
> 1001 you want this to be mapped in domain B. For my customers this
> was not a problem, so I did not take care of it. If we need that
> functionality, please tell me so. This will have to be a separate
> mapping database, because you will have to potentially do this
> manually for thousands of unix ids that have conflicting mappings in
> multiple domains.
> 
> With best regards,
> 
> Volker Lendecke

I think we need to decide one way or the other, at the moment on this
Samba wiki page:

https://wiki.samba.org/index.php/Idmap_config_ad

Under the heading:

Advantages and Disadvantages of the ad Back End

and sub heading:

Disadvantages:

It says this:

If the Windows Active Directory Users and Computers (ADUC) program is
not used, you have to manually track ID values to avoid duplicates.

So with one hand we are saying it is okay to use the
msSFU30Max*idNumber attributes, but on the other hand it isn't if you
use samba-tool. This is a bit inconsistent.

Rowland
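As an added illustration (not code from this thread, from the patch, or from Samba itself), here is a small Python check an admin could run to find the two problems discussed above: idmap ranges in smb.conf that overlap, and a uidNumber that appears in more than one domain, for which Volker says the uid2sid result is unspecified. The smb.conf fragment, the domain names DOMA and DOMB, and the AD rows are all constructed for the example.

```python
"""Detect uidNumber collisions across domains (added example, not code from the thread)."""
import re
from collections import defaultdict

# Constructed smb.conf fragment (domain names DOMA/DOMB are made up); the two AD
# domains are deliberately given overlapping ranges, which is a misconfiguration.
SMB_CONF = """
[global]
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config DOMA : backend = ad
    idmap config DOMA : schema_mode = rfc2307
    idmap config DOMA : range = 10000-19999
    idmap config DOMB : backend = ad
    idmap config DOMB : range = 10000-19999
"""

# Constructed (domain, sAMAccountName, uidNumber) rows as read from each domain's AD.
AD_ROWS = [
    ("DOMA", "alice", 10000),
    ("DOMA", "bob", 10001),
    ("DOMB", "carol", 10000),  # same uidNumber as DOMA\alice: uid2sid is unspecified
]

RANGE_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)

def parse_ranges(conf):
    """Return {domain: (low, high)} from 'idmap config DOM : range = low-high' lines."""
    ranges = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
    return ranges

def overlapping_ranges(ranges):
    """Pairs of domains whose configured ranges overlap (the '*' default is skipped)."""
    names = sorted(d for d in ranges if d != "*")
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]

def uid_collisions(rows):
    """uidNumbers seen in more than one domain (winbind's uid2sid is then unspecified)."""
    by_uid = defaultdict(set)
    for domain, _, uid in rows:
        by_uid[uid].add(domain)
    return {uid: sorted(doms) for uid, doms in by_uid.items() if len(doms) > 1}
```

On the constructed input this reports DOMA and DOMB as overlapping and uid 10000 as mapped in both domains; on a real system the rows would come from an LDAP query of each domain's uidNumber attribute.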
