autorid broken in samba 4.9?

Nathaniel W. Turner nate at
Wed Apr 8 17:55:37 UTC 2020

I have a configuration that is working correctly with samba 4.8 (in CentOS
7.6). When I apply the same basic configuration to a system running samba
4.9 (CentOS 7.7), I see a very strange behavior: The ID mapping for trusted
domains does not work right.

Both systems are joined to the domain tc84.local (TC84), which has a forest
trust with TC83, and they have identical smb.conf files. Here's the idmap
related bit:

# testparm 2>/dev/null </dev/null | grep idmap
        idmap config * : range = 1000000-19999999
        idmap config * : backend = autorid

Here's the samba 4.8 system:

[root at kvm7246-vm005 ~]# wbinfo -i TC84\\administrator
TC84\administrator:*:1100500:1100513::/home/administrator at TC84:/bin/bash
[root at kvm7246-vm005 ~]# wbinfo -i TC83\\administrator
TC83\administrator:*:1200500:1200513::/home/administrator at TC83:/bin/bash

And here's the same config on a samba 4.9 system:

[root at kvm7246-vm008 ~]# wbinfo -i TC84\\administrator
TC84\administrator:*:2000500:2000513::/home/administrator at TC84:/bin/bash
[root at kvm7246-vm008 ~]# wbinfo -i TC83\\administrator
TC83\administrator:*:10000:10000::/home/administrator at TC83:/bin/bash

The UID 10000 is not within the idmap configured range!

I looked a the idmap_autorid(8) manpage, and very very quickly scanned the
source diffs between these versions, but nothing jumps out at me. Is this a
known issue, or is there some new idmap configuration setting that's now


More information about the samba-technical mailing list