suggestion to change idmap parameter usage [Was : Re: [Samba] winbind nss info = sfu is not so much working]

Jonathan C. Detert detertj at
Fri Apr 28 14:03:40 GMT 2006

I wanted to use winbind to get user and group (i.e. nss) info from
a Microsoft Active Directory LDAP Server that supports an RFC2307
compliant LDAP schema.  I was unable to make that work until Guenther
Deschner (see below) explained that I still had to specify idmap gid
and idmap uid ranges.

That need is not intuitively obvious.  I suggest it be removed, or at
least explained in the smb.conf manpage.  The man page
suggests that 'idmap backend' and the idmap uid/gid ranges are
mutually exclusive (except for when idmap backend = idmap_rid).

To illustrate this, consider the first sentence under the description of
the idmap backend parameter:

        idmap backend (G)
              The  purpose of the idmap backend parameter is to allow idmap to NOT
              use the local idmap tdb file to obtain SID to UID  /  GID mappings,
              but  instead to obtain them from a common LDAP backend.

If we are to use LDAP for the map, then what good is it to specify the
range of numbers that can be used in the map?  Hasn't the range already
been set by whatever process populated LDAP with the uid/gid's?  Or are
we to assume that winbind is the agent that will make the maps within
the LDAP backend?

Obviously the answers are,

'Yes, the range has already been set', and
'No, winbind is not making the maps within the LDAP backend.  Something
else must have assigned the uid/gids within the LDAP backend server.'.

So, what is the reasoning behind requiring the specification of idmap uid
and gid ranges when the backend is MsAD?

Suppose there is a good reason.  Then, what do we do with the problem of
how to specify the idmap uid/gid ranges?  Do we query LDAP to determine
the current range in order to make sure the range we specify includes
all uids/gids already set within LDAP?  That is crazy.  If we don't,
then it must not matter what ranges we specify.  So again, setting the
range seems to have no natural, reasonable purpose.

Lastly, if it really does make sense to set the idmap uid/gid
ranges, then please update the smb.conf manual.  It is very misleading
(at least in the v3.0.22 rendition).  Besides the misleading opening
paragraph (pointed out above), there is another bit that implies setting the
uid/gid ranges is not needed when using idmap backend, _except_ when the
idmap backend is set to 'idmap_rid':

        An  alternate  method  of  SID  to UID / GID mapping can be achieved
        using the idmap_rid plug-in. This plug-in uses the account  RID  to
        derive  the UID and GID by adding the RID to a base value specified.
        This utility requires that the parameter``allow  trusted domains  =
        No'' must be specified, as it is not compatible with multiple domain
        environments. The idmap uid and idmap gid ranges must also be speci-

I suspect that as the code currently stands, it would be more accurate
to remove that last sentence from the paragraph describing the idmap_rid
plugin, and put it as part of the opening paragraph.  I.e. I suspect
that the current code requires you to specify the idmap uid/gid ranges
no matter what your idmap backend is.

In any case, thank you for the wonderful software we have in samba.


Jon Detert

* Jonathan C. Detert <detertj at> [060427 12:11]:
> * Guenther Deschner <gd at> [060427 11:56]:
> > On Thu, Apr 27, 2006 at 11:21:45AM -0500, Jonathan C. Detert wrote:
> > > with samba 3.0.22, I'm trying to integrate a linux box with Microsoft AD
> > > by using winbind for authentication as well as for the source of nss info.
> > > 
> > > When winbind is configured to use its own local id maps, everything
> > > works fine.
> > > 
> > > But when I configure winbind to use 'ad' as the source of nss info,
> > > authentication fails, 'getent' commands return no results, and
> > > 'wbinfo -r someusername' returns nothing (though wbinfo -u and -g work
> > > correctly).
> -- snip --
> > > And here is how smb.conf looks when winbind is configed to use AD for
> > > nss:
> > > --------------
> > >    winbind enum groups = yes
> > >    winbind enum users = yes
> > >    winbind separator = +
> > >    winbind nested groups = yes
> > >    winbind nss info = sfu
> > >    winbind use default domain = yes
> > > 
> > >    idmap backend = ad
> > 
> > You still need to have the idmap ranges set so that winbind does not fall
> > into the "netlogon proxy only" mode. Does it work then?
> Yes, thanks!  I don't understand that at all.  What is 'netlogon proxy only'
> mode?
> If winbind is mapping a sid to the uid/gid recorded in AD via the sfu
> schema attributes, then why would I tell winbind what range it can use for
> the uids and gids that it maps the sids to?
> Also, what relationship do my idmap id ranges have to the actual values
> in AD for the msSFU30UidNumber and msSFU30GidNumber attributes?  Do I
> need to ensure that my idmap id ranges match the ranges of values used
> in AD for msSFU30UidNumber and msSFU30GidNumber?

Happy Landings,

Jon Detert
IT Systems Administrator, Milwaukee School of Engineering
1025 N. Broadway, Milwaukee, Wisconsin 53202, U.S.A.
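
Added example, not part of the original message and not Samba code: a small Python lint for the situation discussed in this thread, flagging an smb.conf [global] section that sets idmap backend without idmap uid / idmap gid ranges. The sample config is abridged from the quoted one, the range values are constructed placeholders, and accepting winbind uid / winbind gid as synonyms is an assumption based on the Samba 3.0 smb.conf manpage.

```python
import re

# Constructed sample: abridged from the [global] fragment quoted in the thread.
SAMPLE_BROKEN = """\
[global]
   winbind nss info = sfu
   winbind use default domain = yes
   idmap backend = ad
"""
# Range values below are placeholders, not taken from the thread.
SAMPLE_FIXED = SAMPLE_BROKEN + "   idmap uid = 10000-20000\n   idmap gid = 10000-20000\n"

def norm(name):
    # smb.conf parameter names are case-insensitive and ignore whitespace.
    return re.sub(r"\s+", "", name).lower()

def parse_global(text):
    """Return the [global] parameters as {normalised name: value}."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[norm(key)] = value.strip()
    return params

def parse_range(value):
    m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value or "")
    return (int(m[1]), int(m[2])) if m and int(m[1]) <= int(m[2]) else None

def check_idmap(text):
    """List findings when idmap backend is set but a uid/gid range is absent or malformed."""
    p = parse_global(text)
    findings = []
    if "idmapbackend" not in p:
        return findings
    for param, synonym in (("idmap uid", "winbind uid"), ("idmap gid", "winbind gid")):
        value = p.get(norm(param), p.get(norm(synonym)))
        if value is None:
            findings.append(f"{param}: missing although idmap backend = {p['idmapbackend']}")
        elif parse_range(value) is None:
            findings.append(f"{param}: not a low-high range: {value!r}")
    return findings
```

The lint only checks that the ranges are present and well formed; it does not compare them with the msSFU30UidNumber / msSFU30GidNumber values stored in AD.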