suggestion to change idmap parameter usage [Was : Re: [Samba] winbindnss info = sfu is not so much working]

Volker Lendecke Volker.Lendecke at SerNet.DE
Sun Apr 30 11:03:47 GMT 2006


On Fri, Apr 28, 2006 at 11:12:06AM -0400, William Jojo wrote:
> There is no implied mutual exclusion, it allows for a container in LDAP to
> be used instead of the winbindd_idmap.tdb file in var/locks. The idea is to
> share this among several servers. The values would still be chosen on a
> first come, first served basis.

This is not 100% accurate. We view the idmap backend as
authoritative, but we always store what we find in LDAP or
AD in the local tdb file for speed. In a sense, the tdb is a
cache that never expires as id mappings are meant to never
change.

I'm trying to clarify the smb.conf entry. Would the
following wording be more appropriate?

>> The purpose of the idmap backend parameter is to allow idmap
>> to NOT use the local idmap tdb file to obtain SID to UID /
>> GID mappings for as yet unknown SIDs, but instead to obtain
>> them from a common backend.  This way all domain members and
>> controllers will have the same UID and GID to SID mappings.
>> This avoids the risk of UID / GID inconsistencies across
>> UNIX / Linux systems that are sharing information over
>> protocols other than SMB/CIFS (i.e. NFS).

> You can assign the values yourself, to be certain, but without IDMAP these
> were algorithmic until 3.0.23. (uid * 2 + base <or> gid * 2 + base; bases
> defaulted to 1000 and 1001)

The algorithmic fallback is only used for the reverse
mapping, namely creating SIDs from unix ids in cases where
Samba is authoritative. Winbind is used to find unix IDs
that are given to Samba by Windows.

Volker
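A small model of the idmap behaviour described in this reply, added here as an illustration and not Samba's own code: each host keeps a never-expiring local cache, ids are handed out first come, first served, and only a shared authoritative backend keeps the SID to uid mappings identical across hosts (which is what matters when the same files are exported over NFS). The class names, id range, SIDs and the pre-3.0.23 bases are constructed for the example.

```python
# Model of winbind idmap lookups as described in the thread; not Samba code.
BASE_USER, BASE_GROUP = 1000, 1001  # bases quoted in the thread (constructed defaults)

class Backend:
    """Authoritative SID -> unix id store (stands in for an LDAP/AD idmap container)."""
    def __init__(self, first_id=10000):
        self.next_id = first_id
        self.map = {}

    def lookup_or_allocate(self, sid):
        if sid not in self.map:
            self.map[sid] = self.next_id  # first come, first served
            self.next_id += 1
        return self.map[sid]

class Host:
    """A domain member: local tdb-like cache in front of an idmap backend."""
    def __init__(self, name, backend=None):
        self.name = name
        self.cache = {}  # winbindd_idmap.tdb analogue: entries never expire
        # No shared backend configured -> the host allocates ids on its own
        self.backend = backend if backend is not None else Backend()

    def sid_to_id(self, sid):
        if sid in self.cache:
            return self.cache[sid]
        unix_id = self.backend.lookup_or_allocate(sid)
        self.cache[sid] = unix_id
        return unix_id

def algorithmic_rid(unix_id, is_group=False):
    """Reverse mapping (unix id -> RID) used only where Samba is authoritative."""
    return unix_id * 2 + (BASE_GROUP if is_group else BASE_USER)

def mappings_consistent(hosts, sids):
    """True if every host resolves every SID to the same unix id."""
    return all(len({h.sid_to_id(s) for h in hosts}) == 1 for s in sids)

def demo():
    sids = ["S-1-5-21-1-2-3-1105", "S-1-5-21-1-2-3-1106"]  # constructed SIDs
    # Local-only: host a meets the SIDs in one order, host b in the other.
    a, b = Host("a"), Host("b")
    a.sid_to_id(sids[0]); a.sid_to_id(sids[1])
    b.sid_to_id(sids[1]); b.sid_to_id(sids[0])
    local_ok = mappings_consistent([a, b], sids)
    # Shared backend: same order difference, but the backend decides once.
    shared = Backend()
    c, d = Host("c", shared), Host("d", shared)
    c.sid_to_id(sids[0]); c.sid_to_id(sids[1])
    d.sid_to_id(sids[1]); d.sid_to_id(sids[0])
    return local_ok, mappings_consistent([c, d], sids)
```

`demo()` returns `(False, True)`: the local-only hosts disagree on which uid a SID maps to, the hosts sharing a backend agree.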