[Samba] uid/gid mapping when using AD backend

Steven Cardinal steven.cardinal at gmail.com
Mon Jun 12 14:00:51 GMT 2006

I would like to have multiple Samba Domain Member servers, acting as file
servers, in my Active Directory domain. I've used the Samba-3 By Example and
the Official Samba-3 reference to get my first server running,
authenticating users to my AD domain, and mapping uid/gid using idmaps
through winbind. My problem is that, when I set up a second member server,
its idmaps aren't guaranteed to be identical to the first server. I know the
books mention using ldap backends when I'm using a samba PDC, but what about
when I'm using AD servers for my backend?

Should I force Samba to use ldap to access AD instead of winbind? Does
Services For Unix (SFU) extend my AD schema (Win2003) to support uid/gids
that can be accessed by winbind? Should I just rsync my mapping database to
my secondary servers? Any suggestions (other than replacing my AD
environment with a Samba PDC) would be appreciated.


        unix charset = LOCALE
        workgroup = MYDOMAIN
        realm = MYDOMAIN.INT
        server string = Samba File Server
        security = ADS
        client use spnego = yes
        username map = /etc/samba/smbusers
        log level = 1
        syslog = 0
        logfile = /var/log/samba/%m
        max log size = 50
        printing = cups
        printcap name = cups
        printcap cache time = 750
        cups options = raw
        ldap ssl = no
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        template shell = /bin/bash
        wins server =
        winbind separator = +
        enable privileges = yes
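As an added example (not part of the original post, and not the poster's own config): one way to get identical uid/gid on every member server without syncing a database is to make the mapping a pure function of the SID. Samba's "rid" idmap backend does this: for a domain SID, id = RID - base_rid + range_low (the formula documented for idmap_rid), so any server with the same range computes the same uid. The smb.conf fragment below uses the per-domain "idmap config" option syntax of current Samba rather than the single "idmap uid/gid" lines in the post; MYDOMAIN, the ranges and the SIDs used are assumed values for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: deterministic idmap for AD member servers.
# Assumptions: domain short name MYDOMAIN, domain range 10000-20000, base_rid 0,
# constructed SIDs of the form S-1-5-21-<three subauths>-<RID>.

# Write an smb.conf [global] fragment with a rid backend for the domain and a
# separate tdb range for BUILTIN/local SIDs. $1 is the output file (scratch file).
write_idmap_config() {
    cat > "$1" <<'EOF'
[global]
        workgroup = MYDOMAIN
        realm = MYDOMAIN.INT
        security = ADS
        # Allocating default backend only for BUILTIN and local SIDs.
        # Its range must not overlap the domain range below.
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        # Domain users/groups: id = RID + 10000, identical on every member server.
        idmap config MYDOMAIN : backend = rid
        idmap config MYDOMAIN : range = 10000-20000
        winbind use default domain = no
        winbind separator = +
EOF
}

# Reproduce the rid backend arithmetic so a mapping can be predicted (and audited)
# without winbind: id = RID - base_rid + range_low, rejected if outside the range.
# Usage: rid_to_id SID RANGE_LOW RANGE_HIGH [BASE_RID]
# Prints the id, or "unmapped" when the RID falls outside the configured range.
rid_to_id() {
    sid=$1; low=$2; high=$3; base_rid=${4:-0}
    rid=${sid##*-}                      # last SID component is the RID
    id=$((rid - base_rid + low))
    if [ "$id" -lt "$low" ] || [ "$id" -gt "$high" ]; then
        echo unmapped
    else
        echo "$id"
    fi
}

# Optional live check on a joined member server: compare winbind's answer for a
# name against the predicted value. Uses the real wbinfo switches -n (name to SID)
# and -S (SID to uid). Skipped silently when wbinfo is not installed.
check_live_mapping() {
    name=$1; low=$2; high=$3
    command -v wbinfo >/dev/null 2>&1 || { echo "wbinfo not available"; return 0; }
    sid=$(wbinfo -n "$name" | cut -d' ' -f1) || return 1
    expected=$(rid_to_id "$sid" "$low" "$high")
    actual=$(wbinfo -S "$sid") || return 1
    [ "$expected" = "$actual" ] && echo "ok $name $sid -> $actual" \
        || { echo "MISMATCH $name: predicted $expected, winbind says $actual"; return 1; }
}
```

Run `check_live_mapping 'MYDOMAIN+jdoe' 10000 20000` on each member server after joining; every server should print the same uid for the same account. The price of the rid backend is that the range must be wide enough for the largest RID the domain will ever issue, and a different range on one server silently produces different ids there. If the SFU/RFC2307 schema extension is in place and uidNumber/gidNumber are populated, the "ad" idmap backend is the alternative: it reads those attributes directly from AD, so the ids are consistent for the same reason (they live in the directory, not in a per-server tdb).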

