[Samba] Samba 3.0.28a onwards "allow trusted domains" has no effect?

Hari Sekhon hpsekhon at googlemail.com
Wed Sep 10 14:06:28 GMT 2008

simo wrote:
> I guess a look at the idmap_rid manpage would help then.
Ironically I read the entire samba documentation (skipping only the 
printing sections) and all the man pages too, but perhaps I overdid it 
and missed something...

The thing which surprised me is that everything worked. If testparm had 
raised any error or warning, if a service failed to accept the config, I 
would have googled and re-read the docs.

What really threw me was that this worked fine in 3.0.24 and not in 
3.0.28a onwards.

> To have it working as expected on 3.0.25+ you should add the following
> parameter:
> idmap config PRIMARYDOMAIN:backend = rid
> idmap config PRIMARYDOMAIN:default = yes
> idmap config OTHERDOMAIN:backend = rid
> and remove the:
> idmap backend = rid
> and optionally (to avoid a 1000 ids hole at the start of each range):
> idmap config PRIMARYDOMAIN:base_rid = 1000
> idmap config OTHERDOMAIN:base_rid = 1000
> see the idmap_rid(8) manpage.
I've done all this and it seems to have fixed it on the newer samba 
boxes I have.

> Also note that your configuration will probably be ok when we release
> samba 3.3.0, as we modified slightly the code to avoid the 'idmap
> domains' parameters and to make back 'idmap backend' the main backend
> used. But until then your current configuration is not correct for
> 3.0.25+ and the 'idmap config' directives are ignored w/o the idmap
> domains one


Hari Sekhon
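
The message above notes that testparm raised no warning for the old-style settings. As an added example (not code from either poster or from the Samba project), this small linter checks a `[global]` section against the rules stated in this thread for 3.0.25+ before 3.3.0. The function names, finding labels and sample configs are hypothetical, and the space-separated `idmap domains` value is an assumption.

```python
import re

# Constructed [global] sections; domain names are the placeholders from the thread.
OLD_STYLE = """
[global]
    allow trusted domains = no
    idmap backend = rid
    idmap config PRIMARYDOMAIN:backend = rid
"""
NEW_STYLE = """
[global]
    allow trusted domains = no
    idmap domains = PRIMARYDOMAIN OTHERDOMAIN
    idmap config PRIMARYDOMAIN:backend = rid
    idmap config PRIMARYDOMAIN:default = yes
    idmap config OTHERDOMAIN:backend = rid
"""

def parse_global(text):
    """Return {parameter: value} for [global]; names lower-cased, spaces collapsed."""
    params, section = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[" ".join(name.lower().split())] = value.strip()
    return params

def lint_idmap(text):
    """Findings for Samba 3.0.25+ (before 3.3.0), per the rules stated in this thread."""
    params = parse_global(text)
    per_domain = {}  # domain -> {option: value}
    for name, value in params.items():
        m = re.fullmatch(r"idmap config (\S+?)\s*:\s*(\S+)", name)
        if m:
            per_domain.setdefault(m.group(1), {})[m.group(2)] = value
    findings = []
    if "idmap backend" in params:  # the thread says to remove this line
        findings.append("legacy-idmap-backend")
    if per_domain and "idmap domains" not in params:  # directives would be ignored
        findings.append("idmap-config-without-idmap-domains")
    if not any(o.get("default", "").lower() == "yes" for o in per_domain.values()):
        findings.append("no-default-domain")
    return findings

if __name__ == "__main__":
    print(lint_idmap(OLD_STYLE))
    print(lint_idmap(NEW_STYLE))
```

The linter covers only the points raised in this thread; it does not validate other idmap_rid options.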
