[Samba] idmap backend = rid : moving from samba 3.2 to 3.4 breaks 3.2 idmap RID config

Samba Guy samba.pedant at gmail.com
Thu Feb 4 14:19:03 MST 2010

Hi samba folks,

We have upgraded samba 3.2 to samba 3.4 and it has broken our idmap RID
backend config.

The below idmap configuration was being used for samba 3.2 with two domains:

idmap domains = QA2K3192, QA2K3SUB19
idmap config QA2K3SUB192:range = 2000000 - 2999999
idmap config QA2K3SUB192:base_rid = 0
idmap config QA2K3SUB192:backend = rid
idmap config QA2K3192:range = 1000000 - 1999999
idmap config QA2K3192:base_rid = 0
idmap config QA2K3192:backend = rid

And had the following results:

Linux:~ # wbinfo --group-info='qa2k3192\domain users'
QA2K3192\domain users:x:1000513

Linux:~ # wbinfo --group-info='qa2k3sub192\domain users'
QA2K3SUB192\domain users:x:2000513

 Which is correct and reports the correct information consistently for this

We do not obtain the same idmap results with the same idmap backend (RID)
with samba 3.4:

idmap backend = tdb|
idmap uid = 90000000 - 99999999
idmap gid = 90000000 - 99999999
idmap config QA2K3SUB192:range = 2000000 - 2999999
idmap config QA2K3SUB192:backend = rid
idmap config QA2K3SUB192:default = yes
idmap config QA2K3192:range = 1000000 - 1999999
idmap config QA2K3192:backend = rid
idmap config QA2K3192:default = yes

*Linux:~ # service smb restart
Shutting down Samba SMB daemon                                        done*

*Starting Samba SMB daemon                                             done*

*Linux:~ # service nmb restart*

*Shutting down Samba NMB daemon                                        done*

*Starting Samba NMB daemon                                             done*

*Linux:~ # service winbind restart|*

*Shutting down Samba  WINBIND daemon                                   done*

*Starting Samba WINBIND daemon                                         done*

*Linux:~ # net cache flush*

Linux:~ # wbinfo --group-info='qa2k3192\domain users'
QA2K3192\domain users:x:90000000

Linux:~ # wbinfo --group-info='qa2k3sub192\domain users'
QA2K3SUB192\domain users:x:90000001

Those groups should not be in that range!

We do not want to use the idmap uid =  or idmap gid = setting as it dumps
some domain ids in the wrong range, yet we seem forced to add those to the
config in samba 3.4 - I understand idmap hash is superior but for our setup
we cant migrate to this new paradigm due to the amount of data currently
written to fileserver with idmap RID based ACLs.

Can anyone provide the following:

Documentation of how to configure idmap backend = rid with two domains using
samba 3.4
Configuration Example:

One win2k3 domain with the range of 1000000-1999999 and the other child
domain with a range of 2000000-2999999

 The expectation we have  is it should behave the same as  samba 3.2.  We
only want domain users mapped to their appropriate/specified idmaps
"buckets" as it was before in 3.2 with our config.

A Samba Guy

More information about the samba mailing list