[Samba] idmap GID range became full without reason

Gaiseric Vandal gaiseric.vandal at gmail.com
Sat Jun 12 15:11:05 MDT 2010

Is the Mac a PDC, or a member server?  What is the PDC?

Idmap is not as well documented as it could be.  I am using idmap with
ldap backend for interdomain trusts, with both samba 3.0.x and samba 3.4.x
with mixed success.  But the behavior you are describing is definitely not

In addition to having an idmap section for the trusted domain, I also have
an idmap section for "alloc" -  I would check the smb.conf man page.  I
think the "idmap mydomain"  section is supposed to help samba check existing
idmap uid/gid entries and the "idmap alloc" section is supposed to keep
track of the next entry to be allocated.  It sounds like samba is unable to
determine the existing idmap uid so creates another one.

Maybe you can use the wbinfo command to manually set uid/gid's and then try
to comment out the idmap entries in smb.conf to prevent future entries being

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
On Behalf Of Andrew Hotlab
Sent: Friday, June 11, 2010 5:35 PM
To: samba at lists.samba.org
Subject: Re: [Samba] idmap GID range became full without reason

> On 06/11/10 09:12, Andrew Hotlab wrote:
> >
> > On 06/10/10 04:52, Andrew Hotlab wrote:
> >> Every two-three months, all users are unable to access shared folders because the idmap GID range became full!!
> >>
> >> What I noticed is that each time a user mounts a shared folder, his/her GID is incremented, and when it reaches the upper limit, the file log.winbindd-idmap became full of these errors:
> >> "nsswitch/idmap_tdb.c:idmap_tdb_allocate_id(470) Fatal Error: GID range full!! (max: 20000)"
> >>
> >> Can anyone kindly suggest me what is causing this behavior, or at least put me in the right direction? Can I activate some debug to obtain more info about this?
> >>
> >> Any help will be greatly appreciated: I convinced the customer to use Mac/BSD/Samba instead of going to Windows because I was confident it would have been a valid alternative, and it's hard to justify these errors
> >> you all in advance!!
> >>
> >> Andrew
> >
> >
> >> idmap uid = 15000-20000
> >> idmap gid = 15000-20000
> >
> > Can you just increase the range? The setting I am using is:
> >
> > idmap uid = 500-100000000
> > idmap gid = 500-100000000
> >
> >
> >
> > Thank you Brian.
> > Yes, I can do it, but this will only shift the problem.  I'd like to understand the cause of this behavior and, if applicable, find the solution! :)
> >

> I think the cause of the problem is your range is too small.  Maybe it is different with the security type you are using,
> I am using ADS.

Perhaps this can be helpful to understand the problem... I've just tried the
same version of Samba as a member server of a Windows 2003 AD (exactly the
same smb.conf): the output of the id command is "uid=15001(andrew)
gid=15005(domain users) groups=15005(domain users)", and the gid number
never changes, even if I mount the shared folders on Mac.
I can't believe this behavior is normal: each time a user mounts a share the
gid idmap increases! That would be extremely insane too, because it would
make it impossible to control access through group permissions!
