[Samba] Understanding UID/GID mapping models.

Ray Van Dolson rvandolson at esri.com
Tue Aug 30 23:40:54 MDT 2011

I am using either DOMAIN or ADS for authentication and am trying to
understand how UID/GID mapping rules are triggered.

This[1] seems to suggest that if I do not specify the idmap uid/gid
parameters in smb.conf, then authenticated usernames are mapped to
"local" user accounts having the same name.

If, however, I _do_ specify idmap uid/gid then one of the idmap_*
allocator modules is used.

Is my understanding correct there?

We have a mixed NIS/AD environment, and in most cases we do not use
idmap parameters and, as such, rely on the existence of an NIS account
to map UID/GIDs.  However, when users attempt to set permissions from
Windows, it appears that a SID is passed to Samba which is unable to
map it into a valid file system ACL and the permissions aren't actually

The only workaround I've found is to enable idmap so these SIDs can be
resolved properly to NSS-sourced (in our case, NIS or local accounts)

I do something like this:

    idmap backend = tdb

    # Users without NIS accounts are assigned random UID/GID's from the
    # following pool (assuming they're allowed to connect)
    idmap uid = 1000000-10000000
    idmap gid = 1000000-10000000

    # NIS users should never have UID/GID > 599999
    idmap config DOMAIN : backend = nss
    idmap config DOMAIN : range = 0-599999

This seems to work, but I'm looking to confirm that I have the correct
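
The following is an added example, not part of the post or of Samba itself. It is a small offline checker for the kind of idmap layout shown above: it reads the idmap keys out of an smb.conf text (the legacy `idmap backend` / `idmap uid` / `idmap gid` keys are treated as describing the default `*` domain, and `idmap config NAME : backend|range` as per-domain settings), reports any domain whose ranges overlap or that has a backend but no range, and says which configured range would own a given UID. The SMB_CONF fragment is constructed to mirror the settings in the post; the parser is a deliberate simplification and does not reproduce winbind's full precedence rules, so it is a configuration lint, not a substitute for querying winbind.

```python
"""Offline sanity check for Samba idmap settings (added example, not Samba code).

Parses the idmap-related keys from an smb.conf text, flags overlapping ID
ranges between backends, flags backends without a range, and reports which
backend's range contains a given UID.  It does not talk to winbind.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed smb.conf fragment mirroring the settings quoted in the post.
SMB_CONF = """\
[global]
    workgroup = DOMAIN
    idmap backend = tdb
    # Users without NIS accounts get IDs from this pool
    idmap uid = 1000000-10000000
    idmap gid = 1000000-10000000
    idmap config DOMAIN : backend = nss
    idmap config DOMAIN : range = 0-599999
"""


@dataclass
class IdmapDomain:
    name: str                               # "*" is the default (catch-all) allocator
    backend: Optional[str] = None
    range: Optional[Tuple[int, int]] = None


RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")
CONFIG_RE = re.compile(r"^idmap config\s+(\S+)\s*:\s*(\w+)$", re.IGNORECASE)


def parse_range(value: str) -> Tuple[int, int]:
    """Parse 'LOW-HIGH' into a tuple; reject malformed or inverted ranges."""
    m = RANGE_RE.match(value.strip())
    if not m:
        raise ValueError(f"malformed idmap range: {value!r}")
    lo, hi = int(m.group(1)), int(m.group(2))
    if lo > hi:
        raise ValueError(f"idmap range low > high: {value!r}")
    return lo, hi


def parse_idmap(conf: str) -> Dict[str, IdmapDomain]:
    """Collect idmap settings per domain; legacy keys map to the '*' domain."""
    domains: Dict[str, IdmapDomain] = {}

    def dom(name: str) -> IdmapDomain:
        return domains.setdefault(name, IdmapDomain(name))

    for raw in conf.splitlines():
        # smb.conf allows '#' and ';' comments
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        lkey = key.lower()
        if lkey == "idmap backend":
            dom("*").backend = value
        elif lkey in ("idmap uid", "idmap gid"):
            # Both legacy keys describe the default pool; they are expected to agree.
            rng = parse_range(value)
            d = dom("*")
            if d.range is not None and d.range != rng:
                raise ValueError("idmap uid and idmap gid ranges differ")
            d.range = rng
        else:
            m = CONFIG_RE.match(key)
            if m:
                name, option = m.group(1), m.group(2).lower()
                if option == "backend":
                    dom(name).backend = value
                elif option == "range":
                    dom(name).range = parse_range(value)
    return domains


def find_overlaps(domains: Dict[str, IdmapDomain]) -> List[Tuple[str, str]]:
    """Pairs of domains whose ID ranges intersect (each ID must have one owner)."""
    ranged = [d for d in domains.values() if d.range is not None]
    out: List[Tuple[str, str]] = []
    for i, a in enumerate(ranged):
        for b in ranged[i + 1:]:
            if a.range[0] <= b.range[1] and b.range[0] <= a.range[1]:
                out.append((a.name, b.name))
    return out


def missing_range(domains: Dict[str, IdmapDomain]) -> List[str]:
    """Domains that name a backend but give it no range to allocate from."""
    return [d.name for d in domains.values() if d.backend and d.range is None]


def owner_of_uid(domains: Dict[str, IdmapDomain], uid: int) -> Optional[str]:
    """Which configured range contains this UID; None means no backend covers it."""
    for d in domains.values():
        if d.range and d.range[0] <= uid <= d.range[1]:
            return d.name
    return None


if __name__ == "__main__":
    doms = parse_idmap(SMB_CONF)
    for d in doms.values():
        print(f"{d.name:8} backend={d.backend} range={d.range}")
    print("overlaps:", find_overlaps(doms))
    print("no range:", missing_range(doms))
    for uid in (1500, 700000, 2000000):
        print(f"uid {uid} -> {owner_of_uid(doms, uid)}")
```

Run against the post's settings it shows the NIS range (0-599999) and the tdb pool (1000000-10000000) are disjoint, and that a UID such as 700000 falls in neither, which is the kind of gap that leaves a SID unmappable.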

