[Samba] Winbind & user ID's on multiple servers

TAKAHASHI Motonobu monyo at monyo.com
Wed Mar 9 16:16:53 MST 2011

2011/3/10 Javier Conti <javier.conti at gmail.com>:
> On 9 March 2011 20:13, Mike Auleta <michael_auleta at condenast.com> wrote:
>> We're looking at setting up Linux Authentication to our AD servers using
>> winbind and need to know if there is a way to keep all the user IDs in
>> sync across the Linux servers.  The way I see it now, the user ID is
>> assigned numerically depending on the order users log in to a server.
>> Could make for issues if NFS mounted directories are involved.
> Hi, I'm using AD 2008 R2 as PDC, and have been successful using the
> following configuration in /etc/samba/smb.conf on the client:
> [global]
>        idmap backend = ad
>        idmap config MYDOMAIN : backend = ad
>        idmap config MYDOMAIN : range = 10000 - 20000
>        idmap config MYDOMAIN : schema_mode = rfc2307
>        winbind nss info = rfc2307
> Since this configuration uses the Posix attributes found in the
> rfc2307 schema, I have the uidNumber attribute of users and the
> gidNumber attribute of groups populated with the IDs used in Unix (and
> in the range between 10000 and 20000).

"idmap backend" should be a "writeable" backend such as tdb or ldap.

Anyway, to synchronize UIDs, you can also use "rid" or "ldap" instead of "ad".
If you simply want to sync UIDs, "rid" is a better choice, I think.
For example:

idmap config DOMAIN:range = 1000000 - 1999999
idmap config DOMAIN:base_rid = 0
idmap config DOMAIN:backend = rid

Please refer to the manpages for details.

TAKAHASHI Motonobu <monyo at monyo.com>
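Added example, not part of the original post and not Samba's own code: a small Python model of why the "rid" settings above give the same UID on every server, using the formula documented in idmap_rid(8), ID = RID - BASE_RID + LOW_RANGE_ID. The domain SID is a constructed sample, and the function names are hypothetical.

```python
import re

# smb.conf fragment from the post above (DOMAIN is the post's placeholder).
SMB_CONF = """\
idmap config DOMAIN:range = 1000000 - 1999999
idmap config DOMAIN:base_rid = 0
idmap config DOMAIN:backend = rid
"""
# Constructed sample domain SID (assumption, not from the post).
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

def parse_idmap(conf, domain):
    """Collect 'idmap config <domain>:<key> = <value>' settings."""
    pat = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\S+)\s*=\s*(.+?)\s*$", re.I)
    opts = {}
    for line in conf.splitlines():
        m = pat.match(line)
        if m and m.group(1).upper() == domain.upper():
            opts[m.group(2).lower()] = m.group(3)
    low, high = (int(x) for x in opts["range"].split("-"))
    return {"backend": opts.get("backend"), "low": low, "high": high,
            "base_rid": int(opts.get("base_rid", 0))}

def sid_to_unix_id(sid, domain_sid, cfg):
    """Map a SID as idmap_rid(8) documents: ID = RID - BASE_RID + LOW_RANGE_ID.
    Returns None when the SID cannot be mapped."""
    prefix, _, rid = sid.rpartition("-")
    if prefix.upper() != domain_sid.upper() or not rid.isdigit():
        return None  # SID is malformed or belongs to another domain
    unix_id = int(rid) - cfg["base_rid"] + cfg["low"]
    if not cfg["low"] <= unix_id <= cfg["high"]:
        return None  # falls outside the configured range
    return unix_id

def unix_id_to_sid(unix_id, domain_sid, cfg):
    """Reverse mapping: RID = ID + BASE_RID - LOW_RANGE_ID."""
    if not cfg["low"] <= unix_id <= cfg["high"]:
        return None
    return f"{domain_sid}-{unix_id + cfg['base_rid'] - cfg['low']}"

if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF, "DOMAIN")
    for rid in (513, 1104, 1000000):  # constructed sample RIDs
        print(rid, "->", sid_to_unix_id(f"{DOMAIN_SID}-{rid}", DOMAIN_SID, cfg))
```

Because the result depends only on the RID and the three settings, two servers with identical settings agree on file ownership over NFS without sharing any mapping database; a RID that lands outside the range is simply not mapped.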
