[Samba] ADS Domain Member smb.conf using idmap_ad

Freeman flo at email.unc.edu
Tue Nov 22 14:47:01 MST 2011

Greetings samba community,

I am running Samba version 3.5.11-79.fc14, trying to join Linux servers 
to the Windows 2003 domain by running winbind and smb. I have configured 
the following smb.conf file, which worked, but I can't seem to understand 
why the uid is different from the Windows side when the Windows side has 
already mapped some kind of uid to the SID.

If I were to log into this machine from another Linux box and run the 
command 'id', I get the uid of 1000. When I try to run the command 
'wbinfo -n flo' on the member server, I get some other number:

[root at moe samba]# wbinfo -n flo
S-1-5-21-344340502-4252695000-2390403120-1236058 SID_USER (1)

# from a Linux client machine after logging onto the server which joined 
the domain
-bash-4.1$ id
uid=1000(flo) gid=1000(domain users) groups=1000(domain users),

What do these numbers mean? And does it have to match the number that 
has been set up for me on the Windows side? Am I still missing some 
parameters in my configuration?

I was able to have this server join our internal Windows network as a 
member and was able to log into this server with my Windows credentials 
instead of my NIS credentials.

I don't understand how "idmap uid = range values" differs from 
"idmap config AD : range = range values".
By omitting "idmap config AD : range = range values" from my 
configuration, I am able to gain access to this server, which joined the 
Windows domain, from another Linux machine. If I leave it uncommented in my 
configuration, I can't seem to log in to this machine.


    workgroup = ad
    password server = server1,server2,server3
    realm = myDomain.com
    security = ads
    allow trusted domains = no
    disable netbios = yes

# this doesn't seem to work for some reason
# i am trying to use idmap_ad
#   idmap backend = ad
    idmap backend = tdb
    idmap uid = 1000-5000000
    idmap gid = 1000-5000000

    idmap config AD : default = yes
    idmap config AD : cache time = 180
    idmap config AD : backend  = ad
    # idmap config AD : range = 100001-200000
    idmap config AD : schema_mode = rfc2307

    template shell = /bin/bash
    template homedir = /mnt/%D/home/%U
    winbind nss info = rfc2307
    winbind use default domain = yes
    winbind offline logon = yes
    winbind nested groups = yes
    encrypt passwords = yes
    obey pam restrictions = yes
    unix password sync = no
    winbind enum users = yes
    winbind enum groups = yes
    winbind refresh tickets = yes
    domain master = no
    local master = no


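An added checker, not part of the original post or of Samba itself, that parses the idmap lines of the configuration above and reports why the AD backend is bypassed: a per-domain backend with no active "range" line cannot initialize, so winbind falls back to the default tdb backend and allocates the first free id from the "idmap uid" range (which is where uid 1000 comes from); and a per-domain range that is uncommented but lies inside the default range is flagged as overlapping, since idmap ranges must not overlap. The embedded smb.conf fragment is a copy of the idmap-related lines from the post.

```python
import re

# idmap-related lines copied from the smb.conf fragment in the post (constructed sample)
SMB_CONF = """
    idmap backend = tdb
    idmap uid = 1000-5000000
    idmap gid = 1000-5000000
    idmap config AD : default = yes
    idmap config AD : backend  = ad
    # idmap config AD : range = 100001-200000
    idmap config AD : schema_mode = rfc2307
"""

RANGE_RE = re.compile(r"^\s*(\d+)\s*-\s*(\d+)\s*$")

def parse_idmap(text):
    """Return (defaults, domains): global idmap settings and per-domain idmap settings."""
    defaults, domains = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")) or "=" not in line:
            continue  # commented-out lines are not active configuration
        key, value = (s.strip() for s in line.split("=", 1))
        m = re.match(r"idmap config\s+(\S+)\s*:\s*(\S+)", key, re.I)
        if m:
            domains.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = value
        elif key.lower().startswith("idmap "):
            defaults[key.lower()] = value
    return defaults, domains

def parse_range(value):
    """Turn 'low-high' into (low, high), or None when absent or malformed."""
    m = RANGE_RE.match(value or "")
    return (int(m.group(1)), int(m.group(2))) if m else None

def check_idmap(text):
    """List idmap problems: a domain backend without an active range, or overlapping ranges."""
    defaults, domains = parse_idmap(text)
    default_range = parse_range(defaults.get("idmap uid"))
    problems = []
    for dom, cfg in domains.items():
        rng = parse_range(cfg.get("range"))
        if cfg.get("backend") and rng is None:
            problems.append(f"{dom}: backend '{cfg['backend']}' has no active range; winbind "
                            f"falls back to '{defaults.get('idmap backend', 'tdb')}' and "
                            f"allocates ids from {defaults.get('idmap uid')}")
        elif rng and default_range and rng[0] <= default_range[1] and default_range[0] <= rng[1]:
            problems.append(f"{dom}: range {rng} overlaps default idmap uid range {default_range}")
    return problems

if __name__ == "__main__":
    for p in check_idmap(SMB_CONF):
        print(p)
```

Running it against the post's configuration reports the missing AD range; uncommenting the range line instead reports that 100001-200000 sits inside the 1000-5000000 default range, so the two ranges would need to be separated.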