[Samba] ADS Domain Member smb.conf using idmap_ad

TAKAHASHI Motonobu monyo at monyo.com
Wed Nov 23 06:44:41 MST 2011

Firstly, I recommend that you set up both Active Directory and Samba
and configure Winbind in your lab.

From: Freeman <flo at email.unc.edu>
Date: Wed, 23 Nov 2011 08:17:55 -0500

> > Have you already set values into "UNIX attributes" for every user you
> > want to "activate" under Winbind.
> I believed on the windows side, the windows admin had already mapped the 
> unix user uid/gid to the windows domain via some windows/unix converter 
> tool.

You need to confirm what was done, I think.

> idmap config AD : default = yes
> idmap config AD : cache time = 180
> idmap config AD : backend  = ad
> # idmap config AD : range = 100001-200000
> idmap config AD : schema_mode = rfc2307

Of course, the uids/gids set on Active Directory are between 100001 and 200000?

If you set "idmap config AD : range = 100001-200000", all uids/gids
outside 100001-200000 cannot be mapped. Also remember that a user whose
primary group cannot be mapped fails to map.

> idmap config AD : schema_mode = rfc2307

> I am running samba version: Version 3.5.11-79.fc14. Trying to join
> linux servers to the windows 2003 domain by running winbind and smb.  I

Are your AD's DCs Windows Server 2003 or Windows Server 2003 R2?
If Windows Server 2003, use sfu instead of rfc2307. See

> I thought the uid/gid mapping to the sid is all done by either 
> winbind or samba, if smb.conf is configured properly.

Again I have to say that uid/gid has nothing to do with

Setting "idmap backend = ad" only means that uid/gid/shell and
homedir values are retrieved from those set in "UNIX attributes";
it does not mean mapping to SIDs.

> The goal is pretty simple, we would like to have all of the linux 
> machines joining the campus windows AD domain as a member. Instead of 
> using the NIS account with all of the linux machine, we would like to 
> log onto the linux servers with the domain account from the window side 
> and to mount a windows share upon a user log in.

If you keep current uid/gids maintained by NIS, you should use
idmap_ad(8). If not, idmap_rid(8) is easy to configure.

TAKAHASHI Motonobu <monyo at samba.gr.jp>
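An added check for the range issue discussed above (this script is not part of the original thread or of Samba). It takes a list of AD accounts with their rfc2307 uidNumber/gidNumber (a constructed sample here, standing in for the output of an ldapsearch against the domain) and reports which accounts idmap_ad will refuse to map under the quoted setting "idmap config AD : range = 100001-200000": either because the uid itself lies outside the range, or because the primary gid does, which makes the whole user fail to map. The account names and numbers in SAMPLE are made up for the example.

```shell
#!/bin/sh
# Added example, not from the original post or from Samba.
# Constructed sample standing in for "samaccountname uidNumber gidNumber"
# as pulled from AD "UNIX attributes"; values are invented.
SAMPLE='alice 100123 100500
bob 5003 100500
carol 100124 513
dave 100125 100500'

# in_range N LO HI -> success if LO <= N <= HI
in_range() { [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]; }

# check_idmap LO HI  (reads "name uid gid" lines on stdin)
# Prints "name: ok" or "name: FAIL <reason>" per account, mirroring the
# two failure modes: uid outside the idmap range, or primary gid outside
# it (idmap_ad cannot map the user if its primary group is unmappable).
# Returns 1 if any account fails.
check_idmap() {
    lo=$1; hi=$2; rc=0
    while read -r name uid gid; do
        [ -z "$name" ] && continue
        if ! in_range "$uid" "$lo" "$hi"; then
            echo "$name: FAIL uid $uid outside $lo-$hi"; rc=1
        elif ! in_range "$gid" "$lo" "$hi"; then
            echo "$name: FAIL primary gid $gid outside $lo-$hi (user cannot be mapped)"; rc=1
        else
            echo "$name: ok"
        fi
    done
    return $rc
}

# count_failures LO HI -> number of accounts in SAMPLE that would not map
count_failures() {
    printf '%s\n' "$SAMPLE" | check_idmap "$1" "$2" | grep -c FAIL || true
}

# Stand-alone run against the range quoted in the thread.
printf '%s\n' "$SAMPLE" | check_idmap 100001 200000 \
    || echo "some accounts will not be mapped with this range"
```

With the quoted range, bob fails on his uid and carol fails on her primary gid (513, the Domain Users RID-style number often left in gidNumber), so both are invisible to winbind; widening the range, or fixing the attributes in AD, is the remedy, and the script lets you confirm that before touching smb.conf.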
