> OK, I see where you are coming from, but until testparm starts saying
> 'this will not work because' people will keep on having problems with
> winbind, also why do you need to set up the ranges anyway.

testparm does not guarantee a working configuration, it guarantees that
you don't have any invalid configuration lines from a syntactic point of

I fully appreciate that it can seem confusing. I know three years ago
when I first set it up I ended up reading large chunks of this mailing
list's archive to find a single post that told me what I was doing
wrong. At the time the idmap_ad manual page did not hold the necessary

However today in mid 2013, the manual page is accurate and there are a
*lot* more posts in the mailing list on how to set it up.

>  The user and group ranges are already set by the admin in uidNumber &
> gidNumber, so again why do they need setting in smb.conf, IMHO the
> setting should be 'idmap config:backend = ad' and that should make
> winbind pull all the rfc2307 items for a user or group

The issue is that winbind needs somewhere to allocate UIDs and GIDs
for the BUILTIN backend. As such it does not know in advance what a
suitable block for this is. Only you the administrator can say this
range here is not allocated in the AD.

Also winbind can handle multiple domains so it needs to know which
domain to use to lookup a given UID or GID in.


