[Samba] Security = ADS and uidnumbers

steve steve at steve-ss.com
Wed Jun 5 12:06:40 MDT 2013

On Wed, 2013-06-05 at 18:32 +0100, Rowland Penny wrote:
> Well said Steve
> From what I have read on the two samba mailing lists, Samba 4 is
> supposed to be a clone of windows AD, well windows AD does not have
> winbind, so I suppose this begs the question, why when running as a DC
> controller does Samba4?

I think it's still needed because not everything is stored in the
directory. SIDs are stored alongside (what become) their uid or gid in
the idmap database, rather than AD. As end users, we can choose to work
only with AD; however, every object we add also ends up in idmap too. I
can see that one of the reasons is so that a unique SID-to-uid mapping
can be guaranteed. There's a counter object in idmap which gets
incremented each time we add something ourselves. However, once the xid
from idmap has been transferred to AD, or we've allocated our own, we
can then delete the idmap entry.
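The post describes two places a SID's posix id can live: the idmap database (a counter object plus one entry per SID) and the uidNumber/gidNumber attributes in AD. The script below is an added example, not code from the post or from the Samba project: it cross-checks an LDIF dump of idmap.ldb against an LDIF dump of AD objects with RFC2307 attributes, lists idmap entries whose number has already been carried over to AD (the ones the post says can be deleted) and those that have not, and flags the two failure modes a practitioner cares about: one uid/gid that resolves to two different SIDs, and hand-assigned AD numbers that sit above the idmap counter and will be handed out again later. It assumes the dumps are in the text form `ldbsearch` prints, that the counter object is `CN=CONFIG` with `xidNumber` as the next free id and `upperBound` as the top of the range, and that the allocator does not consult AD before issuing a number; all sample data is constructed.

```python
"""Cross-check Samba's idmap.ldb against uidNumber/gidNumber held in AD.
Added example, not from the mailing-list post or the Samba project.
Assumed input format: LDIF as printed by `ldbsearch`; the CN=CONFIG object's
xidNumber is the next free id and upperBound the top of the range; the
allocator issues ids from that counter without consulting AD (assumption).
All sample dumps below are constructed."""


def parse_ldif(text):
    """Minimal LDIF reader -> list of {attribute: [values]}.
    Folded lines (leading space) are joined; '#' comment lines are skipped."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines:
        if line.startswith("#"):
            continue
        if not line.strip():          # blank line terminates an entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def load_idmap(text):
    """Returns (next_free_xid, upper_bound, {sid: (xid, ID_TYPE_*)})."""
    next_free = upper = None
    mappings = {}
    for e in parse_ldif(text):
        if e.get("cn") == ["CONFIG"]:           # the counter object
            next_free, upper = int(e["xidNumber"][0]), int(e["upperBound"][0])
        elif "objectSid" in e:                   # one sidMap object per SID
            mappings[e["objectSid"][0]] = (int(e["xidNumber"][0]), e.get("type", ["?"])[0])
    return next_free, upper, mappings


def load_ad_posix(text):
    """sid -> set of posix ids (uidNumber and/or gidNumber) stored in AD."""
    out = {}
    for e in parse_ldif(text):
        if "objectSid" in e:
            out[e["objectSid"][0]] = {int(e[a][0]) for a in ("uidNumber", "gidNumber") if a in e}
    return out


def check(idmap, ad):
    """Classify idmap entries and flag id reuse between the two stores."""
    next_free, upper, mappings = idmap
    owners = {}                                   # posix id -> SIDs claiming it in AD
    for sid, ids in ad.items():
        for x in ids:
            owners.setdefault(x, set()).add(sid)
    report = {"migrated": [], "unmigrated": [], "collisions": [], "at_risk": []}
    for sid, (xid, _type) in mappings.items():
        # AD already carries the same number for this SID: idmap entry is redundant
        (report["migrated"] if xid in ad.get(sid, set()) else report["unmigrated"]).append(sid)
        others = owners.get(xid, set()) - {sid}
        if others:  # one uid/gid resolves to two different security principals
            report["collisions"].append((xid, sid, sorted(others)))
    allocated = {xid for xid, _ in mappings.values()}
    for x, sids in owners.items():
        # hand-picked AD ids above the counter will be reissued by the allocator later
        if next_free <= x <= upper and x not in allocated:
            report["at_risk"].append((x, sorted(sids)))
    report["at_risk"].sort()
    return report


# --- constructed sample dumps (domain SID and RIDs are made up) ---
IDMAP_LDIF = """\
dn: CN=CONFIG
cn: CONFIG
lowerBound: 3000000
upperBound: 4000000000
xidNumber: 3000013

dn: CN=S-1-5-21-1111-2222-3333-1104
objectSid: S-1-5-21-1111-2222-3333-1104
type: ID_TYPE_BOTH
xidNumber: 3000011

dn: CN=S-1-5-21-1111-2222-3333-1105
objectSid: S-1-5-21-1111-2222-3333-1105
type: ID_TYPE_UID
xidNumber: 3000012
"""

AD_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=com
objectSid: S-1-5-21-1111-2222-3333-1104
uidNumber: 3000011
gidNumber: 100

dn: CN=bob,CN=Users,DC=example,DC=com
objectSid: S-1-5-21-1111-2222-3333-1105
uidNumber: 10001

dn: CN=carol,CN=Users,DC=example,DC=com
objectSid: S-1-5-21-1111-2222-3333-1106
uidNumber: 3000012

dn: CN=dave,CN=Users,DC=example,DC=com
objectSid: S-1-5-21-1111-2222-3333-1107
uidNumber: 3000020
"""


def sample_report():
    return check(load_idmap(IDMAP_LDIF), load_ad_posix(AD_LDIF))


if __name__ == "__main__":
    for key, rows in sample_report().items():
        print(f"{key}: {rows}")
```

In the constructed data, alice's idmap number has been copied into her AD uidNumber, so her idmap entry is the kind the post says can be deleted; bob's has not. carol was given a uidNumber equal to the xid idmap already issued to bob, so files owned by 3000012 belong to two principals at once; dave's hand-picked 3000020 sits above the counter and will collide with whatever idmap allocates next. Only "migrated" entries should be removed from idmap; the other three lists are things to fix first.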
