[Samba] question about "idmap config" in multi-forest environment

Jason Haar Jason_Haar at trimble.com
Mon Sep 16 00:26:42 MDT 2013

Hi there

We're having problems with users attaching to our (winbind) Samba
servers and being assigned the same UID. Rarely happens - not repeatable
- but definitely a pattern

Anyway, I've been googling about and I think I've figured out the root
cause, so I thought I'd check with the community first, because if I go
off and change to my new model, it could take months before I find out if
the change worked or not.

On our CentOS-6 servers, running samba-3.5.16-1, our smb.conf currently contains:

winbind uid = 10000-20000
idmap backend = tdb
idmap config * : range = 10000-200000

I *think* the problem is that users connecting from different trusted
domains are being mapped onto the same uid because Samba doesn't
magically figure that out? ie you have to explicitly reference EVERY
domain you have in smb.conf - giving EVERY one of those domains a
separate range of uids?

Is that correct? We have over 20 trusted domains (although that number
depends on what domain a given samba server is joined to) - so do I have
to create a different "idmap config XXXX: range = 10000-190000" for
every one of those domains, otherwise at some stage I might get a
conflict? That seems like such an overhead. Couldn't samba have a new
feature like "idmap config *: domain block = 10000" - so that Samba
automagically splits any domain into its own chunk of the "range"? e.g.
you set range to "10000 - 1000000" and then "block = 10000" would allow
up to 99 domains without any effort?

I know there are ldap and ad backends - but they all assume your Windows
environment is "Unix friendly" which ours isn't. I'm just trying to make
our Samba servers play nicely within our Windows-dominated empire ;-)



Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
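As an added illustration of the per-domain range layout the post is asking about (this is not code from the post or from the Samba project), the script below parses the `idmap config DOMAIN : range = LOW-HIGH` lines out of an smb.conf fragment, reports any pair of ranges that intersect (including the catch-all `*` range, since a UID handed out from the default range and one handed out from an explicit domain range would otherwise collide), counts how many fixed-size blocks fit in a range, and generates the explicit per-domain stanzas that a "domain block" feature would have produced. The smb.conf fragment and the domain names are constructed; the `rid` backend is an assumed choice, and which backends are valid per domain depends on the Samba version in use.

```python
import re
from typing import Dict, List, Tuple

# Constructed smb.conf fragment (not the poster's real file): a catch-all "*"
# range plus two trusted domains whose explicit ranges were typed by hand and
# accidentally overlap each other.
SAMPLE_SMB_CONF = """
[global]
   workgroup = CORP
   security = ads
   idmap backend = tdb
   idmap config * : range = 10000-19999
   idmap config CORP : backend = rid
   idmap config CORP : range = 20000-29999
   idmap config EUROPE : backend = rid
   idmap config EUROPE : range = 25000-34999
"""

# Matches "idmap config <DOMAIN> : range = <low>-<high>" (domain may be "*").
RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
    re.IGNORECASE,
)


def parse_idmap_ranges(conf: str) -> Dict[str, Tuple[int, int]]:
    """Return {DOMAIN: (low, high)} for every idmap range line in conf."""
    ranges: Dict[str, Tuple[int, int]] = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
    return ranges


def find_overlaps(ranges: Dict[str, Tuple[int, int]]) -> List[Tuple[str, str]]:
    """Return every pair of domains whose ranges intersect, sorted by name."""
    names = sorted(ranges)
    clashes: List[Tuple[str, str]] = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            a_lo, a_hi = ranges[a]
            b_lo, b_hi = ranges[b]
            if a_lo <= b_hi and b_lo <= a_hi:   # closed intervals intersect
                clashes.append((a, b))
    return clashes


def blocks_available(low: int, high: int, block: int) -> int:
    """How many fixed-size blocks fit in the inclusive range low..high."""
    return (high - low + 1) // block


def plan_blocks(domains: List[str], base: int, block: int,
                backend: str = "rid") -> str:
    """Emit one non-overlapping per-domain stanza per trusted domain.

    This is the explicit configuration the post would like Samba to derive
    from a single "domain block" setting; the backend name is an assumption.
    """
    lines: List[str] = []
    for i, dom in enumerate(domains):
        low = base + i * block
        high = low + block - 1
        lines.append(f"idmap config {dom} : backend = {backend}")
        lines.append(f"idmap config {dom} : range = {low}-{high}")
    return "\n".join(lines)


if __name__ == "__main__":
    found = parse_idmap_ranges(SAMPLE_SMB_CONF)
    for dom, (lo, hi) in sorted(found.items()):
        print(f"{dom:10s} {lo}-{hi}")
    for a, b in find_overlaps(found):
        print(f"OVERLAP: {a} and {b} share UIDs")
    print(blocks_available(10000, 1000000, 10000), "blocks of 10000 fit")
    print(plan_blocks(["CORP", "EUROPE", "APAC"], 100000, 10000))
```

Run against the constructed fragment it flags CORP and EUROPE as overlapping, reports that a 10000-1000000 range holds 99 blocks of 10000 (the figure the post arrives at), and prints three non-overlapping stanzas starting at 100000. Feeding the generated stanzas back through `parse_idmap_ranges` and `find_overlaps` is a cheap pre-deployment check before touching smb.conf on a server joined to many trusted domains.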
