[Samba] idmap configuration after initial deployment needed?

Rowland Penny rowlandpenny at googlemail.com
Wed Oct 15 09:51:01 MDT 2014

On 15/10/14 16:24, James wrote:
> Hello,
>     Using Ubuntu 12.04 with Samba 4.1.11. I'm currently redirecting
> Windows folders to a Samba DC. This DC is not the one that was
> deployed first. Based on discussions from another thread I copied the
> idmap.ldb from the initial DC to the others that are deployed. I
> noticed upon doing so the file permissions on the shares were broken,
> as in existing users were unable to see their documents or make
> modifications to them. I deleted them from the ACL list and reapplied
> their appropriate permissions. This corrected that issue.
>     I also noticed that an issue I had with applying GPOs to users at
> remote sites was now working again after making this change. With all
> that being said, I was under the impression that I only needed to add
> idmap configurations to my smb.conf if I was using a member server to
> handle shares from Linux/Unix users or workstations. I appear to be
> wrong?  Thanks for any assistance.
The problem starts with what Microsoft calls 'Well-known security
identifiers'. These are mapped on the DC to xidNumbers. Now, wherever
you go in AD, on a Windows machine 'S-1-5-32-544' is the Administrators
group, but as I said, on the DC this is mapped to an xidNumber. The only
problem is that you do not seem to get the same xidNumber on every
samba4 DC; this is why idmap.ldb needs to be copied from the first DC.

There was some talk about mapping these SIDs to a set group of numbers,
but that is as far as it got, the problem being just what numbers to map
them to, or how to map them so that samba admins could choose the
starting base.
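The mismatch Rowland describes (the same well-known SID getting a different xidNumber on each DC) is easy to check for before copying idmap.ldb around. The script below is an added example and is not part of the mailing-list thread or of Samba itself. It parses the LDIF-style output that `ldbsearch` prints for idmap.ldb and reports every SID whose xidNumber differs between two DCs. The two inputs are constructed samples in that output format; the idmap.ldb path in the comment is the usual packaged location and is an assumption, as is the second well-known SID (S-1-5-32-545, Users), which the original post does not mention.

```python
"""Compare SID -> xidNumber mappings from idmap.ldb on two Samba DCs.

Added example, not code from the mailing-list post or from Samba.
Input is the output of, on each DC (path assumed, adjust to your build):
    ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectSid=*)' \
        objectSid xidNumber type
"""
import re

# Constructed sample of the first DC's output (the one samba-tool domain
# provision created). Numbers are made up.
DC1_IDMAP = """\
# record 1
dn: CN=S-1-5-32-544
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000

# record 2
dn: CN=S-1-5-32-545
objectSid: S-1-5-32-545
type: ID_TYPE_BOTH
xidNumber: 3000001

# returned 2 records
"""

# Constructed sample for a DC joined later: Administrators (S-1-5-32-544)
# was allocated a different xidNumber, which is exactly the problem above.
DC2_IDMAP = """\
# record 1
dn: CN=S-1-5-32-545
objectSid: S-1-5-32-545
type: ID_TYPE_BOTH
xidNumber: 3000001

# record 2
dn: CN=S-1-5-32-544
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000012

# returned 2 records
"""


def parse_idmap(ldif_text):
    """Return {objectSid: xidNumber} from ldbsearch output.

    Records are separated by blank lines; lines starting with '#' are
    ldbsearch comments ("# record 1", "# returned N records") and skipped.
    """
    mapping = {}
    for block in re.split(r"\n\s*\n", ldif_text):
        attrs = {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            key, _, value = line.partition(":")
            attrs[key.strip()] = value.strip()
        if "objectSid" in attrs and "xidNumber" in attrs:
            mapping[attrs["objectSid"]] = int(attrs["xidNumber"])
    return mapping


def find_mismatches(primary, secondary):
    """SIDs whose xidNumber on the secondary DC differs from the primary's
    (or is missing there). Value is (primary_xid, secondary_xid_or_None)."""
    mismatches = {}
    for sid, xid in primary.items():
        other = secondary.get(sid)
        if other != xid:
            mismatches[sid] = (xid, other)
    return mismatches


if __name__ == "__main__":
    first = parse_idmap(DC1_IDMAP)
    second = parse_idmap(DC2_IDMAP)
    for sid, (a, b) in sorted(find_mismatches(first, second).items()):
        print(f"{sid}: first DC xidNumber={a}, second DC xidNumber={b}")
```

Run it against real output by saving each DC's `ldbsearch` result to a file and feeding the contents to `parse_idmap`; any SID it reports is one where file ACLs or GPO permissions resolved on the second DC would point at a different Unix id than on the first, which matches the broken share permissions James saw until the ACLs were reapplied.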