[Samba] idmap configuration after initial deployment needed?

James lingpanda101 at gmail.com
Wed Oct 15 14:00:03 MDT 2014

Hi Steve,

     It was based on the discussion using unison and rsync. I did 
attempt to use the sysvol reset command but it had no effect on my 
issue. I fixed the ACL's by going into each users redirected folder from 
a Windows workstation. Right clicking the affected folder and deleting 
the user or group from the security tab. After deletion I added the user 
or group permissions back.

On 10/15/2014 3:50 PM, steve wrote:
> On 15/10/14 17:51, Rowland Penny wrote:
>> On 15/10/14 16:24, James wrote:
>>> Hello,
>>>     Using Ubuntu 12.04 with Samba 4.1.11. I'm currently redirecting
>>> windows folders to a Samba DC. This DC is not the one that was
>>> deployed first. Based on discussions from another thread I copied the
>>> idmap.ldb from the initial DC to the others that are deployed. I
>>> noticed upon doing so the file permissions on the shares were broken.
> Hi
> Not sure which thread you read, but you should copy the db and then 
> run sysvolreset. I thought that this had appeared in the wiki recently.
>>> As in existing users were unable to see their documents or make
>> modifications to them. I deleted them from the ACL list and reapplied
>>> their appropriate permissions. This corrected that issue.
> How did you effect, 'reapplied appropriate permissions'? samba-tool?
> José
>>>     I also noticed that an issue I had with applying GPO's to users at
>>> remote sites was now working again after making this change. With all
>>> that being said. I was under the impressions that I only needed to add
>>> idmap configurations to my smb.conf if I was using a member server to
>>> handle shares from linux/unix users or workstations. I appear to be
>>> wrong?  Thanks for any assistance.
>> The problem starts with what microsoft calls 'Well-known security
>> identifiers', these are mapped on the DC  to xidNumbers, now where ever
>> you go in AD, on a windows machine  'S-1-5-32-544' is the Administrators
>> group, but as I said, on the DC this is mapped to an xidNumber, only
>> problem is that you do not seem to get the same xidNumber on every
>> samba4 DC, this is why idmap.ldb needs to copied from the first DC.
>> There was some talk about mapping these SID's to a set group of numbers,
>> but that is as far as it got, the problem being just what numbers to map
>> them to or how to map them so that samba admins could choose the
>> starting base.
>> Rowland


More information about the samba mailing list