[Samba] Back with my UID problems

Brett Wynkoop wynkoop+samba at wynn.com
Thu Feb 26 20:35:46 MST 2015

On Thu, 26 Feb 2015 19:45:31 -0700
Nigel W <nigel.w at nosun.ca> wrote:

> Hello Brett,
> On Thu, Feb 26, 2015 at 6:10 PM, Brett Wynkoop
> <wynkoop+samba at wynn.com> wrote:
> >
> > Where does your "Wisdom" about no UID below 1000 come from?
> >
> I would guess it comes from distros (mostly the Linux ones) staticly
> assigning UID and GIDs to certain services to make the package
> managers job easier.

Thank you, that was exactly my point.

> But if your existing system has userids below that number, then you
> should no problem from that, but is it something to be aware if you
> add more modern clients.

This is what I was thinking as well.

> >
> > I would submit that if Samba can not do this then Samba 4 is broken.
> > What is even more broken is that samba-tool silently accepted 34 as
> > a UID and created the samba user.  If UIDs below 1000 are forbidden
> > then a properly written program would have thrown an exception.
> >
> Numbers out of a specific range are masked out by idmap.  It seems to
> be 10000-20000 is the default range, presumably to avoid problems of
> domain users getting access to data owned by system services that
> they should not be able to.  You can change this range though, the
> member server setup wiki page[1] explains it well enough.  I am not
> aware of an actual code restriction on the ID range, but I am also
> not a developer.
> [1]
> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server#RFC2307
> Hope this helps,

Thank you for this pointer and confirming what I thought had to be true.
I will check it and see what happens. This is the best help on this
issue since I first brought it to the group last fall.  It is much more
useful than "Change all your existing users to have UIDs greater than

There is a real problem in the FreeSoftware world today with 
people not understanding the hows and whys of things.  Your reply is a
breath of fresh air.

I still contend that samba-tool should not have silently assigned a UID
other than what I requested.  If the user requests something invalid
the proper response for the situation should have to been to given an
ABEND (for the youngsters on the list ABEND == Abnormal End) message
pointing out the problem.

Those who do not learn from history are doomed to repeat it.

Thanks again.



wynkoop at wynn.com               http://prd4.wynn.com/wynkoop/pgp-keys.txt

I would never invade the United States.  There would be a gun behind
every blade of grass.  --Isoroku Yamamoto

More information about the samba mailing list