[Samba] Wither "uidNumber" and "gidNumber"? (was: Re: ldbedit: no matching records - cannot edit (newly-created user))

Rowland Penny rowlandpenny241155 at gmail.com
Sat Sep 12 07:32:17 UTC 2015

On 12/09/15 05:09, Jim Seymour wrote:
> On Fri, 11 Sep 2015 20:57:32 -0300
> Guilherme Boing <kolt+samba at frag.com.br> wrote:
>> If I'm not mistaken you need to --use-rfc2307 when provisioning
>> your domain to have uidNumber/gidNumber.
> [snip]
> Louis' setup/provisioning script reads...
>      ## To create a new domain set to "DC".
>      ## To join a domain with this script, set to "DCJOIN"
>      ## (default is ok for a new domain)
>      ...
>      if [ "${SAMBA_JOIN_DOMAIN}" = "DC" ]; then
>          samba-tool domain provision --use-rfc2307 ...
> And, in /etc/samba/smb.conf there is...
>      idmap_ldb:use rfc2307 = yes
> So I'm kind of guessing it's provisioned with rfc2307?
> Yet...
>      $ wbinfo --name-to-sid username
>      S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-1112 SID_USER (1)
>      $ ldbsearch -H /var/lib/samba/private/idmap.ldb
>         objectsid=S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-1112
>      # record 1
>      dn: CN=S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-1112
>      cn: S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-1112
>      objectClass: sidMap
>      objectSid: S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-1112
>      type: ID_TYPE_BOTH
>      xidNumber: 3000026
>      distinguishedName:
>      CN=S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-1112
>      # returned 1 records
>      # 1 entries
>      # 0 referrals
> The Samba4 docs I was reading before said to ldbedit that record and
> change xidNumber to the user's Unix UID.  But, when I did that,
> that's when the user's roaming profile appeared not to work.  So,
> this time, I left the idmap alone.  Roaming profiles now work, but
> the user's access to his Linux files does not.
> Thanks,
> Jim

Samba4 comes with the uidNumber & gidNumber attributes (and a load of 
others), but they are *not* used as standard, the sysadmin needs to add 

Can I suggest you stop reading the docs you are reading and read the 
samba wiki instead, start here:


The number you refer to: '3000026' is an xidNumber and is stored in 
idmap.ldb, you need to add a 'uidNumber' attribute (containing the UID 
number you want the user to have) to your users object in AD (sam.ldb), 
repeat for other users, but the numbers must be unique. Finally, give 
the 'Domain Users' object in AD a unique gidNumber attribute, what 
number you use is up to you, some people just use the RID '513', others 
use something like '20513', I personally just use '10000'. Whatever 
number you use, it must unique to that group, but it can be the same as 
a user, as this shows:

root at dc01:~# getent passwd rowland
EXAMPLE\rowland:*:10000:10000:Rowland Penny:/home/EXAMPLE/rowland:/bin/bash


More information about the samba mailing list