[Samba] Man page for idmap_rid
fpicabia at gmail.com
Wed Aug 10 13:42:11 UTC 2016
On Tue, Aug 9, 2016 at 4:56 PM, Steve Ankeny via samba <samba at lists.samba.org> wrote:
> On 08/09/2016 03:29 PM, francis picabia via samba wrote:
>> We've modified our smb.conf shares about 10 years ago to have
>> valid users with MYDOM\user and it has worked very well. It is
>> still working well for the most part.
> 10 years ago Samba was configured as a traditional NT Domain, not so
> Active Directory.
> It's not "pouring beer from a bottle (NT Domain) into a glass (AD)" but
> "opening a 'new' bottle of beer"
> In other words, it's two different sets of users (one described by
> smb.conf and the other in the AD LDAP DB)
Ha ha. I wondered last night if the beer analogy would work best, and it
Here is why it is not a new bottle of beer.
The right hand is pouring the bottle, and the left hand is holding the
tilted slightly to avoid frothing, so the user is most pleased. In between
the hands there is an administrative unit known as the brain which has
trust between the left and the right hand being under a common
There are indeed organizations where the left hand doesn't know what
the right hand is doing, but in general that is not the case, and we have
checks to keep things aligned.
There may be a reason why a developer would want to assume
this is a new bottle of beer in light of recent security issues.
On a few dozen systems running Linux and Solaris and in production,
MYDOM\username = username as far as we are concerned. It isn't
unique to Samba. Many applications have a local user which
maps to the AD user and make the assumption they are the same,
which we can do because we administer both ends. We're not
talking about self-sign up portals and mailing lists, but things
which are under one administration.
Other than the case of bug report 10604 and Samba 4.2.10 on Debian,
this solution has been working well for us.