[Samba] "samba-tool user add" and idmap shenanigans

Rowland penny rpenny at samba.org
Mon Feb 1 21:30:14 UTC 2016

On 01/02/16 20:44, Stuart Longland wrote:
> On 01/02/16 19:20, Rowland penny wrote:
>> Yes, the DCs and domain members work differently. On a DC, Windows users
>> are mapped to Unix users in 'idmap.ldb', this is where you will find the
>> xidNumber attributes. On a domain member, the users are mapped via
>> winbind and there are several backends available, though only two are
>> really used, the 'ad' & 'rid' backends. If you use the 'ad' backend, you
>> will have to give all users, that you want to be visible to Unix, a
>> uidNumber attribute and Domain Users (at least) a gidNumber. If you use
>> the 'rid' backend, you do not have to add anything to AD, but you may
>> want to add the 'template' lines to smb.conf on the domain member (see
>> man smb.conf).
> Sounds like the 'rid' backend may prove more flexible in many ways.  I
> take it that using the 'rid' backend, I still get group membership
> information and other metadata provided?

Yes, the differences between the 'ad' & 'rid' backends are:

With the 'ad' backend, you get to use the full range of RFC2307 attributes.

With the 'rid' backend, you only get to use the uidNumber & gidNumber 
attributes; there are, however, 'template shell' & 'template homedirectory' 
lines you can put into smb.conf.

> Alternatively, is there a flag I can pass to `samba-tool` that would
> automatically assign a uidNumber as this is what smbldap-tools and the
> good ol' useradd tools did.  (e.g. adding one to the last allocated
> UID.  Or using xidNumber, since that works too for our needs.)

xidNumber attributes are only used on a DC; they are used nowhere else.
I proposed a patch to samba-tool to make it do what you require; the 
patch was declined. I understand the reason why, but there is nothing 
stopping you writing your own script or using ADUC on a Windows client.

>> You may also want to investigate using a later version of Samba, the
>> version available from Ubuntu is old and in fact when Samba 4.4.0 comes
>> out (due start of March), the 4.1.x series will go EOL. You could use
>> the latest freely available Sernet version, this will get you 4.2.x, or
>> you could very easily compile Samba yourself, if you go down this path,
>> you can get the latest version.
> Indeed, the fun of using the stable branch of a Linux distribution.  If
> I had my way, we'd be running Gentoo and thus have the latest Samba by
> default.
> I'll have a look at the Sernet and see if there's any other Samba
> backports to Ubuntu 14.04 -- I can't be the only one facing this issue.
> (Probably wouldn't be hard to nick the deb sources from the upcoming
> Ubuntu 16.04 and re-compile them on 14.04 too.)

There are later versions available from Sernet, but these require a 
subscription. Ubuntu relies on Debian and whilst there is a later 
version in Debian Experimental, it hasn't got any further than that.

Compiling it yourself is fairly easy and it will install to 


> Regards,
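
The 'rid' backend discussed in this thread needs nothing added to AD because each domain member derives the Unix ID from the RID at the end of the SID, using the formula documented in idmap_rid(8). The sketch below is an added example, not code from the thread or from Samba; the SIDs, the 10000-999999 range and the names `rid_from_sid` and `RidRange` are constructed for illustration.

```python
# Added illustration of the mapping documented in idmap_rid(8):
#   ID  = RID - BASE_RID + LOW_RANGE_ID
#   RID = ID  + BASE_RID - LOW_RANGE_ID
# All SIDs and ranges here are constructed sample values.

def rid_from_sid(sid):
    """Split 'S-1-5-21-a-b-c-RID' into (domain SID, RID)."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError("not a SID: %r" % sid)
    return "-".join(parts[:-1]), int(parts[-1])


class RidRange:
    """One 'idmap config DOMAIN : range = low-high' entry (hypothetical helper)."""

    def __init__(self, domain_sid, low, high, base_rid=0):
        self.domain_sid = domain_sid
        self.low, self.high, self.base_rid = low, high, base_rid

    def to_unix_id(self, sid):
        """Return the Unix ID for a SID, or None if this range cannot map it."""
        domain, rid = rid_from_sid(sid)
        if domain != self.domain_sid:
            return None  # SID belongs to another domain: not ours to map
        unix_id = rid - self.base_rid + self.low
        # An ID that falls outside the configured range stays unmapped,
        # so a too-small range silently hides high-RID accounts.
        return unix_id if self.low <= unix_id <= self.high else None

    def to_sid(self, unix_id):
        """Reverse mapping: Unix ID back to a SID in this domain, or None."""
        if not self.low <= unix_id <= self.high:
            return None
        return "%s-%d" % (self.domain_sid, unix_id + self.base_rid - self.low)


DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed
member = RidRange(DOMAIN_SID, low=10000, high=999999)

if __name__ == "__main__":
    for rid in (513, 1104, 1000000):  # 513 is the well-known Domain Users RID
        print(rid, "->", member.to_unix_id("%s-%d" % (DOMAIN_SID, rid)))
```

Because the result depends only on the RID and the configured range, every domain member that uses the same range resolves a given account to the same Unix ID, which keeps file ownership consistent across members.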
