[Samba] ID mapping & sssd

Henry McLaughlin henry at incred.com.au
Mon Jan 18 19:14:38 UTC 2016

I'm working through learning mapping ids and Rowland has provided the
following advice:

"It is fairly simple, on a DC, users are mapped to (via idmap.ldb) Unix
automatically. On a domain member, you have a choice of backends, but the
two main ones are 'rid' & 'ad'. The 'rid' backend works similar (from an
initial view point) to the DC and maps the users & groups to Unix. The 'ad'
backend is different, any user that you want to be visible to Unix must be
given a uidNumber attribute, this number must be inside the range that is
set in smb.conf, you must also give Domain Users (at least) a gidNumber
attribute, this must also be inside the range set in smb.conf, if you want
any other groups to be visible to Unix, these also must be given a

I think I now understand; however, I have the following questions:

1) When using sssd am I correct in understanding there is no need to
specify an id range in smb.conf?

2) Do I only need to specify uids & gids for the users/groups I explicitly
set unix permissions for?
For example if I set a folder ownership to "root:Domain Admins" then I need
a gid for "Domain Admins" but not uids for any of the members of "Domain

3) Previously I assigned Administrator a uid which caused problems. Why was
this wrong?

4) How do Windows permissions translate to Linux? For example if I set a
folder ownership to "root:Domain Admins" then in Windows I can set other
user permissions that are not explicitly set at the Linux level.

5) Why does "Domain Users" need a gid if I don't explicitly use it for
Linux permissions?

Thanks in advance...
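
The range rule for the 'ad' backend quoted above, as an added example that is not part of the original post: it reads the idmap ranges from an smb.conf fragment and reports which uidNumber/gidNumber values fall inside the domain's range. The domain name SAMDOM, both ranges and the directory entries are constructed sample values, and it covers winbind's 'ad' backend only, not sssd.

```python
import re

# Constructed smb.conf fragment for a domain member (SAMDOM and ranges are assumed).
SMB_CONF = """
[global]
security = ads
workgroup = SAMDOM
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config SAMDOM : backend = ad
idmap config SAMDOM : schema_mode = rfc2307
idmap config SAMDOM : range = 10000-999999
"""

# Constructed directory data: name -> uidNumber/gidNumber, None if the attribute is unset.
SAMPLE = {"henry": 10001, "Domain Users": 10000, "alice": None, "svc-backup": 500}

IDMAP_LINE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*([^=]+?)\s*=\s*(.+?)\s*$", re.I)

def idmap_settings(conf_text):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_LINE.match(line)
        if m:
            domain, option, value = m.groups()
            domains.setdefault(domain, {})[option] = value
    return domains

def id_range(settings, domain):
    low, high = settings[domain]["range"].split("-")
    return int(low), int(high)

def ranges_overlap(settings):
    """True if any two configured idmap ranges share an ID (they must not)."""
    spans = sorted(id_range(settings, d) for d in settings if "range" in settings[d])
    return any(a[1] >= b[0] for a, b in zip(spans, spans[1:]))

def check_ad_ids(settings, domain, entries):
    """Classify each entry against the 'ad' backend range of the given domain."""
    low, high = id_range(settings, domain)
    result = {}
    for name, number in entries.items():
        if number is None:
            result[name] = "no attribute"      # not visible to Unix
        elif low <= number <= high:
            result[name] = "mapped"
        else:
            result[name] = "outside range"     # attribute set, but not visible to Unix
    return result

if __name__ == "__main__":
    for name, status in check_ad_ids(idmap_settings(SMB_CONF), "SAMDOM", SAMPLE).items():
        print(f"{name}: {status}")
```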
