Rowland Penny rpenny at samba.org
Thu Oct 27 19:42:39 UTC 2016

On Thu, 27 Oct 2016 17:23:43 -0200
Vinicius Bones Silva via samba <samba at lists.samba.org> wrote:

> Hi Rowland,
>      Just to let you know, we removed all the idmap entries we had on
> the smb.conf of our two DCs and the ids reported by getent passwd at
> the DCs were in the 3.000.000 range, as you said. We had to add back
> 'idmap_ldb:use rfc2307 = yes' to get the user listing with the
> original numbers on the DCs.
> Here's what we commented out on the configurationfiles.
>          # Default idmap config used for BUILTIN and local
> accounts/groups #idmap config *:backend = ad
>          #idmap config *:range = 2000-9999
>          # idmap config for domain E-TRUST
>          #idmap config E-TRUST:backend = ad
>          #idmap config E-TRUST:schema_mode = rfc2307
>          #idmap config E-TRUST:range = 10000-40000
>          #idmap cache time = 1
>          #idmap negative cache time = 1
>          #winbind cache time = 1
>          idmap_ldb:use rfc2307 = yes

Yes those are the lines you should only have on a domain member (aka
fileserver, printserver). The only idmap line you should have on a DC is
the 'idmap_ldb:use rfc2307 = yes' line, without this line, rfc2307
will not be used and unfortunately it is not added automatically to
any DCs that are joined to the domain.


More information about the samba mailing list