Ryan Ashley ryana at reachtechfp.com
Thu Oct 27 19:52:09 UTC 2016

Slightly off-topic, but I thought setting those set the limits for going
into the NIS attributes tab in Windows. I understood the Samba wiki to
explain that using those lines is how you set the upper and lower limits
that Windows sees and uses. Is this incorrect?

Lead IT/IS Specialist
Reach Technology FP, Inc

On 10/27/2016 03:42 PM, Rowland Penny via samba wrote:
> On Thu, 27 Oct 2016 17:23:43 -0200
> Vinicius Bones Silva via samba <samba at lists.samba.org> wrote:
>> Hi Rowland,
>>      Just to let you know, we removed all the idmap entries we had on
>> the smb.conf of our two DCs and the ids reported by getent passwd at
>> the DCs were in the 3.000.000 range, as you said. We had to add back
>> 'idmap_ldb:use rfc2307 = yes' to get the user listing with the
>> original numbers on the DCs.
>> Here's what we commented out on the configurationfiles.
>>          # Default idmap config used for BUILTIN and local
>> accounts/groups #idmap config *:backend = ad
>>          #idmap config *:range = 2000-9999
>>          # idmap config for domain E-TRUST
>>          #idmap config E-TRUST:backend = ad
>>          #idmap config E-TRUST:schema_mode = rfc2307
>>          #idmap config E-TRUST:range = 10000-40000
>>          #idmap cache time = 1
>>          #idmap negative cache time = 1
>>          #winbind cache time = 1
>>          idmap_ldb:use rfc2307 = yes
> Yes those are the lines you should only have on a domain member (aka
> fileserver, printserver). The only idmap line you should have on a DC is
> the 'idmap_ldb:use rfc2307 = yes' line, without this line, rfc2307
> will not be used and unfortunately it is not added automatically to
> any DCs that are joined to the domain.
> Rowland

More information about the samba mailing list