[Samba] Corrupted idmap...

Rowland Penny rpenny at samba.org
Tue Jan 17 15:57:44 UTC 2017

On Tue, 17 Jan 2017 10:04:23 -0500
Ryan Ashley via samba <samba at lists.samba.org> wrote:

Firstly, 'gencache_notrans.tdb' is a cache file and is recreated when
Samba is restarted.

> Rowland, I was just reading over another thread on this list about the
> inability to access group policy from client machines. The user did
> not have the symlinks setup (I do) but one thing you mentioned was
> using the NIS attributes to set UID/GID numbers for the domain. You
> said we should not do this for certain users and groups, but there is
> no mention of this in the guides to setting up an AD DC, so I have
> always done it. We do this to make our Linux-based NAS devices work.

The only Windows group that needs a gidNumber attribute is Domain
Users, and then only when you use the winbind 'ad' backend on a domain
member. The other Windows groups don't need a gidNumber; in fact, as
Domain Admins needs to own directories in sysvol, you definitely
shouldn't give this group a gidNumber.
If you have to set up Samba this way because of your NAS, I would look
closely at your NAS ;-)

> Furthermore, you recommended the user use the idmap lines to ensure
> consistent UID/GID numbers across devices, yet you suggested I turn
> the exact same lines off in my config. Why is this? I understand our
> situations are different, but when should we set winbind to use the AD
> backend and set UID/GID numbers? How do we do this so Linux-based file
> services can be accessed by users and come out the same?

You are mixing up idmap on a DC and a Unix domain member. On a DC,
idmapping is done in idmap.ldb, users & groups are allocated an
xidNumber in the '3000000' range, the number allocated is on the next
number available basis, apart from 'Administrator', 'Domain Users' and
'nobody' which get '0', '100' and '65534'.

On a Unix domain member, the two main ways of setting up idmapping are
with the winbind 'rid' and 'ad' backends. The 'rid' backend calculates
an ID from the Windows RID, so you don't have to add anything to AD.
This means that whilst, by using the 'rid' backend, you will get the
same ID on every Unix domain member, it will still be different from
the ID on a DC (and the ID will probably be different on other DCs).

The only way to get the same ID everywhere is to use the 'ad' backend.
If you give a user a uidNumber and run 'net cache flush', this will be
used instead of the xidNumber without modifying smb.conf in any way.
On a Unix domain member it is different, you need to add something
like this:

    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    ## map ids from the domain  the ranges may not overlap !
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : schema_mode = rfc2307
    idmap config SAMDOM : range = 10000-999999

Now provided that the uidNumber attributes you have added are between
10000 and 999999 AND you have given Domain users a gidNumber in the
same range, getent will display info for your users.

Now somebody (and I know who) recommended adding those lines to the
smb.conf, but they do nothing on a DC. Well, they didn't until 4.5.0
came out, and then they started causing errors, so bottom line: don't add
them to a Samba AD DC smb.conf.
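As an added illustration of the domain-member idmap rules Rowland describes (this is example code written for this page, not Samba's own implementation), the script below parses a constructed smb.conf fragment laid out like the one in the mail, enforces the "ranges may not overlap" rule from the config comment, models the 'ad' backend's rule that a uidNumber/gidNumber is only honoured when it falls inside the domain's configured range, and models the 'rid' backend's arithmetic (ID = RID + low end of the range, as documented for idmap_rid). The domain name SAMDOM, the SIDs and the AD entries are constructed sample values.

```python
"""Model of the winbind 'rid' and 'ad' idmap backends and the range-overlap
check.  Added example, not Samba code; all config fragments, SIDs and AD
entries below are constructed."""
import re

# Constructed smb.conf fragment, same layout as the domain-member config in the mail.
MEMBER_CONF = """
[global]
   idmap config * : backend = tdb
   idmap config * : range = 2000-9999
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : schema_mode = rfc2307
   idmap config SAMDOM : range = 10000-999999
"""

# Constructed variant whose SAMDOM range collides with the '*' range.
BAD_CONF = """
   idmap config * : backend = tdb
   idmap config * : range = 2000-9999
   idmap config SAMDOM : backend = rid
   idmap config SAMDOM : range = 5000-99999
"""

# Accepts both 'idmap config *:backend' and 'idmap config SAMDOM : backend' spellings.
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.M)


def parse_idmap(conf):
    """Collect 'idmap config <domain> : <option> = <value>' lines into a dict."""
    cfg = {}
    for dom, opt, val in IDMAP_RE.findall(conf):
        cfg.setdefault(dom, {})[opt] = val
    return cfg


def parse_range(text):
    """Turn 'LOW-HIGH' into an (int, int) tuple, rejecting inverted ranges."""
    lo, hi = (int(x) for x in text.split("-"))
    if lo >= hi:
        raise ValueError("range low must be below high: %s" % text)
    return lo, hi


def range_problems(cfg):
    """Return human-readable problems: a domain with no range, or two
    domains whose ranges overlap (the rule from the config comment)."""
    problems = []
    ranges = {}
    for dom, opts in cfg.items():
        if "range" not in opts:
            problems.append("%s: no range" % dom)
            continue
        ranges[dom] = parse_range(opts["range"])
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                problems.append("%s %s overlaps %s %s" % (a, ranges[a], b, ranges[b]))
    return problems


def rid_backend_id(sid, low):
    """idmap_rid arithmetic as documented by Samba: ID = RID + LOW_RANGE_ID.
    Same result on every member using this range, but unrelated to the DC's xidNumber."""
    rid = int(sid.rsplit("-", 1)[1])
    return low + rid


def ad_backend_id(entry, attr, rng):
    """idmap_ad: use the uidNumber/gidNumber stored in AD, but only if it lies
    inside the domain's configured range; otherwise the object stays unmapped."""
    value = entry.get(attr)
    if value is None:
        return None
    lo, hi = rng
    return value if lo <= value <= hi else None


def demo():
    cfg = parse_idmap(MEMBER_CONF)
    rng = parse_range(cfg["SAMDOM"]["range"])
    # Constructed AD objects carrying RFC2307 attributes.
    user = {"sAMAccountName": "alice", "uidNumber": 10005}
    domain_users = {"sAMAccountName": "Domain Users", "gidNumber": 10000}
    out_of_range = {"sAMAccountName": "bob", "uidNumber": 3000000}  # DC-style xid, not in range
    return {
        "problems": range_problems(cfg),
        "bad_problems": range_problems(parse_idmap(BAD_CONF)),
        "alice": ad_backend_id(user, "uidNumber", rng),
        "domain_users": ad_backend_id(domain_users, "gidNumber", rng),
        "bob": ad_backend_id(out_of_range, "uidNumber", rng),
        "rid_alice": rid_backend_id("S-1-5-21-1-2-3-1105", 10000),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running it shows the member config passing the overlap check, the colliding variant being flagged, alice and Domain Users resolving through the 'ad' backend because their numbers sit in 10000-999999, bob staying unmapped because a 3000000-range xidNumber copied from a DC is outside that range, and the 'rid' backend producing a deterministic but unrelated ID for the same user.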

