[Samba] Corrupted idmap...

Rowland Penny rpenny at samba.org
Sat Jan 21 18:40:22 UTC 2017

On Sat, 21 Jan 2017 18:05:52 +0000
Alex Crow via samba <samba at lists.samba.org> wrote:

> Yes, this does not make sense.
> If I have member file servers, and I want to be in control of which
> groups can access what, surely winbind needs to be able to get a GID
> from AD?
> It may be different in our case as we migrated from classic Samba, but
> every non-builtin group we have has a GID assigned and it works
> perfectly. Indeed, if I create a new group without assigning a Unix
> GID, it is not even visible on the member file servers, so IMHO the
> advice you've been given is not correct. Your non-builtin groups that
> you use for file access controls must have a GID number if you're
> using rfc idmap.
> I understand that idmap configuration is not usable on a DC.
> Cheers
> Alex

OK, lets have a look at the 'idmap config' lines on a Unix domain

    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    ## map ids from the domain  the ranges may not overlap !
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : schema_mode = rfc2307
    idmap config SAMDOM : range = 10000-999999

Now if a user has a uidNumber inside '10000-999999', or a group has a
gidNumber inside the same range AND Domain Users has a gidNumber, then
they will be shown as members of the 'SAMDOM' domain. Anything else and
this includes the Well Known SIDs shown here:


will be mapped to the '*' domain using the '2000-9999' range.

Just because 'getent' doesn't show the user or group, doesn't mean
winbind isn't aware who they are.

What you have to ask your self is 'does Unix have to know who this
windows user or group is ?'


More information about the samba mailing list