[Samba] Corrupted idmap...

Ryan Ashley ryana at reachtechfp.com
Sun Jan 22 00:15:51 UTC 2017


I am still slightly confused here. I set these options on the domain
members (no clue how on earth to do this on a NAS), but how does it match
up? I would think the server has to have the UID/GID info so each
workstation has the same UID/GID for whatever user or group. If user A
logs into station 1 and gets the first UID there, but he is the second
user to log in to station 2, he gets the second UID there. Am I missing
the big picture here?

Lead IT/IS Specialist
Reach Technology FP, Inc

On 01/21/2017 01:40 PM, Rowland Penny via samba wrote:
> On Sat, 21 Jan 2017 18:05:52 +0000
> Alex Crow via samba <samba at lists.samba.org> wrote:
> 
>> Yes, this does not make sense.
>>
>> If I have member file servers, and I want to be in control of which
>> groups can access what, surely winbind needs to be able to get a GID
>> from AD?
>>
>> It may be different in our case as we migrated from classic Samba, but
>> every non-builtin group we have has a GID assigned and it works
>> perfectly. Indeed, if I create a new group without assigning a Unix
>> GID, it is not even visible on the member file servers, so IMHO the
>> advice you've been given is not correct. Your non-builtin groups that
>> you use for file access controls must have a GID number if you're
>> using rfc idmap.
>>
>> I understand that idmap configuration is not usable on a DC.
>>
>> Cheers
>>
>> Alex
>>
>>
> 
> OK, let's have a look at the 'idmap config' lines on a Unix domain
> member:
> 
>     idmap config *:backend = tdb
>     idmap config *:range = 2000-9999
>     ## map ids from the domain  the ranges may not overlap !
>     idmap config SAMDOM : backend = ad
>     idmap config SAMDOM : schema_mode = rfc2307
>     idmap config SAMDOM : range = 10000-999999
> 
> Now if a user has a uidNumber inside '10000-999999', or a group has a
> gidNumber inside the same range AND Domain Users has a gidNumber, then
> they will be shown as members of the 'SAMDOM' domain. Anything else and
> this includes the Well Known SIDs shown here:
> 
> https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems
> 
> will be mapped to the '*' domain using the '2000-9999' range.
> 
> Just because 'getent' doesn't show the user or group, doesn't mean
> winbind isn't aware who they are.
> 
> What you have to ask yourself is 'does Unix have to know who this
> Windows user or group is ?'
> 
> Rowland
> 
> 
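Added example, not code from this thread or from the Samba project: a small Python model of the idmap decision Rowland describes for a Unix domain member. It shows why objects resolved through the 'ad' backend get the same UID/GID on every member (the number is read from AD), while objects that fall into the '*' domain get a per-host number from the tdb backend in first-seen order, which is exactly the "first user on station 1, second user on station 2" situation. The two ranges are the ones in the quoted smb.conf; every user, group, host and login order below is constructed for illustration, and the "Domain Users must have a gidNumber" condition is taken from the quoted message.

```python
# Added example (not from the Samba list thread): model of winbind's choice
# between the SAMDOM ('ad' backend) and '*' ('tdb' backend) idmap domains on a
# Unix domain member, following the rules in the quoted reply.
from dataclasses import dataclass
from typing import Optional, Tuple

DOMAIN = "SAMDOM"
DOMAIN_RANGE = (10000, 999999)   # idmap config SAMDOM : range (from the quoted smb.conf)
DEFAULT_RANGE = (2000, 9999)     # idmap config * : range     (from the quoted smb.conf)


@dataclass(frozen=True)
class ADObject:
    name: str
    kind: str                     # "user" or "group"
    id_number: Optional[int]      # uidNumber / gidNumber stored in AD, or None if unset


def in_range(n: Optional[int], rng: Tuple[int, int]) -> bool:
    return n is not None and rng[0] <= n <= rng[1]


class TdbAllocator:
    """Per-host allocator for the '*' domain (backend = tdb). IDs are handed
    out from the default range in the order objects are first seen and kept
    in a host-local table, so nothing keeps two members in step."""

    def __init__(self, rng: Tuple[int, int] = DEFAULT_RANGE):
        self.next_id, self.high = rng
        self.table = {}

    def allocate(self, name: str) -> int:
        if name not in self.table:
            if self.next_id > self.high:
                raise RuntimeError("default idmap range exhausted")
            self.table[name] = self.next_id
            self.next_id += 1
        return self.table[name]


def resolve(obj: ADObject, domain_users_gid: Optional[int], allocator: TdbAllocator):
    """Return (idmap domain, unix id) for one object on one host.
    Rule as quoted: the object is shown as a SAMDOM member only if its
    uidNumber/gidNumber lies inside the SAMDOM range AND Domain Users has a
    gidNumber; anything else, well-known SIDs included, lands in '*'."""
    if in_range(obj.id_number, DOMAIN_RANGE) and in_range(domain_users_gid, DOMAIN_RANGE):
        return (DOMAIN, obj.id_number)
    return ("*", allocator.allocate(obj.name))


def map_on_host(seen_in_order, domain_users_gid: Optional[int]):
    """Simulate one domain member meeting the given objects in that order."""
    allocator = TdbAllocator()
    return {obj.name: resolve(obj, domain_users_gid, allocator) for obj in seen_in_order}


# Constructed sample objects (hypothetical names and numbers)
ALICE = ADObject("alice", "user", 10001)
BOB = ADObject("bob", "user", 10002)
ADMINS = ADObject("BUILTIN\\Administrators", "group", None)          # well-known SID, no gidNumber
AUTH_USERS = ADObject("NT AUTHORITY\\Authenticated Users", "group", None)
DOMAIN_USERS_GID = 10000

# Two members that meet the same objects in a different order
HOST1 = map_on_host([ALICE, ADMINS, BOB, AUTH_USERS], DOMAIN_USERS_GID)
HOST2 = map_on_host([BOB, AUTH_USERS, ALICE, ADMINS], DOMAIN_USERS_GID)


def consistent_across_hosts(name: str) -> bool:
    """True when both members resolved the object to the same (domain, id)."""
    return HOST1[name] == HOST2[name]


if __name__ == "__main__":
    for name in HOST1:
        print(f"{name:40} host1={HOST1[name]} host2={HOST2[name]} "
              f"same={consistent_across_hosts(name)}")
```

Running it shows alice and bob with identical IDs on both hosts, because the number comes from AD rather than from each host, while the two well-known groups swap numbers between host1 and host2. Passing None as the Domain Users gidNumber pushes even alice into the '*' domain, which is why Rowland insists that attribute be set.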
