[Samba] Corrupted idmap...

Ryan Ashley ryana at reachtechfp.com
Tue Jan 24 18:45:16 UTC 2017


OK, so let me get this straight in my head. I set the "idmap config"
ranges to the same range on every Unix/Linux box on the domain while NOT
setting those lines on the server itself. After that I can create new
users and give them a UID while NOT giving a UID to the built-in
accounts such as domain admin or domain guest. I then give each new
group I create a GID and the ONLY built-in group I can assign a GID to
is "Domain Users". I cannot assign a GID to "Domain Admins", "Domain
Guests", or any other group that comes with the domain. Doing this
should satisfy the *nix boxes and prevent the issue we had here. Is this
correct?

Also, I do not give machine accounts an ID, I was just using a
multi-computer setup (one named 1 and one named 2) as an example. I do
not know of any reason to assign an ID to a machine account. Then again,
I'm not Bill Gates or the Samba expert either.

Thanks for all of your help, Rowland. You've been an invaluable help
over the years.

Lead IT/IS Specialist
Reach Technology FP, Inc

On 01/22/2017 04:58 AM, Rowland Penny via samba wrote:
> On Sat, 21 Jan 2017 19:15:51 -0500
> Ryan Ashley via samba <samba at lists.samba.org> wrote:
> 
>> I am still slightly confused here. I set these options on the domain
>> members (no clue how on earth to do this on a NAS) but how does it
>> match up? I would think the server has to have the UID/GID info so
>> each workstation has the same UID/GID for whatever user or group. If
>> user A logs into station 1 and gets the first UID there, but he is
>> the second user to login to station 2 he gets the second UID there.
>> Am I missing the big picture here?
>>
> 
> Whilst you can give a workstation a uidNumber, it isn't really needed,
> but if you feel you must, then you will also need to give the
> workstation's primary group 'Domain Computers' a gidNumber.
> 
> If you are using the winbind 'ad' backend, then (provided 'Domain
> Users' has a gidNumber and the same 'idmap config' lines are used on
> all Unix domain members) your users (that have a uidNumber) should get
> the same UID on every Unix domain member, the same goes for groups.
> 
> There is also the winbind 'rid' backend; this calculates the user or
> group ID from the user/group RID and again (provided the same 'idmap
> config' lines are used on all Unix domain members) the IDs will be the
> same.
> 
> The only problem with using the 'rid' backend is that it cannot be
> used on a DC. This means that the only way to get the same user or
> group ID on all Unix computers is to use the 'ad' backend.
> 
> I have no idea how to set up your NAS, mainly because I don't know
> what NAS you are using, but you will probably have to manually edit the
> smb.conf.
> 
> Rowland
> 
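The exchange above turns on one point: a Unix domain member derives IDs only from its own 'idmap config' lines (plus, for the 'ad' backend, the uidNumber/gidNumber attributes in AD), so two members agree exactly when those lines agree. The following is an added model of that behaviour, not Samba's code and not part of the original thread. The 'rid' arithmetic follows the formula documented in idmap_rid(8), ID = RID + LOW_RANGE_ID; the 'ad' model requires a uidNumber on the user and a gidNumber on the user's primary group, as Rowland describes. The domain SID, account names, ranges and the four smb.conf fragments are constructed sample data.

```python
"""Model of how winbind's 'rid' and 'ad' idmap backends derive Unix IDs.

Added illustration, not Samba's code. 'rid': ID = RID + LOW_RANGE_ID, as in
idmap_rid(8). 'ad': uidNumber/gidNumber are read from a dict standing in for
AD. The domain SID, accounts, ranges and smb.conf fragments are constructed.
"""
import re

DOMAIN = "EXAMPLE"
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

# Constructed smb.conf fragments for four Unix domain members. member1 and
# member2 carry identical lines; member3 uses 'rid' with the same range;
# member4 uses 'rid' with a different range.
SMB_CONF = {
    "member1": "idmap config * : backend = tdb\n"
               "idmap config * : range = 3000-7999\n"
               "idmap config EXAMPLE : backend = ad\n"
               "idmap config EXAMPLE : schema_mode = rfc2307\n"
               "idmap config EXAMPLE : range = 10000-999999\n",
    "member2": "idmap config * : backend = tdb\n"
               "idmap config * : range = 3000-7999\n"
               "idmap config EXAMPLE : backend = ad\n"
               "idmap config EXAMPLE : schema_mode = rfc2307\n"
               "idmap config EXAMPLE : range = 10000-999999\n",
    "member3": "idmap config * : backend = tdb\n"
               "idmap config * : range = 3000-7999\n"
               "idmap config EXAMPLE : backend = rid\n"
               "idmap config EXAMPLE : range = 10000-999999\n",
    "member4": "idmap config * : backend = tdb\n"
               "idmap config * : range = 3000-7999\n"
               "idmap config EXAMPLE : backend = rid\n"
               "idmap config EXAMPLE : range = 20000-999999\n",
}

# Constructed stand-in for the AD objects the 'ad' backend reads over LDAP.
DIRECTORY = {
    f"{DOMAIN_SID}-513": {"name": "Domain Users", "gidNumber": 10000},
    f"{DOMAIN_SID}-512": {"name": "Domain Admins"},                 # no gidNumber
    f"{DOMAIN_SID}-500": {"name": "Administrator",                  # built-in, no uidNumber
                          "primaryGroupSid": f"{DOMAIN_SID}-513"},
    f"{DOMAIN_SID}-1106": {"name": "alice", "uidNumber": 10001,
                           "primaryGroupSid": f"{DOMAIN_SID}-513"},
    f"{DOMAIN_SID}-1107": {"name": "bob", "uidNumber": 10002,       # primary group has no gidNumber
                           "primaryGroupSid": f"{DOMAIN_SID}-512"},
}


def rid_of(sid):
    """Return the RID (last sub-authority) of a domain SID such as S-1-5-21-...-1106."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain SID: {sid}")
    return int(m.group(1))


def parse_idmap_config(smb_conf, domain=DOMAIN):
    """Collect the 'idmap config DOMAIN : key = value' lines for one domain."""
    cfg = {}
    for line in smb_conf.splitlines():
        m = IDMAP_RE.match(line)
        if m and m.group(1).upper() == domain.upper():
            cfg[m.group(2).lower()] = m.group(3)
    low, high = (int(x) for x in cfg["range"].split("-"))
    cfg["range"] = (low, high)
    return cfg


def rid_backend(cfg, sid):
    """'rid': ID = RID + low end of the range; None if that lands above the range."""
    low, high = cfg["range"]
    xid = rid_of(sid) + low
    return xid if xid <= high else None


def ad_backend(cfg, sid, directory=DIRECTORY):
    """'ad': needs a uidNumber inside the range and a primary group with a gidNumber."""
    low, high = cfg["range"]
    entry = directory.get(sid)
    if entry is None or "uidNumber" not in entry:
        return None
    if "gidNumber" not in directory.get(entry.get("primaryGroupSid"), {}):
        return None
    uid = entry["uidNumber"]
    return uid if low <= uid <= high else None


BACKENDS = {"rid": rid_backend, "ad": ad_backend}


def map_sid(cfg, sid):
    """Resolve one SID the way the member's configured backend would."""
    return BACKENDS[cfg["backend"].lower()](cfg, sid)


def ids_across_members(sid, members=None, confs=SMB_CONF):
    """Map one SID on each member; identical idmap lines give identical IDs."""
    hosts = members or list(confs)
    return {h: map_sid(parse_idmap_config(confs[h]), sid) for h in hosts}


def consistent(sid, members=None):
    """True when every selected member resolves the SID to the same Unix ID."""
    return len(set(ids_across_members(sid, members).values())) == 1


if __name__ == "__main__":
    for who, rid in (("alice", 1106), ("Administrator", 500)):
        print(who, ids_across_members(f"{DOMAIN_SID}-{rid}"))
```

Running it shows alice as 10001 on the two 'ad' members but 11106 and 21106 on the two 'rid' members, and the built-in Administrator (no uidNumber) as unmapped on the 'ad' members while 'rid' still synthesises an ID for it; bob, whose primary group 'Domain Admins' has no gidNumber, is unmapped under 'ad' even though he has a uidNumber.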