[Samba] winbind BUILTIN config

Mircea Husz mirceahusz at yahoo.com
Fri Jan 27 20:50:48 UTC 2017


We have a samba3 domain which provides logon services for Windows clients, and several cifs shares, some for Windows clients and some for linux servers to mount. I am testing samba 4.5.4 in a lab to understand all that needs to happen for a migration to AD on samba4.

During testing we bumped up against winbind config for Linux member servers. Since we want users to authenticate against AD, the choice of back ends is tdb for the BUILTIN accounts, and ad for our domain.

User accounts have unix UIDs / GIDs assigned and we configured the ad backend range to match the range of UIDs / GIDs.
But I don't understand how to map the BUILTIN accounts in tdb. I noticed by checking on the AD server that BUILTINs have values starting at 30000000, for example 3000007 (BUILTIN\users).

So what is a sensible mapping for the BUILTIN accounts / groups? Or better yet, why not just let it be at the values hardcoded on the AD server? 

I need an algorithm that explains how to arrive at a workable range.

This is the relevant section from smb.conf, which, btw, works fine from what I can tell.

idmap config * : backend = tdb
idmap config * : range = 30000-40000

idmap config MYDOM:backend = ad
idmap config MYDOM:range = 10000-20000
idmap config MYDOM:schema_mode = rfc2307

winbind nss info = rfc2307
winbind use default domain = yes
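
An added example, not part of the original post and not Samba code: a Python check that reads the `idmap config ... : range` lines from an smb.conf like the one above and reports ranges that overlap, since the default (`*`) range and each domain range have to be disjoint. The function names and the embedded sample text are assumptions made for illustration.

```python
import re
from itertools import combinations

# Matches e.g. "idmap config MYDOM:range = 10000-20000"; spaces around ':' optional.
RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
    re.IGNORECASE,
)

# Constructed sample: the idmap lines from the smb.conf in the post.
SAMPLE_CONF = """\
idmap config * : backend = tdb
idmap config * : range = 30000-40000

idmap config MYDOM:backend = ad
idmap config MYDOM:range = 10000-20000
idmap config MYDOM:schema_mode = rfc2307
"""

def parse_idmap_ranges(conf_text):
    """Return {domain: (low, high)} for every idmap range line found."""
    ranges = {}
    for line in conf_text.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges

def check_ranges(ranges):
    """Return a list of problems: inverted ranges and overlapping pairs."""
    problems = []
    for dom, (low, high) in ranges.items():
        if low > high:
            problems.append(f"{dom}: low {low} is above high {high}")
    for (a, (alo, ahi)), (b, (blo, bhi)) in combinations(sorted(ranges.items()), 2):
        if alo <= bhi and blo <= ahi:  # closed intervals intersect
            problems.append(f"{a} {alo}-{ahi} overlaps {b} {blo}-{bhi}")
    return problems

def owner_of(ranges, unix_id):
    """Return the domain whose range contains unix_id, or None."""
    for dom, (low, high) in ranges.items():
        if low <= unix_id <= high:
            return dom
    return None

if __name__ == "__main__":
    r = parse_idmap_ranges(SAMPLE_CONF)
    print(r, check_ranges(r) or "no overlap")
```

`owner_of` shows which configured range, if any, a given UID or GID falls into, which helps when checking that every assigned rfc2307 ID sits inside the `ad` range.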

