[Samba] winbind BUILTIN config

Rowland Penny rpenny at samba.org
Fri Jan 27 21:38:53 UTC 2017

On Fri, 27 Jan 2017 20:50:48 +0000 (UTC)
Mircea Husz via samba <samba at lists.samba.org> wrote:

> All,
> We have a samba3 domain which provides logon services for Windows
> clients, and several cifs shares, some for Windows clients and some
> for linux servers to mount. I am testing samba 4.5.4 in a lab to
> understand all that needs to happen for a migration to AD on samba4.
> During testing we bumped up against winbind config for linux member
> servers. Since we want users to authenticate against AD, the choice
> of back ends is tdb for the BUILTIN accounts, and ad for our domain.
> User accounts have unix UIDs / GIDs assigned and we configured the ad
> backend range to match the range of UIDs / GIDs. But I don't
> understand how to map the BUILTIN accounts in tdb. I noticed by
> checking on the AD server that BUILTINs have values starting at
> 30000000 for example 3000007(BUILTIN\users) 
> So what is a sensible mapping for the BUILTIN accounts / groups? Or
> better yet, why not just let it be at the values hardcoded on the AD
> server? 
> I need an algorithm that explains how to arrive at a workable range.
> This is the relevant section from smb.conf, which, btw, works fine
> from what I can tell.
> idmap config * : backend = tdb
> idmap config * : range = 30000-40000
> idmap config MYDOM:backend = ad
> idmap config MYDOM:range = 10000-20000
> idmap config MYDOM:schema_mode = rfc2307
> winbind nss info = rfc2307
> winbind use default domain = yes
> Thanks,
> -Mike

You could use the example ranges shown on the Samba wiki:


This uses '3000-7999' for the '*' domain (Well Known SIDs etc) and 
'10000-999999' for the 'MYDOM' domain

With this you have space below '3000' for any local Unix users you
might need; starting the main domain at '10000' is in line with where
ADUC on Windows starts them.

You do not need to know the IDs of most of the Well Known SIDs; you
only need to give Domain Users a gidNumber containing a number inside
the 'MYDOM' range, i.e. '10000'.
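
Added example, not part of the original message or of Samba itself: a small Python check that reads the `idmap config` lines of an smb.conf, reports ranges that overlap each other or start inside the space kept for local Unix IDs, and tests whether a given gidNumber falls inside a domain's range. Overlapping ranges matter because two different SIDs could then be mapped to the same Unix ID. The function names and the `local_ceiling=3000` default (taken from the "space below '3000'" remark above) are assumptions.

```python
import re

# "idmap config DOMAIN : key = value"; spaces around ':' are optional.
IDMAP_RE = re.compile(r"^idmap config\s+(\S+?)\s*:\s*(.+?)\s*=\s*(.+)$", re.I)

def parse_idmap(conf_text):
    """Return {domain: {"backend": str, "range": (low, high), ...}}."""
    domains = {}
    for raw in conf_text.splitlines():
        m = IDMAP_RE.match(raw.strip())
        if not m:
            continue
        domain, key, value = m.group(1).upper(), m.group(2).lower(), m.group(3)
        if key == "range":
            low, high = (int(part) for part in value.split("-", 1))
            value = (low, high)
        domains.setdefault(domain, {})[key] = value
    return domains

def check_ranges(domains, local_ceiling=3000):
    """Return a list of problems; an empty list means no collisions found."""
    problems, ranged = [], []
    for domain, cfg in sorted(domains.items()):
        low, high = cfg.get("range", (0, 0))
        if low >= high:
            problems.append(f"{domain}: missing or inverted range")
        elif low < local_ceiling:
            problems.append(f"{domain}: range starts below {local_ceiling}")
        ranged.append((domain, low, high))
    for i, (d1, lo1, hi1) in enumerate(ranged):
        for d2, lo2, hi2 in ranged[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                problems.append(f"{d1} and {d2}: ranges overlap")
    return problems

def id_in_domain(domains, domain, unix_id):
    """True if unix_id (e.g. a gidNumber) is inside the domain's range."""
    low, high = domains[domain.upper()]["range"]
    return low <= unix_id <= high

# Constructed inputs: the ranges from the reply, then an overlapping pair.
REPLY_RANGES = """
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config MYDOM:backend = ad
idmap config MYDOM:range = 10000-999999
"""
OVERLAPPING = REPLY_RANGES.replace("3000-7999", "3000-12000")
```

`check_ranges(parse_idmap(REPLY_RANGES))` returns an empty list, while the constructed `OVERLAPPING` text is reported as a collision between `*` and `MYDOM`.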

