[Samba] Samba 4.6.5-Debian, authentication on a mix workgroup+domain

Rowland Penny rpenny at samba.org
Mon Jul 31 09:30:36 UTC 2017


On Mon, 31 Jul 2017 11:07:53 +0200
Marc-Henri Pamiseux via samba <samba at lists.samba.org> wrote:

> Thank you Louis,
> 
> I know the current mapping is incorrect.
> This is a transition map for the update.
> What I foresee:
> Idmap config *: range = 1000-1999
> Idmap config *: range = 2000-3999

That should be okay for the '*' domain and allow you to have local Unix
users.
> 
> In Active Directory, groups will have an identifier between 2000 and
> 2999 while users will have an ID between 3000 and 3999.

No they don't, Active Directory uses RIDs and they typically start at
'1000'. Also there is no real differentiation between users, groups or
machines (as far as RIDs are concerned), the next 'thing' to be created
gets the next available RID and RIDs are never reused.
ADUC starts the Unix IDs for users and groups at '10000' i.e. you can
have a user and a group with the same ID, but you can use whatever
start number you like and different ones for users & groups, even if
there is no point ;-)
 
> 
> However, what range should I assign to machines?

Don't bother

> 
> On the LDAP branch CN=Computers,DC=local,DC=mydomain, should I also
> add an uidNumber entry whose value would be included in a uidmap of
> winbind?

Do you actually use IDs for machines? Active Directory uses DNS.

Rowland




