[Samba] Samba 4.6.5-Debian, authentication on a mix workgroup+domain

Rowland Penny rpenny at samba.org
Mon Jul 31 10:04:06 UTC 2017

On Mon, 31 Jul 2017 11:38:23 +0200
Marc-Henri Pamiseux via samba <samba at lists.samba.org> wrote:

> Hi Louis,
> Must the default idmap values precede the idmap values of the
> MYDOMAIN domain? May I write something like:
> Idmap config *: backend = tdb
> Idmap config *: range = 65000-65535
> Idmap config MYDOMAIN: backend = ad
> Idmap config MYDOMAIN: range = 500-3999

You can do it like that, in fact quite a lot of people do, but what
happens when you have got to user ID 64999 and you want to add another
user? It is easy to raise the last number in the 'MYDOMAIN' range, but
the ranges must not overlap.

> I think there is a problem in using nobody for the guest account
> directive while its user ID is 65534.

Well spotted, somebody, somewhere made a bad decision when they gave
that ID to 'nobody'. You will just have to work around it.

> As Rowland mentioned on 2017-07-25:
> "You now need to give your users a gidNumber containing the Unix ID
> number of a group and the group would have to have a gidNumber
> attribute containing the same number."
> So, does it mean that user nobody, whose gidNumber is
> "nogroup:x:65534:", needs to be included in this mapping? Should it be
> as default mapping or as domain mapping?

No, 'nobody' is a Unix user and Samba maps the Windows user 'Guest' to
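
Added example, not part of the original message: a Python check over the idmap lines quoted in this thread that reports overlapping ranges and local Unix IDs that fall inside a range (the 'nobody' case raised above). The function names and the local account table are assumptions made for illustration.

```python
import re
from itertools import combinations

# Matches "idmap config DOMAIN : range = LOW-HIGH"; smb.conf names are case-insensitive.
RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
    re.IGNORECASE,
)

def parse_idmap_ranges(conf_text):
    """Return {domain: (low, high)} for every idmap range line in conf_text."""
    ranges = {}
    for line in conf_text.splitlines():
        m = RANGE_RE.match(line)
        if m:
            low, high = int(m.group(2)), int(m.group(3))
            if low > high:
                raise ValueError(f"inverted range for {m.group(1)}: {low}-{high}")
            ranges[m.group(1)] = (low, high)
    return ranges

def overlapping(ranges):
    """Return sorted pairs of domains whose inclusive ranges share at least one ID."""
    pairs = combinations(sorted(ranges.items()), 2)
    return sorted((a, b) for (a, (alo, ahi)), (b, (blo, bhi)) in pairs
                  if alo <= bhi and blo <= ahi)

def local_ids_in_ranges(ranges, local_ids):
    """Return [(name, id, domain)] for local Unix IDs that fall inside an idmap range."""
    return sorted((name, uid, dom)
                  for name, uid in local_ids.items()
                  for dom, (lo, hi) in ranges.items()
                  if lo <= uid <= hi)

# The configuration quoted in the thread.
THREAD_CONF = """\
Idmap config *: backend = tdb
Idmap config *: range = 65000-65535
Idmap config MYDOMAIN: backend = ad
Idmap config MYDOMAIN: range = 500-3999
"""
# Constructed local account table; 65534 for 'nobody' is the ID given in the thread.
LOCAL_IDS = {"root": 0, "nobody": 65534}

if __name__ == "__main__":
    r = parse_idmap_ranges(THREAD_CONF)
    print("overlaps:", overlapping(r))
    print("local IDs inside idmap ranges:", local_ids_in_ranges(r, LOCAL_IDS))
```

With the thread's values the ranges do not overlap, but 'nobody' (65534) sits inside the default `*` range; raising the MYDOMAIN upper bound past 64999 is what produces an overlap.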

