[Samba] Samba 4.6.5-Debian, authentication on a mix workgroup+domain

Rowland Penny rpenny at samba.org
Mon Jul 31 14:54:22 UTC 2017


On Mon, 31 Jul 2017 16:11:54 +0200
Marc-Henri Pamiseux via samba <samba at lists.samba.org> wrote:

> Ouhh !
> 
> It's a misunderstanding, a copy/paste error.
> It should read:
> Idmap config *: range = 1000-1999
> Idmap config MYDOMAIN : range = 2000-3999
> 
> Regards,

OK, I will try and explain it better ;-)

On a Unix machine joined to an Active Directory domain, you need 4 (yes
four) sets of users and groups

1) Unix system users & groups
2) Local Unix users & groups
3) The '*' domain Active Directory system users & groups
4) The 'DOMAIN' domain Active Directory users & groups

Set 1) these are numbered from 1-499 (with the exception of 65534) and
will be found in /etc/passwd & /etc/group

Set 2) These start from ID 1000 and are found in /etc/passwd
& /etc/group. A user or group found in either /etc/passwd
or /etc/group, cannot exist in Active Directory with the same name.

Set 3) These users & groups (also known as the Well Known SIDs) are
mapped by winbind into the 'BUILTIN' domain.

Set 4) These users & groups are your Active Domain ones that you
also want to be Unix users & groups.

This leads to what ranges you should use in smb.conf:

You should never use any range that starts below 500; it will interfere
with the Unix system users & groups.

You should never use any range that starts at 1000; using this number
will mean that you will not be able to have ANY local Unix users or
groups, and then what will you do if there is a problem and AD is down and
'root' is corrupt (or your system uses sudo)? I know it isn't likely to
happen, but it could.

Do not use anything in the range '500-999', these numbers could be used
by Unix.

Should you put the '*' domain after the 'DOMAIN'? Well no, not in my
opinion; by doing this, you are putting hurdles in your way if your
users & groups grow to the point that you need to raise the high
'DOMAIN' range and cannot, because it would be higher than the '*'
domain low range.

So this leads us to what the Samba wiki recommends:
Use '3000-7999' for the '*' range
Use '10000-999999' for the 'DOMAIN' range

Rowland
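The range rules Rowland lays out above can be turned into a mechanical check before a host is joined. The script below is an added example, not something from the mailing list or from Samba itself: it pulls the `idmap config <domain> : range = low-high` lines out of an smb.conf fragment and flags a range that starts below 500, in 500-999, or exactly at 1000, any two ranges that overlap, and a '*' range placed above a domain range (which would block growing that domain range later). The two smb.conf fragments are constructed for the example; `MYDOMAIN` is a placeholder workgroup name.

```python
import re
from typing import Dict, List, Tuple

# Constructed smb.conf fragments (not taken from the mail): one following the
# wiki recommendation quoted above, one reproducing the ranges from the thread.
RECOMMENDED_CONF = """
[global]
   workgroup = MYDOMAIN
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config MYDOMAIN : backend = rid
   idmap config MYDOMAIN : range = 10000-999999
"""

THREAD_CONF = """
[global]
   idmap config * : range = 1000-1999
   idmap config MYDOMAIN : range = 2000-3999
"""

# Matches "idmap config <name> : range = <low>-<high>" anywhere in the file.
RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def parse_idmap_ranges(conf: str) -> Dict[str, Tuple[int, int]]:
    """Return {domain_name: (low, high)} for every idmap range in the config."""
    ranges: Dict[str, Tuple[int, int]] = {}
    for m in RANGE_RE.finditer(conf):
        name, low, high = m.group(1).upper(), int(m.group(2)), int(m.group(3))
        ranges[name] = (low, high)
    return ranges


def check_idmap_ranges(conf: str) -> List[str]:
    """Apply the range rules from the mail; an empty list means no problem found."""
    problems: List[str] = []
    ranges = parse_idmap_ranges(conf)

    if "*" not in ranges:
        problems.append("no 'idmap config * : range' defined")

    # Per-range rules: stay clear of Unix system IDs and of local user IDs.
    for name, (low, high) in ranges.items():
        if low > high:
            problems.append(f"{name}: low end {low} is above high end {high}")
        if low < 500:
            problems.append(f"{name}: range starts below 500 (Unix system users & groups)")
        elif low < 1000:
            problems.append(f"{name}: range starts in 500-999 (may be used by Unix)")
        elif low == 1000:
            problems.append(f"{name}: range starts at 1000 (leaves no room for local Unix users)")

    # No two ranges may overlap; sort by low end and compare neighbours.
    by_low = sorted(ranges, key=lambda n: ranges[n][0])
    for a, b in zip(by_low, by_low[1:]):
        if ranges[a][1] >= ranges[b][0]:
            problems.append(f"{a} ({ranges[a][0]}-{ranges[a][1]}) overlaps {b} ({ranges[b][0]}-{ranges[b][1]})")

    # The '*' range should sit below every domain range so the domain's high
    # end can later be raised without colliding with '*'.
    star = ranges.get("*")
    if star:
        for name, (low, _high) in ranges.items():
            if name != "*" and low < star[0]:
                problems.append(f"'*' range is above {name}; raising {name}'s high end would collide with '*'")

    return problems


if __name__ == "__main__":
    for label, conf in (("recommended", RECOMMENDED_CONF), ("thread", THREAD_CONF)):
        found = check_idmap_ranges(conf)
        print(f"{label}: {'OK' if not found else ''}")
        for p in found:
            print("  -", p)
```

Run it against a real smb.conf by reading the file into `check_idmap_ranges`; the parser deliberately ignores `backend` and other idmap keys, so it will not catch a missing backend, only the numeric range layout discussed in the mail.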


