[Samba] idmap woes after upgrade

Rowland Penny rpenny at samba.org
Sat May 27 11:45:16 UTC 2017

On Sat, 27 May 2017 11:02:36 +0000
Tim ODriscoll <tim.odriscoll at lambrookschool.co.uk> wrote:

> Hi Rowland,
> On 27 May 2017 11:39:
> > Hmm, you mention:
> >
> > 'idmap_ldb:use rfc2307 = yes' and 'xidNumber'
> > 
> > Is this on a DC or a Unix domain member ?
> This is on a DC. I only have two CentOS 7 AD DCs in my environment.

OK, you posted that you have these lines in your smb.conf:

 idmap_ldb:use rfc2307 = yes
 idmap config *:backend = tdb
 idmap config *:range = 2000-9999
 idmap config LAMBROOK:backend = ad
 idmap config LAMBROOK:schema_mode = rfc2307
 idmap config LAMBROOK:range = 10000-99999
 idmap config LAMBROOK:unix_nss_info = yes
 idmap config LAMBROOK : unix_primary_group = yes
 winbind nss info = rfc2307

You might as well remove all of them except:

 idmap_ldb:use rfc2307 = yes

The other lines never did anything on a DC.

Unless you manually add uidNumber attributes to users and gidNumber
attributes to groups, id mapping on a DC is done in idmap.ldb and
results in ID numbers in the 3000000 range.

If you rely on idmap.ldb for your ID mappings, you will need to keep
idmap.ldb in sync on both DCs, otherwise you are very likely to get
different user & group IDs on each DC. This is only a concern if you
use the DCs as a fileserver.

You also mentioned [homes], this does not work on a DC, see here:


When you upgraded Samba, did libnss_winbind.so get upgraded as well ?
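
The following is an added example, not part of the original message and not Samba project code. It checks for the ID drift between two DCs described above by comparing `getent passwd` output captured on each one. The account names and IDs are constructed sample data, and the upper bound of the idmap.ldb range (3999999) is an assumption.

```python
# Added example: compare `getent passwd` output captured on two Samba AD DCs.
# Assumption: idmap.ldb allocates IDs from 3000000 up to 3999999.
IDMAP_LDB_RANGE = range(3_000_000, 4_000_000)

# Constructed sample data (not from the original thread).
DC1_PASSWD = r"""
LAMBROOK\alice:*:3000019:100::/home/LAMBROOK/alice:/bin/false
LAMBROOK\bob:*:3000020:100::/home/LAMBROOK/bob:/bin/false
LAMBROOK\carol:*:10001:10000::/home/LAMBROOK/carol:/bin/bash
"""
DC2_PASSWD = r"""
LAMBROOK\alice:*:3000020:100::/home/LAMBROOK/alice:/bin/false
LAMBROOK\bob:*:3000019:100::/home/LAMBROOK/bob:/bin/false
LAMBROOK\carol:*:10001:10000::/home/LAMBROOK/carol:/bin/bash
LAMBROOK\dave:*:3000021:100::/home/LAMBROOK/dave:/bin/false
"""


def parse_getent(text):
    """Map lower-cased account name -> numeric ID (third getent field)."""
    ids = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            ids[fields[0].lower()] = int(fields[2])
    return ids


def compare_dcs(dc1_text, dc2_text):
    """Report accounts whose IDs differ or that resolve on only one DC."""
    a, b = parse_getent(dc1_text), parse_getent(dc2_text)
    report = {"mismatch": [], "only_dc1": [], "only_dc2": [], "reused_ids": []}
    for name in sorted(a.keys() | b.keys()):
        if name not in b:
            report["only_dc1"].append(name)
        elif name not in a:
            report["only_dc2"].append(name)
        elif a[name] != b[name]:
            local = a[name] in IDMAP_LDB_RANGE or b[name] in IDMAP_LDB_RANGE
            report["mismatch"].append((name, a[name], b[name], local))
    # An ID that names different accounts on each DC makes files written via
    # one DC appear to belong to another user when accessed via the other DC.
    by_id_b = {uid: name for name, uid in b.items()}
    for name, uid in sorted(a.items()):
        other = by_id_b.get(uid)
        if other is not None and other != name:
            report["reused_ids"].append((uid, name, other))
    return report
```

An empty `mismatch` and `reused_ids` list means both DCs agree for the accounts sampled; the fourth element of each mismatch tuple is true when at least one side came from the assumed idmap.ldb range rather than a uidNumber attribute.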

