[Samba] member domain idmap config ad/rid

Rowland Penny rpenny at samba.org
Tue May 30 21:20:07 UTC 2017

On Tue, 30 May 2017 17:53:19 -0300
Elias Pereira <empbilly at gmail.com> wrote:

> >
> > If you run getent passwd administrator on a DC, you should get
> > something like this:
> > root at dc1:~# getent passwd administrator
> > SAMDOM\administrator:*:0:10000::/home/administrator:/bin/bash
> On my DC getent passwd administrator show nothing. :(
> Is it necessary to map the root user to ADDC as well?
> There is however a gotcha, on any domain
> > joined windows machine there are two 'Administrators'. One is the
> > local Administrator and will not be mapped to 'root' and the other
> > is 'Domain\Administrator', this is the one that is mapped to the
> > Unix user 'root'. So, if you logged in as just 'Administrator, this
> > is very likely to be your problem.
> No, I logged in with user ADDC\administrator

I think both of these may be caused by the same thing.

On a DC, Administrator is mapped in idmap.ldb, if you open this with
ldbedit and search for 500 (Administrators RID), you should find
something like this:

dn: CN=S-1-5-21-1768301897-3342589593-1064908849-500
cn: S-1-5-21-1768301897-3342589593-1064908849-500
objectClass: sidMap
objectSid: S-1-5-21-1768301897-3342589593-1064908849-500
xidNumber: 0
distinguishedName: CN=S-1-5-21-1768301897-3342589593-1064908849-500

As you can see, The SID-500 is mapped to the xidNumber '0' and as we
all know, this the ID number for root.

I suggest you check in idmap.ldb on the DC that you have something like
the above. Also check that Administrators object in AD doesn't have a
uidNumber attribute, it shouldn't have and probably doesn't, but check

To get 'getent' to show users on the DC, you need to have
libnss_winbind set up just like on a domain member.


More information about the samba mailing list