[Samba] Slow, Incorrect Group Resolution through Winbind

Rowland Penny rpenny at samba.org
Wed Sep 13 16:49:05 UTC 2017

On Wed, 13 Sep 2017 12:37:17 -0400
Sonic <sonicsmith at gmail.com> wrote:

> On Wed, Sep 13, 2017 at 12:22 PM, Rowland Penny via samba
> <samba at lists.samba.org> wrote:
> > For the 'DOMAIN' domain you can use several different backends
> > (rid, ad etc) but I wouldn't use the tdb backend, how are you going
> > to be sure you will get the same IDs on all Unix machines ?
> That's exactly why I personally use rid for the DOMAIN domain.
> However, you seemed to suggest that my post was incorrect because I
> left the OP's desired backend (not my choice) in place during my
> reply, which still, as far as I can tell, is not an incorrect
> configuration via the info in the man page. If indeed my answer was
> incorrect than the man page needs some updating.
> Chris

You posted:

Should be more like:
         idmap config STUDENTS : range = 16777216-33554431
         idmap config STUDENTS : backend = tdb

And, yes the smb.conf manpage does say this:

These are suitable for use in the default idmap configuration.

and refer to tdb,tdb2 and ldap. I wouldn't use any of these on a Unix
domain member, because the manpage also says this:

these create mappings of their own using internal unixid counters and
store the mappings in a database.

This means there is no way to ensure that users and groups will get the
same ID on different Unix domain members.


More information about the samba mailing list