[Samba] idmap_ad overlap with domain and sub-domain overlap

Rowland Penny rpenny at samba.org
Wed Apr 18 14:38:25 UTC 2018

On Wed, 18 Apr 2018 10:02:53 -0400
Wvu Hpc via samba <samba at lists.samba.org> wrote:

> Hello,
> We are in process of providing access to a AD connected master domain
> and one its subdomains to one of our SAMBA 4.6.2 file-share servers.
> The samba server is a member of the MASTER domain.  The problem is we
> have cases where the same person has an account in both the master
> domain and the sub domain (long story and we know it is not a good
> practice but something I am powerless to change).  The person (see
> example below for further clarity) has the same unix attributes set
> in both the domain and sub-domain.  When you run testparm it
> complains of having the range overlap but the config seems to be
> working OK.  Is there any reason we should not go forward with this
> config or should we push back and make the users in the subdomain
> have the different uid and gid numbers from the master domain?  The
> benefit of having the same uid and gid is we don't have to worry
> about changing file ownership if a user moves between domains.
> Example:
> MASTER\user : uidNumber = 10000 : gidNumber = 10000
> SUB\user : uidNumber = 10000 : gidNumber = 10000
> SMB Config:
> # Global parameters
> [global]
>         workgroup = MASTER
>         winbind use default domain = Yes
>         idmap config MASTER:schema_mode = rfc2307
>         idmap config MASTER:range = 9000-5000000000
>         idmap config MASTER:default = yes
>         idmap config MASTER:backend = ad
>         idmap config SUB:schema_mode = rfc2307
>         idmap config SUB:range = 9000-5000000000
>         idmap config SUB:backend = ad
>         idmap config * : backend = tdb
>         idmap config *:range = 3000-8999

Firstly, you cannot use 'winbind use default domain = Yes' if you have
more than one domain in smb.conf.
Secondly, as you already know, you cannot use the same range for both
domains. Yes I know that some of the users have the same uidNumber in
both domains, but what about the ones that don't?

I would remove the 'winbind use default domain' line and then use the
'rid' backend for the 'SUB' domain with a different range:

        idmap config SUB:range = 5000000001-10000000000
        idmap config SUB:backend = rid

This will probably entail changing the ownership of files and dirs.

You say you have no control of the domains, but I would be having
words with whoever does have control, mentioning words like 'stupid'
and 'idiot' ;-)
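The two problems raised in this reply (overlapping idmap ranges between domains, and `winbind use default domain = Yes` with more than one domain) are exactly what `testparm` warns about. As an added example that is not part of the thread and not Samba's own code, the script below parses the `idmap config DOM:range` lines of an smb.conf and reports both conditions, so a config can be sanity-checked before it is deployed to a member server. The two configs embedded in it are constructed copies of the original and of the corrected layout suggested above; the function and variable names are this example's own.

```python
"""Check smb.conf idmap ranges for overlap between domains.

Added example, not code from the Samba project or the mailing-list thread.
Assumptions: the config is plain smb.conf text; ranges are written as
`idmap config DOM:range = LOW-HIGH`; the wildcard domain is `*`.
"""
import re
from itertools import combinations

# Matches e.g. "idmap config MASTER:range = 9000-5000000000"
RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+([^:]+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I
)
# Matches "winbind use default domain = Yes"
USE_DEFAULT_RE = re.compile(r"^\s*winbind\s+use\s+default\s+domain\s*=\s*(\S+)", re.I)


def parse_idmap_ranges(conf: str) -> dict:
    """Return {domain: (low, high)} for every idmap range line in the config."""
    ranges = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1).strip()] = (int(m.group(2)), int(m.group(3)))
    return ranges


def find_overlaps(ranges: dict) -> list:
    """Return sorted (domA, domB) pairs whose ID ranges intersect."""
    found = []
    for (a, (alo, ahi)), (b, (blo, bhi)) in combinations(sorted(ranges.items()), 2):
        # Two closed intervals overlap when each starts before the other ends.
        if alo <= bhi and blo <= ahi:
            found.append((a, b))
    return found


def uses_default_domain(conf: str) -> bool:
    """True if 'winbind use default domain' is set to yes/true/1."""
    for line in conf.splitlines():
        m = USE_DEFAULT_RE.match(line)
        if m:
            return m.group(1).lower() in ("yes", "true", "1")
    return False


def check_config(conf: str) -> list:
    """Return a list of human-readable problems; empty list means no findings."""
    ranges = parse_idmap_ranges(conf)
    problems = [
        f"range overlap: {a} {ranges[a]} vs {b} {ranges[b]}"
        for a, b in find_overlaps(ranges)
    ]
    named = sorted(d for d in ranges if d != "*")
    if uses_default_domain(conf) and len(named) > 1:
        problems.append(
            "winbind use default domain = yes with multiple domains: " + ", ".join(named)
        )
    return problems


# Constructed copy of the config posted in the thread.
ORIGINAL_CONF = """
[global]
        workgroup = MASTER
        winbind use default domain = Yes
        idmap config MASTER:schema_mode = rfc2307
        idmap config MASTER:range = 9000-5000000000
        idmap config MASTER:backend = ad
        idmap config SUB:schema_mode = rfc2307
        idmap config SUB:range = 9000-5000000000
        idmap config SUB:backend = ad
        idmap config * : backend = tdb
        idmap config *:range = 3000-8999
"""

# Constructed config applying the reply's suggestion: no default-domain
# setting, and SUB moved to the rid backend with a disjoint range.
FIXED_CONF = """
[global]
        workgroup = MASTER
        idmap config MASTER:schema_mode = rfc2307
        idmap config MASTER:range = 9000-5000000000
        idmap config MASTER:backend = ad
        idmap config SUB:range = 5000000001-10000000000
        idmap config SUB:backend = rid
        idmap config * : backend = tdb
        idmap config *:range = 3000-8999
"""

if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL_CONF), ("fixed", FIXED_CONF)):
        print(f"{label}: {check_config(conf) or 'no problems found'}")
```

On a real member server `testparm -s` performs the same overlap check against the live smb.conf; this script only reproduces the logic so the ranges can be reviewed anywhere the file is available.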
