[Samba] idmap_ad overlap with domain and sub-domain overlap

Rowland Penny rpenny at samba.org
Wed Apr 18 15:13:32 UTC 2018

On Wed, 18 Apr 2018 10:52:12 -0400
Wvu Hpc <wvu.hpc at gmail.com> wrote:

> Hi Rowland,
> Thanks for the help and ideally I would like to get rid of the sub
> domain altogether but that is probably not going to happen.
> So a couple of comments and please forgive any of my ignorance.

No problem.

> For your second question, all users in the subdomain who have access
> to the SAMBA server do have uidNumber set and it matches the
> uidNumber set in MASTER.  Since this is the case, would the
> overlapping ranges be OK?  I saw this post (
> https://lists.samba.org/archive/samba-technical/2016-December/117567.html)
> and thought it might indicate it is OK but was not sure?

Yes, I know what it says there, but 'man idmap_ad' still says the ranges
mustn't overlap (okay, it says 'disjoint', but this is the same thing).

> For 'winbind use default domain = Yes' I thought this would assume the
> default domain for ssh logins as being the master since I have "idmap
> config MASTER:default = yes".  Appears to work as it allows users to
> login without having to specify a domain.  Although, if a user from
> the SUB domain logs in they must specify the SUB\user to login.  Is
> that incorrect?  If I remove use default = yes, users of MASTER must
> also specify their domain during login ... at least that is how it
> seemed during testing?

Setting 'winbind use default domain = yes' means that all your users
will be treated as being members of the 'MASTER' domain. Now this might
seem to work for you, but I think it is going to end in tears ;-)

When it comes down to it, they are your domains and you can do as you
wish; all I can say is that I would find another way of doing it.

