[Samba] Sample smb.conf for ADs authentication

Rowland Penny rpenny at samba.org
Fri Dec 14 13:58:05 UTC 2018

On Fri, 14 Dec 2018 08:15:04 -0500
Gilbert Soucy <gsoucy at 36pix.com> wrote:

> >> Is your short domain name (aka workgroup) really the same as your
> >> dns domain ?
> No, I replace some strings before replying for confidentiality and I
> made a typo there.
> Here is the output:
> [root at server samba]# net ads join -U user
> Enter use's password:
> Using short domain name -- DOMAIN
> Joined 'SERVER' to dns domain 'domain.com'
> >Why are you using '0-499' for the '*' domain ?
> >The '*' domain is for the 'Well Known SIDs' and anything outside the
> >'DOMAIN' domain, you are using the same numbers as the Unix system
> >users & groups.
> >
> >Again, why '500-20000' for the 'DOMAIN' domain ?
> I am trying to update an existing system that was running on ldap and
> has existing users and files.
> The users were defined in that range. It seems not obvious to change
> the id of all files and folders.
>  Is it an issue ?  I can try to change the id in smb.conf for a test
> but my back compatibility issue will still be there.

Yes it is an issue.

As I said, 0-500 is reserved for Unix system users and groups (it's
actually 0-999) so you cannot use these numbers for AD.

Was the old ldap machine also a Samba PDC ?
If so, then use classicupgrade.

Better still, set up a new AD domain and transfer your users, groups
and data to this.
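
A check for the problem described in the reply above, as an added example that is not part of the original thread or of Samba: it parses `idmap config ... : range` lines from smb.conf text and flags any range that overlaps the local Unix system IDs (0-999, per the reply). It also flags ranges that overlap each other, which goes beyond the case in the thread; the function names and both sample configs are constructed here.

```python
import re

# Assumption taken from the reply above: local Unix system IDs occupy 0-999.
SYSTEM_RANGE = (0, 999)

# Matches smb.conf lines such as "idmap config DOMAIN : range = 500-20000".
RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
    re.IGNORECASE,
)

# Constructed sample using the ranges quoted in the thread.
THREAD_CONF = """
[global]
    idmap config * : range = 0-499
    idmap config DOMAIN : range = 500-20000
"""

# Constructed sample with ranges above the system IDs (illustrative values).
FIXED_CONF = """
[global]
    idmap config * : range = 3000-7999
    idmap config DOMAIN : range = 10000-999999
"""

def parse_idmap_ranges(conf_text):
    """Return {domain: (low, high)} for each 'idmap config X : range' line."""
    ranges = {}
    for line in conf_text.splitlines():
        m = RANGE_RE.match(line)  # comment lines (# or ;) never match
        if m:
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges

def overlaps(a, b):
    """True when two inclusive (low, high) ranges share at least one ID."""
    return a[0] <= b[1] and b[0] <= a[1]

def check_idmap_ranges(conf_text, system_range=SYSTEM_RANGE):
    """Return a list of findings; an empty list means no overlap was found."""
    ranges = parse_idmap_ranges(conf_text)
    findings = [f"{d}: {lo}-{hi} overlaps system IDs"
                for d, (lo, hi) in ranges.items()
                if overlaps((lo, hi), system_range)]
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        findings += [f"{a} and {b}: ranges overlap" for b in doms[i + 1:]
                     if overlaps(ranges[a], ranges[b])]
    return findings
```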

