[Samba] wbinfo -U id gives different users on same dc

Rowland Penny rpenny at samba.org
Tue Feb 13 14:20:00 UTC 2018

On Tue, 13 Feb 2018 15:52:13 +0200
Özkan Göksu <ozkan.goksu at usishi.com> wrote:

> Thank you for reply Rowland.
> Sorry for my typo. I intended to change  sm--to-->test but i forget to
> change other lines.
> So my original config is below:
>         workgroup = sm
> >         realm = sm.pvt
> >         server string = %h Test Host
> >         security = ads
> >         encrypt passwords = yes
> >         idmap config sm.pvt : backend = ad
> >         idmap config sm.pvt : range = 10000-20000
> >         idmap config sm.pvt : schema_mode = rfc2307
> >         idmap config * : range = 8000-9000
> Honestly I am not sure about using ads backend at all. I have read
> samba documents. As rid backend use local database and it may get
> corrupted, I chose ad backend.
> On the other hand I should not install any extensions on Windows
> Active Directory server. Samba documents tells something about
> installing unix extensions but as far as I see this is not a must for
> ads.
> So it would be best if someone could help me understanding about rid
> vs ads. I suspect my problem depends on it.

OK, if you cannot add anything to AD, then you cannot use the winbind
'ad' backend, so you will have to use the 'rid' backend.

The 'rid' backend does not use a local database, it use the AD
database. The users (or groups) ID is calculated from the AD objectsid,
this will be in the form:


The last portion is the RID '2130' and is unique in the domain, the
rest identifies the domain.

The winbind 'rid' calculates the ID from the RID and the lower range
you set in AD with this calculation:


BASE_RID is 0, so it is really:


So, using your lower range and the RID from above, it becomes

ID = 2130 + 10000

ID = 12130

If you use the same smb.conf on all Unix domain members in the domain,
you will always get the same Unix ID.


More information about the samba mailing list