[Samba] Avoiding uid conflicts between rfc2307 user/groups and computers

Prunk Dump prunkdump at gmail.com
Fri Jan 12 13:23:36 UTC 2018

Hi Samba team !

I have some conflicts between uid stored in the rfc2307 attributes and
some local uid from idmap.ldb

My network :
I have three samba AD DC with sysvol replication. Sadly, as I don't
have some other machines, the three DC also share my user's Home and
Profile directories. So I need at least :
-> Builtin User/Group ID mapping between DCs (easy)
-> Domain User/Group ID mapping between DCs
-> Computer IDs that do not conflict with the other IDs
(computer accounts are not used on the shares)

How I currently do it :
I don't use ADUC. So to create a new user :
-> I use the samba-tool command always on the same DC (say DC1).
-> One local xidNumber is generated in idmap.ldb
-> So I take the xidNumber and I put it in the rfc2307 uidNumber attribute.

I do it the same way when creating groups.

The problem comes with the computer accounts of Windows machines.
Because the accounts are created from clients, I have no control over
the ID generation.

How the problem appears :
-> I create a user "myuser" on DC1.
-> A local xidNumber = 3000025 (for example) is created locally and
copied to the rfc2307 attributes.
-> On the other DCs, there is no local xidNumber for "myuser" because
the rfc2307 attribute is already set.
-> Next I join a new Windows computer on the Domain.
-> On DC1, no problem, the local xidNumber prevents a conflict with the
newly created machine's local ID
-> But on DC2, sometimes, a local xidNumber of 3000025 (like myuser)
is allocated for the new computer and myuser sometimes loses access
to the shares (sometimes winbind says that the files are owned by
"myuser", sometimes it says that they are owned by the machine).

Is there a way to tell Samba to use different ranges for user/group
xidNumber and computer xidNumber ?

Does someone have an idea how to solve my problem ?

Thanks !
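
A check for the collision described in this post, as an added example that is not part of the original message: it compares rfc2307 uidNumber/gidNumber values from the directory with each DC's local idmap.ldb xidNumber entries and reports any ID held by two different SIDs. The LDIF layout of the samples, the SIDs, the domain name and the function names are constructed or hypothetical.

```python
# Added example. Inputs are LDIF text as printed by ldbsearch; samples are constructed.
KINDS = {"ID_TYPE_UID": ["uid"], "ID_TYPE_GID": ["gid"], "ID_TYPE_BOTH": ["uid", "gid"]}

def parse_ldif(text):
    """Split simple LDIF into dicts (no base64 or folded lines handled)."""
    records, cur = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if cur:
                records.append(cur)
            cur = {}
        elif ": " in line and not line.startswith("#"):
            key, value = line.split(": ", 1)
            cur[key.strip()] = value.strip()
    return records

def find_conflicts(sam_ldif, idmap_ldifs):
    """Return (dc, kind, id, rfc2307_sid, local_sid) for every DC-local
    xidNumber that equals an rfc2307 ID belonging to a different SID."""
    rfc = {}  # (kind, number) -> SID holding that rfc2307 ID
    for rec in parse_ldif(sam_ldif):
        for kind, attr in (("uid", "uidNumber"), ("gid", "gidNumber")):
            if attr in rec and "objectSid" in rec:
                rfc[(kind, int(rec[attr]))] = rec["objectSid"]
    found = []
    for dc in sorted(idmap_ldifs):
        for rec in parse_ldif(idmap_ldifs[dc]):
            if "xidNumber" not in rec or "objectSid" not in rec:
                continue
            for kind in KINDS.get(rec.get("type"), []):
                owner = rfc.get((kind, int(rec["xidNumber"])))
                if owner and owner != rec["objectSid"]:
                    found.append((dc, kind, int(rec["xidNumber"]), owner, rec["objectSid"]))
    return found

USER, PC = "S-1-5-21-1111-2222-3333-1105", "S-1-5-21-1111-2222-3333-1106"  # constructed SIDs
SAM = f"dn: CN=myuser,CN=Users,DC=example,DC=com\nobjectSid: {USER}\nuidNumber: 3000025\n"
def idmap_entry(sid, xid):  # one idmap.ldb record in LDIF form
    return f"dn: CN={sid}\nobjectSid: {sid}\ntype: ID_TYPE_BOTH\nxidNumber: {xid}\n\n"
IDMAPS = {"DC1": idmap_entry(USER, 3000025) + idmap_entry(PC, 3000026),
          "DC2": idmap_entry(PC, 3000025)}  # DC2 reused myuser's ID for the computer

if __name__ == "__main__":
    for hit in find_conflicts(SAM, IDMAPS):
        print("conflict on %s: %s %d is rfc2307 ID of %s but local xid of %s" % hit)
```

Run against real dumps, one idmap.ldb export per DC is needed, because the local allocations differ between DCs.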

