[Samba] Avoiding uid conflicts between rfc2307 user/groups and computers

Rowland Penny rpenny at samba.org
Mon Jan 15 16:24:44 UTC 2018

On Mon, 15 Jan 2018 16:18:57 +0100
Kacper Wirski via samba <samba at lists.samba.org> wrote:

> Hello,
> I understand the OP, I was asking some time ago similar question, but
> it was in relation to samba domain member. I couldn't get backend: ad
> to work for machine accounts, so i switched to idmap: rid and it
> solved everything. I tried manually adding UID and GID to Domain
> Computer group and to machine accounts, but it didn't seem to work
> properly, so I gave up especially that RID was perfectly fine.
> On samba AD DC idmapping is done automatically, that is if no UID/GID 
> value is present in AD via RFC2307. I've noticed that samba by
> default assigns UID/GID from 300000 and just increments +1, and by
> default when setting

This is only on a DC and these use 'xidNumber' attributes, which start
at 3000000
> rfc2307 start form 10000, so within single DC there should be no
> problem unless you'll somehow manage to reach from 10000 to 300000
> users.

You can start the rfc2307 uidNumber & gidNumber attributes from
wherever you like, but ADUC uses 10000. And whatever number you use
will not be a problem, mainly because the uidNumber & gidNumber
attributes will be used instead of the xidNumber attributes.
> The issue is keeping it in sync between multiple DC's (I ran into
> this issue some time ago). It might screw up Sysvol NT ACL if machine
> account receives different UID.

What ever method you use, you must do it from the start, changing to
the winbind 'ad' backend will affect the DC.

> In my case I rarely use specific machine accounts in ACL for GPO's.
> And if a mix happens I would re-sync idmap.ldb.

This is what I was trying to point out, you rarely, if ever, need to
give computer accounts a uidNumber.


More information about the samba mailing list