[Samba] Avoiding uid conflicts between rfc2307 user/groups and computers

Prunk Dump prunkdump at gmail.com
Mon Jan 15 18:51:12 UTC 2018

Thanks again for your help!

2018-01-12 21:26 GMT+01:00 Rowland Penny <rpenny at samba.org>:
> The problem is, you are thinking in the wrong direction ;-)
> If you give a user a uidNumber, or a group a gidNumber, these will be
> used instead of the xidNumbers found in idmap.ldb, you do not need to
> alter idmap.ldb at all.
> The way ADUC works, is by using a couple of attributes, that, by default
> Samba AD doesn't have. These are 'msSFU30MaxUidNumber' &
> 'msSFU30MaxGidNumber' and they hold the next uidNumber & gidNumber.
> They should be in:
> dn:
> CN=samdom,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com
> Where 'samdom' is your lowercase workgroup and
> 'DC=samdom,DC=example,DC=com' is your realm/dns domain.
> If you can write scripts, I am sure you can figure out how to use
> them ;-)
> If not, contact me off list and I will provide a sample.

On my SAM database I have a CN=samdom,CN=ypservers entry:

# ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b
# record 1
dn: CN=fichnet,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=net,DC=lyc-guillaume-fichet,DC=ac-grenoble,DC=fr
objectClass: top
objectClass: msSFU30DomainInfo
cn: fichnet
instanceType: 4
whenCreated: 20150630144502.0Z
whenChanged: 20150630144502.0Z
uSNCreated: 3768
uSNChanged: 3768
showInAdvancedViewOnly: TRUE
name: fichnet
objectGUID: e1b63980-512f-451b-a2d7-c4abdbb03a3c
objectCategory: CN=msSFU-30-Domain-Info,CN=Schema,CN=Configuration,DC=net,DC=l
msSFU30MasterServerName: FICHDC
msSFU30OrderNumber: 10000
msSFU30Domains: fichnet
distinguishedName: CN=fichnet,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=Syste

But there are no msSFU30MaxUidNumber and msSFU30MaxGidNumber values.

Do you know if this current entry was created by Samba or by some
Windows administration tools?
Do you know if I need to add a class to add the msSFU30MaxUidNumber
and msSFU30MaxGidNumber values?
(I don't know how to read the schema specification directly inside the database.)

2018-01-15 16:18 GMT+01:00 Kacper Wirski via samba <samba at lists.samba.org>:
> Hello,
> I understand the OP, I was asking some time ago similar question, but it was
> in relation to samba domain member. I couldn't get backend: ad to work for
> machine accounts, so I switched to idmap: rid and it solved everything. I
> tried manually adding UID and GID to Domain Computer group and to machine
> accounts, but it didn't seem to work properly, so I gave up especially that
> RID was perfectly fine.

Thanks, but I also use the other rfc2307 attributes, not only
uidNumber and gidNumber. So I need to keep all the rfc2307 values
updated and I can't switch to RID. Moreover, the file system is also
exported by NFSv4 so I need consistent IDs on all the

On my Linux clients I use a special script to join the computer to the
domain. So there is no problem setting the host parameters in AD
database. But from Windows client I have no control.

Thanks again!
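As an added illustration of the scripted, counter-based allocation Rowland describes above (this is example code, not from the thread or from Samba): it reads msSFU30MaxUidNumber/msSFU30MaxGidNumber with ldbsearch, assigns the value to a computer object and bumps the counter with ldbmodify. It assumes the counter attributes already exist on the ypservers object, the sam.ldb path from the thread, and hypothetical helper names (`parse_counters`, `allocation_ldif`, `allocate`).

```python
#!/usr/bin/env python3
"""Hypothetical helper (not Samba's own code): allocate the next rfc2307 id
from the msSFU30Max{Uid,Gid}Number counters the way ADUC does, so that
scripted joins and ADUC never hand out the same number."""
import subprocess

SAM_DB = "/var/lib/samba/private/sam.ldb"        # assumed path, as in the thread
COUNTER = {"uidNumber": "msSFU30MaxUidNumber", "gidNumber": "msSFU30MaxGidNumber"}

def parse_counters(ldif: str) -> dict:
    """Extract the two counter attributes from ldbsearch LDIF output."""
    found = {}
    for line in ldif.splitlines():
        attr, sep, value = line.partition(": ")
        if sep and attr in COUNTER.values():
            found[attr] = int(value.strip())
    return found

def allocation_ldif(counter_dn: str, target_dn: str, attr: str, current: int) -> str:
    """Two modify records: first bump the counter, then assign the number.

    The counter bump deletes the old value and adds the new one in a single
    modify. If another tool already moved the counter, the delete fails, the
    whole record is rejected, and nothing is assigned: no duplicate ids.
    A failed assignment afterwards only burns a number, never reuses one.
    """
    cattr = COUNTER[attr]
    return (
        f"dn: {counter_dn}\nchangetype: modify\n"
        f"delete: {cattr}\n{cattr}: {current}\n-\n"
        f"add: {cattr}\n{cattr}: {current + 1}\n-\n\n"
        f"dn: {target_dn}\nchangetype: modify\n"
        f"replace: {attr}\n{attr}: {current}\n-\n"
    )

def allocate(counter_dn: str, target_dn: str, attr: str = "uidNumber") -> int:
    """Read the counter with ldbsearch, then apply the LDIF with ldbmodify."""
    out = subprocess.run(
        ["ldbsearch", "-H", SAM_DB, "-s", "base", "-b", counter_dn,
         "(objectClass=*)", *COUNTER.values()],
        check=True, capture_output=True, text=True).stdout
    current = parse_counters(out)[COUNTER[attr]]   # KeyError if counter is missing
    subprocess.run(["ldbmodify", "-H", SAM_DB], check=True, text=True,
                   input=allocation_ldif(counter_dn, target_dn, attr, current))
    return current

if __name__ == "__main__":
    import sys   # usage: allocate_id.py <counter dn> <computer dn> [uidNumber|gidNumber]
    print(allocate(*sys.argv[1:]))
```

Run it on the DC as root so the ldb tools have write access to sam.ldb; a Windows client joined through ADUC still takes its number from the same counter, which is what keeps the two paths from colliding.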

