[Samba] samba 2.4.6 to 2.4.7 update on Fedora update 26 to 27, can't connect to shares

Rowland Penny rpenny at samba.org
Fri Mar 2 09:37:03 UTC 2018

On Fri, 2 Mar 2018 14:32:15 +1100
Norman Gaywood <ngaywood at une.edu.au> wrote:

> On 1 March 2018 at 18:49, Rowland Penny <rpenny at samba.org> wrote:
> >
> > > idmap range not specified for domain '*'
> > > ERROR: Invalid idmap range for domain *!
> > >
> >
> > You haven't set the 'idmap config' lines correctly, which may mean
> > you are using sssd instead. If this is the case, then you are
> > asking in the wrong place, you need to ask on the sssd-users
> > mailing list.
> >
> After reading a lot about idmap conf and idmap backends, I'm thinking
> that what I've been doing is not expressible with idmap.
> What I need is what is described, much better than I did, here:
>  https://wiki.samba.org/index.php/Samba,_Active_Directory_%26_LDAP
> That is:
> Samba will authenticate against AD, and then utilize the normal
> 'getent' system calls to gather the uid/gid numbers, and those will
> come from OpenLDAP, and/or the local system files as configured
> within the nsswitch.conf file.
> Is this type of setup still possible?

Your Samba machine can be a Unix active directory domain member or it
can be a member of an NT4-style domain that uses ldap, it cannot be
It can also authenticate from an ldap server on another machine, in
this case, it wouldn't be a domain member.
It should be possible to authenticate to the ldap server (or AD), but
you are getting into a bit of a mess here. Your users will need to
exist (separately) everywhere.  

I think you should consider just joining the Samba machine to the AD
domain and use the 'rid' backend. This way, your users & groups are
only stored in one place and you do not need to add anything to AD.


More information about the samba mailing list