[Samba] DM 3.6.25 -> 4.x

Rowland Penny rpenny at samba.org
Wed May 30 13:01:48 UTC 2018

On Wed, 30 May 2018 14:17:19 +0200
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> Not from my experience.
> Tapes have less moving parts and a way longer lifetime than (rotating)
> disks (spinning rust). OK, ymmv but LTO works reliably here.

Your experience is different from mine ;-)
Either the backup didn't work at all (mostly because of the backup
program, but occasionally because of a tape or minor drive problem) or
the drive would, without notice, just decide to die. Mind you this was
on a Unix machine running the OS that decided it owned Linux ;-)

> >> The idmap stuff scares me the most ;-)
> > 
> > Why ? Once you get your head around it, you will probably wonder why
> > yourself ;-)
> Why? because I had to readjust that >3 times at another site, every
> time was like "this is correct" and after a while something else
> popped up.

There are three main winbind backends, but only two are really used on
Unix domain members, the 'ad' and the 'rid' backends. Which you use is
really down to a simple choice, do you want to add posix attrs to AD or
not. If you don't want to add anything to AD, then use the 'rid'
backend. If you do add the posix attrs to AD, then use the 'ad'

Having decided which backend, you then have to decide on the ranges to
use. If you use the 'rid' backend, then good ranges would be 3000-7999
for the '*' domain and 10000-whatever_upper_limit_you_decide for your
DOMAIN (there is a slight problem with this on Debian, they thought it
was a good idea to use the ID 65534 for nobody/nogroup, but you can
work around this). This will lead to user & group IDs starting from

If you use the 'ad' backend, things are a little different, you
probably can use the same '*' range as the 'rid' backend, but the 
DOMAIN range will depend on the posix attrs in AD, so if the lowest
uidNumber or gidNumber in AD is '10000', you could start at '10000'

Things to note:
If you place the '*' range below the 'DOMAIN' range, you can easily
expand the 'DOMAIN' range by increasing the upper range.

A user can have the same ID as a group, they will never be mixed up.

A 'rid' user with the ID 11000 is very very unlikely to be the same user
as an 'ad' user with the same ID. i.e. If you run the 'ad' backend on
one Unix domain member, but the 'rid' backend on another, your users
will have different ID numbers.

If you do not have the 'netbios name' line in smb.conf, you can use
the smb.conf on all Unix domain members in the domain and you will
always get the same numeric IDs.
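
The range advice above, as an added example that is not part of the original post: a small checker that reads the `idmap config` lines from smb.conf text and flags overlapping ranges, a '*' range placed above a domain range, and a domain range that contains the Debian nobody/nogroup ID 65534. The domain name SAMDOM, the 'tdb' backend for '*', the upper limit 999999 and the function names are assumptions made for the example.

```python
import re

# Constructed smb.conf fragment using the ranges from the post; SAMDOM is a made-up domain.
SAMPLE = """\
[global]
    workgroup = SAMDOM
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999
"""

LINE = re.compile(r"^\s*idmap config\s+([^\s:]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(text):
    """Return {domain: {'backend': str, 'range': (low, high)}} from smb.conf text."""
    domains = {}
    for raw in text.splitlines():
        m = LINE.match(raw)  # comment lines (# or ;) never match
        if not m:
            continue
        dom, key, val = m.group(1), m.group(2).lower(), m.group(3)
        if key == "range":
            low, high = (int(x) for x in val.split("-"))
            domains.setdefault(dom, {})["range"] = (low, high)
        elif key == "backend":
            domains.setdefault(dom, {})["backend"] = val.lower()
    return domains

def check_idmap(domains, reserved=(65534,)):
    """Flag overlapping ranges, a '*' range above a domain range, and reserved local IDs."""
    problems = []
    ranged = sorted((d["range"], name) for name, d in domains.items() if "range" in d)
    for ((_, hi1), n1), ((lo2, _), n2) in zip(ranged, ranged[1:]):
        if lo2 <= hi1:
            problems.append(f"ranges for {n1} and {n2} overlap")
    default = domains.get("*", {}).get("range")
    for (lo, hi), name in ranged:
        if name == "*":
            continue
        if default and default[0] > lo:
            problems.append(f"'*' range sits above {name}; raising {name}'s upper limit may collide")
        problems += [f"{name} range contains local ID {i}" for i in reserved if lo <= i <= hi]
    return problems

if __name__ == "__main__":
    for p in check_idmap(parse_idmap(SAMPLE)):
        print("WARNING:", p)
```

Running the same check against the smb.conf of every Unix domain member is a quick way to confirm they all carry identical idmap settings.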

