[Samba] id mapping on a dc+file server

Rowland penny rpenny at samba.org
Thu Aug 8 12:58:29 UTC 2019

On 08/08/2019 13:37, Pisch Tamás via samba wrote:
> Hi,
> I have a question again about my test environment. I have dc1, dc2,
> fileserver1, and dc3. dc3 is on another site, and is functioning as a
> fileserver too. As I read in the documentation, I cannot (shouldn't) use
> idmap config parameters in the smb.conf on my dc3. Unfortunately, at first I
> copied those parameters too from fileserver1 (I use the rid backend on
> fileserver1). So, I removed the idmap config lines from the dc3 smb.conf.
> When I create a file from Windows on a dc3 share, the owner is ok
> (DOMAIN\user), but the group is users. From the dc3 command line, I can set
> user, and group ownership correctly.
> How can I correct the setup on dc3?
> dc3:
> [global]
> bind interfaces only = Yes
> dns forwarder =
> dos charset = CP852
> interfaces = lo enp0s3
> logon path = ""
> name resolve order = lmhosts host bcast
> netbios name = DC3
> realm = A.B.HU
> server role = active directory domain controller
> template homedir = /home/%D/users/%U
> template shell = /bin/bash
> unix charset = UTF8
> username map = /etc/samba/user.map
> workgroup = A
> idmap_ldb:use rfc2307 = yes
> csc policy = disable

Nothing to do with your problem, but remove these lines from the smb.conf:

logon path = ""
username map = /etc/samba/user.map

The first is doing nothing and the second is probably interfering with 
the user mapping in idmap.ldb.

It is probably a bit late to change now, but there is only one way to 
get the same numeric ID everywhere and that is to use the 'ad' winbind 
backend. The required uidNumber & gidNumber attributes will override the 
xidNumber attributes used on a DC e.g. if you give Domain Users the 
gidNumber '10000', then all DCs will use '10000' for Domain Users and if 
you use the 'ad' backend on the fileserver, Domain Users will have the 
ID '10000'.
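
An added example, not part of the original message and not Samba's own code: a small Python check that flags, in a DC's smb.conf, the settings this thread says to take out (idmap config lines, logon path, username map). The function names and the sample file are assumptions; the sample reuses dc3's settings from the post, with one constructed rid line put back.

```python
import re

# Reasons are the ones given in the thread above, not an official rule set.
FLAGGED_ON_DC = {
    "logonpath": "reply: does nothing",
    "usernamemap": "reply: probably interferes with user mapping in idmap.ldb",
}

def norm(name):
    # smb.conf parameter names ignore case and embedded whitespace
    return re.sub(r"\s+", "", name).lower()

def parse_global(text):
    """Return [(lineno, name, value)] for parameters in [global]."""
    params, section = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line and line[0] not in "#;":
            name, value = line.split("=", 1)
            params.append((lineno, name.strip(), value.strip()))
    return params

def lint_dc(text):
    """Return [(lineno, parameter, reason)]; empty if not a DC config."""
    params = parse_global(text)
    role = {norm(k): v.lower() for _, k, v in params}.get("serverrole", "")
    if role != "active directory domain controller":
        return []
    findings = []
    for lineno, name, _ in params:
        key = norm(name)
        if key.startswith("idmapconfig"):
            findings.append((lineno, name, "post: idmap config not for a DC"))
        elif key in FLAGGED_ON_DC:
            findings.append((lineno, name, FLAGGED_ON_DC[key]))
    return findings

# Constructed sample: dc3 settings from the post plus one constructed rid line.
SAMPLE_DC3 = """[global]
server role = active directory domain controller
logon path = ""
username map = /etc/samba/user.map
idmap_ldb:use rfc2307 = yes
idmap config A : backend = rid
"""

if __name__ == "__main__":
    print(*lint_dc(SAMPLE_DC3), sep="\n")
```

The idmap_ldb:use rfc2307 line is deliberately not flagged: it is a different parameter from the idmap config lines discussed in the thread.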

