[Samba] id mapping on a dc+file server

Pisch Tamás pischta at gmail.com
Thu Aug 8 13:47:55 UTC 2019

> > Hi,
> >
> > I have a question again about my test environment. I have dc1, dc2,
> > fileserver1, and dc3. dc3 is on another site, and is functioning as a
> > fileserver too. As I read in the documentation, I cannot (shouldn't) use
> > idmap config parameters in the smb.conf on my dc3. Unfortunately, at first I
> > copied those parameters too from fileserver1 (I use the rid backend on
> > fileserver1). So, I removed the idmap config lines from the dc3 smb.conf.
> > When I create a file from Windows on a dc3 share, the owner is ok
> > (DOMAIN\user), but the group is users. From the dc3 command line, I can set
> > user and group ownership correctly.
> > How can I correct the setup on dc3?
> > dc3:
> > [global]
> > bind interfaces only = Yes
> > dns forwarder =
> > dos charset = CP852
> > interfaces = lo enp0s3
> > logon path = ""
> > name resolve order = lmhosts host bcast
> > netbios name = DC3
> > realm = A.B.HU
> > server role = active directory domain controller
> > template homedir = /home/%D/users/%U
> > template shell = /bin/bash
> > unix charset = UTF8
> > username map = /etc/samba/user.map
> > workgroup = A
> > idmap_ldb:use rfc2307 = yes
> > csc policy = disable
> Nothing to do with your problem, but remove these lines from the smb.conf:
> logon path = ""

It disables roaming profiles.

> username map = /etc/samba/user.map
> The first is doing nothing and the second is probably interfering with
> the user mapping in idmap.ldb.
> It is probably a bit late to change now, but there is only one way to
> get the same numeric ID everywhere and that is to use the 'ad' winbind
> backend.

According to https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC:
"Identity Mapping works different on a Samba domain controller (DC)
than on a domain member. For example, setting up an ID mapping back
end, such as ad (RFC2307) or rid, in the smb.conf file is not
supported and can cause the samba service to fail.
For details, see Accessing Shares on Domain Controllers Having idmap
config Parameters Set in the smb.conf File Fails." (At the end, it is
a wrong link, but there is a paragraph related to this topic.)
This is why I removed the idmap config entries from the dc3 smb.conf.
"On a Samba Active Directory DC, Winbindd always reads the user IDs
(UID) and group IDs (GID) from the values set in the uidNumber and
gidNumber attributes set in the AD objects. For users and groups not
having a UID or GID assigned, an ID is generated locally on the DC and
stored in the /usr/local/samba/private/idmap.ldb file."
There is no uidNumber or gidNumber in my users' objects.
If you are correct, then the documentation is wrong/outdated.

> The required uidNumber & gidNumber attributes will override the
> xidNumber attributes used on a DC e.g. if you give Domain Users the
> gidNumber '10000', then all DCs will use '10000' for Domain Users and if
> you use the 'ad' backend on the fileserver, Domain Users will have the
> ID '10000'

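The setup the reply describes (no idmap config on the DC, the 'ad' backend on the member file server, and uidNumber/gidNumber set in AD so every host derives the same numeric IDs) looks like the following two smb.conf fragments. This is an added illustration, not configuration from the thread or from the Samba project; the hostnames, interface name, ranges and the gidNumber 10000 for Domain Users are assumptions taken from or made up to match the discussion above.

```ini
; ---- dc3 (Samba AD DC that also serves files) ----
; No "idmap config ..." lines at all: on a DC, winbindd takes UID/GID
; from the uidNumber/gidNumber attributes in AD and falls back to
; idmap.ldb (xidNumber) for objects that have none.
[global]
   server role = active directory domain controller
   realm = A.B.HU
   workgroup = A
   netbios name = DC3
   interfaces = lo enp0s3
   bind interfaces only = yes
   idmap_ldb:use rfc2307 = yes        ; prefer rfc2307 attributes over xidNumber
   template homedir = /home/%D/users/%U
   template shell = /bin/bash
   unix charset = UTF8

; ---- fileserver1 (domain member) ----
; The 'ad' backend reads the same uidNumber/gidNumber attributes, so a
; user or group with an attribute set gets the same ID here as on dc3.
; Objects WITHOUT uidNumber/gidNumber (including a user's primary group,
; normally Domain Users) are not mapped at all by the 'ad' backend, so
; assign Domain Users a gidNumber inside the range (e.g. 10000) first.
[global]
   security = ADS
   realm = A.B.HU
   workgroup = A
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999          ; BUILTIN and other foreign SIDs
   idmap config A : backend = ad
   idmap config A : schema_mode = rfc2307
   idmap config A : range = 10000-999999        ; must contain every uidNumber/gidNumber you assign
   idmap config A : unix_nss_info = yes         ; use loginShell/unixHomeDirectory from AD
   winbind use default domain = yes
```

To check that the mapping agrees, run `getent group "Domain Users"` (or `wbinfo --name-to-sid "Domain Users"` followed by `wbinfo --sid-to-gid <SID>`) on both dc3 and fileserver1 after restarting winbind; both should return the gidNumber stored in AD (10000 in this example). A group that still resolves to a different number on the DC has no gidNumber set and is being numbered from idmap.ldb.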