[Samba] id mapping on a dc+file server

Rowland penny rpenny at samba.org
Thu Aug 8 14:44:12 UTC 2019

On 08/08/2019 14:47, Pisch Tamás via samba wrote:
>>> Hi,
>>> I have a question again about my test environment. I have dc1, dc2,
>>> fileserver1, and dc3. dc3 is on an another site, and is functioning as
>>> fileserver too. As I read in the documentation, I cannot (shouldn't) use
>>> idmap config parameters in the smb.conf on my dc3. Unfortunately, first I
>>> copied that parameters too from fileserver1 (I use rid backend on
>>> fileserver1). So, I removed the idmap config lines from the dc3 smb.conf.
>>> When I create a file from Windows on a dc3 share, the owner is ok
>>> (DOMAIN\user), but the group is users. From the dc3 command line, I can set
>>> user, and group ownership correctly.
>>> How can I correct the setup on dc3?
>>> dc3:
>>> [global]
>>> bind interfaces only = Yes
>>> dns forwarder =
>>> dos charset = CP852
>>> interfaces = lo enp0s3
>>> logon path = ""
>>> name resolve order = lmhosts host bcast
>>> netbios name = DC3
>>> realm = A.B.HU
>>> server role = active directory domain controller
>>> template homedir = /home/%D/users/%U
>>> template shell = /bin/bash
>>> unix charset = UTF8
>>> username map = /etc/samba/user.map
>>> workgroup = A
>>> idmap_ldb:use rfc2307 = yes
>>> csc policy = disable
>> Nothing to do with your problem, but remove these lines from the smb.conf:
>> logon path = ""
> It disables roaming profiles.
>> username map = /etc/samba/user.map
>> The first is doing nothing and the second is probably interfering with
>> the user mapping in idmap.ldb.
>> It is probably a bit late to change now, but there is only one way to
>> get the same numeric ID everywhere and that is to use the 'ad' winbind
>> backend.
> According to https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC:
> "Identity Mapping works different on a Samba domain controller (DC)
> than on a domain member. For example, setting up an ID mapping back
> end, such as ad (RFC2307) or rid, in the smb.conf file is not
> supported and can cause the samba service to fail.
>   For details, see Accessing Shares on Domain Controllers Having idmap
> config Parameters Set in the smb.conf File Fails." (At the end, it is
> a wrong link, but there is a paragraph related to this topic:
> https://wiki.samba.org/index.php/Updating_Samba#Failure_To_Access_Shares_on_Domain_Controllers_If_idmap_config_Parameters_Set_in_the_smb.conf_File)
I have fixed the broken link, thanks for pointing it out.
> This is why I removed the idmap  config entries from the dc3 smb.conf.
> "On a Samba Active Directory DC, Winbindd always reads the user IDs
> (UID) and group IDs (GID) from the values set in the uidNumber and
> gidNumber attributes set in the AD objects. For users and groups not
> having a UID or GID assigned, an ID is generated locally on the DC and
> stored in the /usr/local/samba/private/idmap.ldb file."
> There isn't uidNumber, and gidNumber in my users' objects.
> If you are correct, then the documentation is wrong/outdated.

No, there isn't anything really wrong with the documentation, you are 
just misunderstanding it, so it sounds like it needs making plainer.

You cannot add the 'idmap config' lines to a smb.conf on a DC, the 
id-mapping is done via idmap.ldb, the users & groups are mapped to 
xidNumber attributes in there.

If you give normal users & groups a uidNumber or gidNumber, these will 
be used instead of the xidNumbers on DCs. You will need to use the 
winbind 'ad' backend on Unix domain members to use the uidNumber & 
gidNumber attributes.
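As an added illustration (not part of this thread or of Samba itself), the following Python script models the DC rule described above: an object's RFC2307 attribute (uidNumber for users, gidNumber for groups) wins if it is set; otherwise the xidNumber allocated in idmap.ldb is used. The LDIF input is constructed sample data in the shape `ldbsearch` prints; the domain SID, account names and numbers are made up. On a real DC you would feed it the output of `ldbsearch -H /usr/local/samba/private/sam.ldb ...` and `ldbsearch -H /usr/local/samba/private/idmap.ldb ...` (paths assumed to match the source-build prefix quoted in the thread). It also works out the numeric GID a file created by a given user would get on a DC share, assuming the DC takes the user's primary group from primaryGroupID and resolves that group with the same rule.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample data shaped like `ldbsearch` output (not real directory data).
SAM_LDIF = """\
dn: CN=tamas,CN=Users,DC=a,DC=b,DC=hu
objectClass: top
objectClass: user
sAMAccountName: tamas
objectSid: S-1-5-21-1111-2222-3333-1104
primaryGroupID: 513

dn: CN=anna,CN=Users,DC=a,DC=b,DC=hu
objectClass: top
objectClass: user
sAMAccountName: anna
objectSid: S-1-5-21-1111-2222-3333-1105
primaryGroupID: 513
uidNumber: 10001
gidNumber: 10000

dn: CN=Domain Users,CN=Users,DC=a,DC=b,DC=hu
objectClass: top
objectClass: group
sAMAccountName: Domain Users
objectSid: S-1-5-21-1111-2222-3333-513

dn: CN=staff,CN=Users,DC=a,DC=b,DC=hu
objectClass: top
objectClass: group
sAMAccountName: staff
objectSid: S-1-5-21-1111-2222-3333-1106
gidNumber: 10000
"""

# Constructed idmap.ldb records: Domain Users and tamas have allocated xidNumbers.
IDMAP_LDIF = """\
dn: CN=S-1-5-21-1111-2222-3333-513
objectSid: S-1-5-21-1111-2222-3333-513
xidNumber: 100

dn: CN=S-1-5-21-1111-2222-3333-1104
objectSid: S-1-5-21-1111-2222-3333-1104
xidNumber: 3000021
"""

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: blank-line separated records, 'attr: value' lines,
    multi-valued attributes kept as lists. Base64 ('attr:: ...') and comment
    lines are skipped, which is enough for the attributes used here."""
    records: List[Entry] = []
    current: Entry = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#") or ":: " in line or ": " not in line:
            continue
        attr, value = line.split(": ", 1)
        current.setdefault(attr, []).append(value)
    if current:
        records.append(current)
    return records


def first(entry: Entry, attr: str) -> Optional[str]:
    values = entry.get(attr)
    return values[0] if values else None


def resolve_ids(sam_ldif: str, idmap_ldif: str) -> Dict[str, Tuple[Optional[str], Optional[int]]]:
    """Map each account name to (source, numeric id) as a DC resolves it:
    RFC2307 attribute on the AD object first, else the xidNumber in idmap.ldb,
    else (None, None), meaning winbind would allocate an xidNumber on first use."""
    xid_by_sid = {first(r, "objectSid"): int(first(r, "xidNumber"))
                  for r in parse_ldif(idmap_ldif) if "xidNumber" in r}
    resolved: Dict[str, Tuple[Optional[str], Optional[int]]] = {}
    for obj in parse_ldif(sam_ldif):
        name, sid = first(obj, "sAMAccountName"), first(obj, "objectSid")
        rfc2307 = "gidNumber" if "group" in obj.get("objectClass", []) else "uidNumber"
        if rfc2307 in obj:
            resolved[name] = (rfc2307, int(first(obj, rfc2307)))
        elif sid in xid_by_sid:
            resolved[name] = ("xidNumber", xid_by_sid[sid])
        else:
            resolved[name] = (None, None)
    return resolved


def primary_group_gid(sam_ldif: str, idmap_ldif: str, user: str) -> Tuple[Optional[str], Optional[int]]:
    """GID a file created by `user` gets on a DC share (assumption: the primary
    group SID is the domain SID joined with primaryGroupID, resolved as above)."""
    objects = parse_ldif(sam_ldif)
    by_name = {first(o, "sAMAccountName"): o for o in objects}
    by_sid = {first(o, "objectSid"): first(o, "sAMAccountName") for o in objects}
    acct = by_name[user]
    domain_sid = first(acct, "objectSid").rsplit("-", 1)[0]
    group_name = by_sid.get(f"{domain_sid}-{first(acct, 'primaryGroupID')}")
    if group_name is None:
        return (None, None)
    return resolve_ids(sam_ldif, idmap_ldif)[group_name]


if __name__ == "__main__":
    for name, (source, num) in resolve_ids(SAM_LDIF, IDMAP_LDIF).items():
        print(f"{name:14s} {source or 'unallocated':12s} {num}")
    print("tamas primary group ->", primary_group_gid(SAM_LDIF, IDMAP_LDIF, "tamas"))
```

In the sample, tamas has no uidNumber and so gets his idmap.ldb xidNumber, while anna's uidNumber takes precedence. Both users' files end up in the group resolved from Domain Users (RID 513), which in the sample has only an xidNumber. Samba's provisioning gives Domain Users xidNumber 100 in idmap.ldb, and on many distributions GID 100 is the local "users" group, which matches the "group is users" symptom in the original question.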
