[Samba] id mapping on a dc+file server

Rowland penny rpenny at samba.org
Fri Aug 9 08:25:06 UTC 2019

On 09/08/2019 09:00, Pisch Tamás via samba wrote:
> Thanks for your answer. It is clearer now for me.
>>>> It is probably a bit late to change now, but there is only one way to
>>>> get the same numeric ID everywhere and that is to use the 'ad' winbind
>>>> backend.
> So, on the Linux clients?
Perhaps I should have said 'everywhere on Unix'
>> No there isn't anything really wrong with the documentation, you are
>> just misunderstanding it, so it sounds like it needs making plainer.
>> You cannot add the 'idmap config' lines to a smb.conf on a DC, the
>> id-mapping is done via idmap.ldb, the users & groups are mapped to
>> xidNumber attributes in there.
> And is it hidden? I mean, 'samba-tool user show username' doesn't show
> that attribute.
Not hidden as such, it is in a different .ldb file, 'samba-tool user 
show' displays the users object from 'sam.ldb' and, as I said, 
id-mapping on a DC is done via 'idmap.ldb', this is where the 
'xidNumber' attributes are stored.
>> If you give normal users & groups a uidNumber or gidNumber, these will
>> be used instead of the xidNumbers on DCs, you will need to use the
>> winbind 'ad' backend on Unix domain members to use the uidNumber &
>> gidNumber attributes.
> I use rid on fileserver. So, when I get the users' uid and gid on it,
> and set them as uidNumber and gidNumber on dc3, and I use the net
> cache flush on dc3, then should I see the same user and group id on
> dc3 as on fileserver1, for example with getent passwd?
> I tested it with an existing user. Now, I see the uidNumber, and
> gidNumber (set by myself) with samba-tool user show user1, but the
> getent passwd A\\user1 shows the old user, and group id.

The DC will automatically use the uidNumber and gidNumber, but to use 
them on a Unix domain member, you have to follow a few simple rules:

You have to use the winbind 'ad' backend

You have to give any users you require visible on Unix a uidNumber attribute

You have to give 'Domain Users' a gidNumber attribute.

You have to give any group you require to be visible a gidNumber

All of these numbers must be inside the DOMAIN range you set in the 
smb.conf on the Unix domain member.
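The rules above are easy to get slightly wrong, so here is a small check written as an added example for this post (it is not from the thread, Samba or its tools). It parses the 'idmap config' lines of a Unix domain member's smb.conf and then tests a set of constructed user and group records, the way they would look after 'samba-tool user show', against those rules: the 'ad' backend must be in use, 'Domain Users' must carry a gidNumber, users need a uidNumber to be visible, and every number must sit inside the DOMAIN range (which, as Samba requires, must not overlap the '*' range). The domain name, ranges and object names are made up for the example.

```python
"""Check AD uidNumber/gidNumber values against a Unix domain member's smb.conf.

Added example (not from the mailing-list thread): the smb.conf fragment and
the user/group records below are constructed, so the script runs offline.
"""
import re
from typing import Dict, List, Tuple

# Constructed smb.conf fragment for a Unix domain member using the 'ad' backend.
SMB_CONF = """
[global]
    workgroup = A
    security = ADS
    realm = A.EXAMPLE.COM
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config A : backend = ad
    idmap config A : schema_mode = rfc2307
    idmap config A : range = 10000-999999
"""

# Constructed AD objects, as an admin might have set them on the DC.
USERS = [
    {"sAMAccountName": "user1", "uidNumber": 10001, "gidNumber": 10000},
    {"sAMAccountName": "user2", "uidNumber": 5000, "gidNumber": 10000},  # uid outside DOMAIN range
    {"sAMAccountName": "svc1"},                                           # no uidNumber at all
]
GROUPS = [
    {"sAMAccountName": "Domain Users"},                # forgot the gidNumber
    {"sAMAccountName": "staff", "gidNumber": 10002},
]

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap_config(conf: str) -> Dict[str, Dict[str, str]]:
    """Collect 'idmap config DOMAIN : key = value' lines into {DOMAIN: {key: value}}."""
    cfg: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domain, key, value = m.group(1), m.group(2).lower(), m.group(3)
            cfg.setdefault(domain, {})[key] = value
    return cfg


def domain_range(cfg: Dict[str, Dict[str, str]], domain: str) -> Tuple[int, int]:
    """Return the (low, high) range configured for one idmap domain."""
    lo, hi = cfg[domain]["range"].split("-")
    return int(lo), int(hi)


def check_objects(cfg, domain: str, users: List[dict], groups: List[dict]) -> List[str]:
    """Apply the rules from the post; return one finding per violation."""
    findings: List[str] = []
    dcfg = cfg.get(domain, {})
    if dcfg.get("backend", "").lower() != "ad":
        findings.append(f"{domain}: backend is '{dcfg.get('backend')}', not 'ad'; "
                        "AD uidNumber/gidNumber attributes are ignored")
    lo, hi = domain_range(cfg, domain)
    # The default ('*') range must not overlap the DOMAIN range.
    if "range" in cfg.get("*", {}):
        dlo, dhi = domain_range(cfg, "*")
        if dlo <= hi and lo <= dhi:
            findings.append(f"'*' range {dlo}-{dhi} overlaps {domain} range {lo}-{hi}")
    gids = {g["sAMAccountName"]: g.get("gidNumber") for g in groups}
    if gids.get("Domain Users") is None:
        findings.append("'Domain Users' has no gidNumber; users with it as primary group will not resolve")
    for name, gid in gids.items():
        if gid is not None and not lo <= gid <= hi:  # groups without a gidNumber are simply invisible
            findings.append(f"group {name}: gidNumber {gid} outside DOMAIN range {lo}-{hi}")
    for u in users:
        name, uid, gid = u["sAMAccountName"], u.get("uidNumber"), u.get("gidNumber")
        if uid is None:
            findings.append(f"user {name}: no uidNumber, will not be visible on Unix")
            continue
        if not lo <= uid <= hi:
            findings.append(f"user {name}: uidNumber {uid} outside DOMAIN range {lo}-{hi}")
        if gid is None or not lo <= gid <= hi:
            findings.append(f"user {name}: gidNumber {gid} missing or outside DOMAIN range {lo}-{hi}")
    return findings


if __name__ == "__main__":
    for finding in check_objects(parse_idmap_config(SMB_CONF), "A", USERS, GROUPS):
        print(finding)
```

On a real member server the records would come from 'samba-tool user show' / 'group show' output or an LDAP search rather than the constructed lists, and after fixing any finding a 'net cache flush' followed by 'getent passwd' and 'getent group' on the member confirms the new numbers are in use.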
