[Samba] UID provided by rid idmap is out of the range imposed in smb.cof

Rowland Penny rpenny at samba.org
Tue Feb 26 13:19:19 UTC 2019

On Tue, 26 Feb 2019 13:57:06 +0100
Andrea Cucciarre' via samba <samba at lists.samba.org> wrote:

> Hello,
> I had a problem with Samba winbind id-mappingĀ  on a system that is
> part of an AD domain.
> In the smb.conf I have the following setting:
> idmap config <domain> : backend = rid
> idmap config <domain> : range = 1000000-3000000
> idmap config <domain> : schema_mode = rfc2307
> winbindd was failing to convert some user SID to UID and in the idmap 
> logs I have the following error:
> Requested id (7003151) out of range (1000000 - 3000000). Filtered!
> I have fixed the issue by increasing the range to 1000000-10000000.
> So it appears that depending on the user SID, the UID generated 
> automatically by Samba rid could be out of the range imposed in
> smb.conf. Is it a bug or I'm just misunderstanding?

No, it isn't a bug, it is how it works, when you use the 'rid' backend
the Unix ID is calculated by this:


So from the info you provided, it becomes this:

ID = 6003151 + 1000000

ID = 7003151

This is above the high range (3000000) and anything outside the range
is ignored.

It does say here:


Under the heading: Planning the ID Ranges

The ranges must be continuous and big enough to enable Samba to assign
an ID for every future user and group created in the domain. 

It looks like you used the wrong range by not setting the high range
high enough ;-)


More information about the samba mailing list