[Samba] idmap problems

Rob Mason rob at acasta.co.uk
Wed Jan 2 14:42:39 UTC 2019

Many thanks Rowland.  Yes, I don't understand idmaps, but I _think_ I'm getting it. I have added the gid of 60002 for Domain Admins and undertaken some 'chgrp' tasks. I've now got a domain member with shares that presents the correct ownership. All looks good.

I'm still slightly confused why I have two ranges within my member smb.conf:

idmap config * : backend = tdb
idmap config * : range = 3000-29999       ========> reserved for BUILTIN ??? (and '3000000' range on the DC?)
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = 30000-99999      ========> my uid/gid range for SAMDOM local domain accounts ???

If I only require the domain user/admin accounts, I don't understand the need for the first (BUILTIN?) range.


Message: 9
Date: Wed, 2 Jan 2019 09:11:32 +0000
From: Rowland Penny <rpenny at samba.org>
To: samba at lists.samba.org
Subject: Re: [Samba] idmap problems
Message-ID: <20190102091132.27a16d48 at devstation.samdom.example.com>
Content-Type: text/plain; charset=US-ASCII

On Wed, 2 Jan 2019 00:29:07 +0000
Rob Mason via samba <samba at lists.samba.org> wrote:

> I've spent some time updating, upgrading and generally consolidating
> an old Samba AD. I've managed to remove a very old unsupported (4.2)
> Samba AD DC following migration to a couple of new DC's - that seems
> to have worked out OK. Workstation logons and GPO's working fine.
>
> I'm now left with one problem after joining a new Samba (4.5.12)
> member server to the domain for file sharing - the idmaps are
> inconsistent (I suspect this is a remnant from how the old DC was
> originally built). This is giving me problems setting up file shares.


> [global]
>         workgroup = SAMDOM
>         realm = SAMDOM.INTRA
>         netbios name = FILESERVER
>         security = ADS
>         dns forwarder =
>         winbind nss info = rfc2307
>         idmap config * : backend = tdb
>         idmap config * : range = 3000-5900
>         idmap config SAMDOM:backend = ad
>         idmap config SAMDOM:schema_mode = rfc2307
>         idmap config SAMDOM:range = 6000-9999999
>         template homedir = /home/%U
>         template shell = /bin/bash
>         winbind use default domain = true
>         winbind offline logon = false
>         winbind enum users = yes
>         winbind enum groups = yes
>         vfs objects = acl_xattr
>         map acl inherit = Yes
>         store dos attributes = Yes
>         # the user.map contains just one mapping for root-administrator
>         username map = /etc/samba/user.map
>
> [test123]
>         path = /data
>         read only = no


> My problem is that the builtin accounts and domains accounts are mixed
> within the same ranges. Domain users appeared to originally start at
> 30000, with domain groups from 60000. Somewhere along the way, perhaps
> during upgrade, the idmaps have gotten mixed. As a consequence, I
> cannot create shares as the member server is not enumerating the
> builtin accounts (except the group 'domain users'
> with gid of 60001).


> The following output shows the current mapping from the AD DC::
>
> # getent group
> root:x:0:
> ...
> SAMDOM \domain admins:x:3000008:

This shows that 'Domain Admins' doesn't have a 'gidNumber' attribute

> SAMDOM \domain users:x:60001:

Whilst 'Domain Users' does


> # getent passwd
> SAMDOM\user1:*:30002:60001::/home/SAMDOM/user1:/bin/bash
> SAMDOM\user2:*:30007:60001::/home/SAMDOM/user2:/bin/bash
> SAMDOM\user3:*:30008:60001::/home/SAMDOM/user3:/bin/bash
> SAMDOM\user4:*:30009:60001::/home/SAMDOM/user4:/bin/bash
>
> Now on the member server::
>
> # getent passwd
> user1:*:30009:60001:User1:/home/ user1:/bin/false
> user2:*:30008:60001: User1:/home/ user2:/bin/false
> user3:*:30002:60001: User1:/home/ user3:/bin/bash
> user4:*:30007:60001: User1:/home/ user4:/bin/false

Why, if the users have a 'uidNumber' attribute, are they different between the DC and the Unix domain member?

Also, why isn't the template shell being used on the Unix domain member?


> # getent group
> root:x:0:
> ...
> domain users:x:60001:
>
> I don't see Domain Admins or other groups and builtin users on the
> member server. This means I cannot grant Domain admins ownership of
> directories when I create shares. Does this mean I will have to
> manually re-map the uid/gid attributes in the AD DC???


I would suggest creating a new group, e.g. Unix Admins, add this group to Domain Admins, give the new group a gidNumber attribute and use this group on Unix instead of Domain Admins.

OK, you have problems, one being that you don't understand the differences between how idmap works on a DC and a Unix domain member.

On a DC, the ID mapping is done in idmap.ldb using 'xidNumber' attributes (the '3000000' numbers) and these will be different on each DC.

On a Unix domain member using the winbind 'ad' backend, you will need to add 'uidNumber' & 'gidNumber' attributes. These numbers will need to be inside the range you set in smb.conf (in your case '6000-9999999'); anything outside the range will be ignored.

You do not need to use different ranges for users & groups.

If you do give a user a 'uidNumber' attribute, or a group a 'gidNumber' attribute, these will be used on a DC instead of the 'xidNumber' attributes, though you will probably need to run 'net cache flush'.


Rob Mason
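Added example (not part of the thread, and not Samba's own code): a small Python checker that parses the 'idmap config' lines out of an smb.conf, flags a domain with no range or two domains whose ranges overlap, and reports whether a given uidNumber/gidNumber lies inside the domain's range, which is the condition Rowland describes for the winbind 'ad' backend (outside the range, the attribute is ignored and the object gets no Unix ID on the member). The '*' entry is the default domain; winbind uses it for BUILTIN and for any domain that has no idmap config of its own, so a member keeps both ranges and they must not overlap. The function names are my own; the smb.conf lines and ID numbers in the sample are the ones quoted in this thread, and the 3000008 value is the DC's idmap.ldb xidNumber, included to show that it is not an AD attribute the member would honour.

```python
import re

# Matches e.g. "idmap config * : range = 3000-29999" and "idmap config SAMDOM:backend = ad".
IDMAP_RE = re.compile(r"^\s*idmap config\s+([^\s:]+)\s*:\s*(\w+)\s*=\s*(.*?)\s*$", re.IGNORECASE)


def parse_idmap_config(smb_conf):
    """Collect every 'idmap config <domain>:<option> = <value>' line of an
    smb.conf text into {domain: {option: value}}; other directives are ignored."""
    cfg = {}
    for line in smb_conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domain, option, value = m.group(1), m.group(2).lower(), m.group(3)
            cfg.setdefault(domain, {})[option] = value
    return cfg


def parse_range(value):
    """'3000-29999' -> (3000, 29999); rejects an inverted range."""
    lo, hi = (int(x) for x in value.split("-"))
    if lo > hi:
        raise ValueError("inverted idmap range: " + value)
    return lo, hi


def check_ranges(cfg):
    """Return a list of problems: a domain with no range, or two domains whose
    ranges overlap (overlapping ranges are a winbind configuration error)."""
    problems = []
    ranges = {}
    for domain, opts in cfg.items():
        if "range" not in opts:
            problems.append("%s: no idmap range configured" % domain)
            continue
        ranges[domain] = parse_range(opts["range"])
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            a_lo, a_hi = ranges[a]
            b_lo, b_hi = ranges[b]
            if a_lo <= b_hi and b_lo <= a_hi:
                problems.append("ranges for %s (%d-%d) and %s (%d-%d) overlap"
                                % (a, a_lo, a_hi, b, b_lo, b_hi))
    return problems


def classify_ids(cfg, domain, ids):
    """With the 'ad' backend a uidNumber/gidNumber is honoured only if it lies
    inside that domain's configured range. Returns {name: True if usable}."""
    lo, hi = parse_range(cfg[domain]["range"])
    return {name: lo <= number <= hi for name, number in ids.items()}


# Constructed sample: the idmap lines of the member smb.conf quoted in this thread.
MEMBER_SMB_CONF = """\
[global]
        workgroup = SAMDOM
        idmap config * : backend = tdb
        idmap config * : range = 3000-29999
        idmap config SAMDOM:backend = ad
        idmap config SAMDOM:schema_mode = rfc2307
        idmap config SAMDOM:range = 30000-99999
"""

# Constructed sample IDs: the numbers mentioned in the thread. The last one is
# the DC's idmap.ldb xidNumber for Domain Admins, not an AD attribute at all.
SAMPLE_IDS = {
    "user1 uidNumber": 30002,
    "Domain Users gidNumber": 60001,
    "Domain Admins gidNumber": 60002,
    "Domain Admins xidNumber on the DC": 3000008,
}

if __name__ == "__main__":
    cfg = parse_idmap_config(MEMBER_SMB_CONF)
    for problem in check_ranges(cfg) or ["no range problems"]:
        print(problem)
    for name, ok in classify_ids(cfg, "SAMDOM", SAMPLE_IDS).items():
        print("%-36s %s" % (name, "inside SAMDOM range" if ok else "IGNORED (outside range)"))
```

Run it against the real file with `parse_idmap_config(open("/etc/samba/smb.conf").read())` and feed it the uidNumber/gidNumber values you have set in AD; any entry reported as ignored will not appear in `getent` on the member even though the attribute exists.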
