[Samba] idmap config DOMAIN Not Working

Rowland penny rpenny at samba.org
Thu May 30 19:23:47 UTC 2019

On 30/05/2019 14:03, Banks, David (db2d) via samba wrote:
> So, after reading many samba setup pages I was under the impression that “properly” configuring idmap for an AD domain should look something like this

Did you read these:



>          security = ADS
>          idmap config * : backend = tdb
>          idmap config * : range = 10000-50000
>          #   DOMAIN
>          realm = DOMAIN.COM
>          workgroup = DOMAIN
>          idmap config DOMAIN:backend = ad
>          idmap config DOMAIN:range = 100000-500000
>          idmap config DOMAIN:schema_mode = rfc2307
>          idmap config DOMAIN:unix_nss_info = yes
>          idmap config DOMAIN:default = yes
> However, I’ve been wrestling with this for weeks now without success. With these config lines users are not able to log in and wbinfo -i user yields the error
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> If I comment out the domain lines and expand the default range to accommodate the domain range — idmap config * : range 100000-500000 — wbinfo works and users can log in.
Until I read the last part of the above, I couldn't understand your 
problem, everything looked okay apart from the last line 'default = yes' 
which doesn't exist. You also have 'unix password sync = yes', you 
cannot have local Unix users with the same name in AD, you make AD users 
into Unix users.

I think you may have fallen into the common mistake of thinking that 
just setting up winbind ad in smb.conf is sufficient, it isn't. You have 
to give each user a uidNumber attribute containing a unique number in 
the '100000-500000' range. You will also have to give 'Domain Users' a 
gidNumber attribute containing a number inside the same range.
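An added example, not code from the thread or from Samba itself: a small pre-flight check for the points raised above. It pulls the idmap ranges out of an smb.conf fragment, flags options that idmap_ad(8) does not document (such as the 'default = yes' line), checks that the '*' and DOMAIN ranges do not overlap, and then walks a constructed sample of AD user and group entries looking for missing or out-of-range uidNumber/gidNumber values. The user and group dictionaries are made up to stand in for what ldbsearch or samba-tool would return; nothing here talks to a directory, and the function names and the list of known options are my own.

```python
"""Added example (not from the mailing-list thread or from Samba): check the
prerequisites for the winbind 'ad' idmap backend offline, against an smb.conf
fragment and a constructed sample of AD entries."""
import re

# The poster's configuration, reproduced as a constructed input string.
SMB_CONF = """\
security = ADS
idmap config * : backend = tdb
idmap config * : range = 10000-50000
realm = DOMAIN.COM
workgroup = DOMAIN
idmap config DOMAIN:backend = ad
idmap config DOMAIN:range = 100000-500000
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:unix_nss_info = yes
idmap config DOMAIN:default = yes
"""

# Constructed sample entries (not real directory data): one user is set up
# correctly, one never got a uidNumber, one has a uidNumber in the '*' range.
AD_USERS = {
    "alice": {"uidNumber": 100001, "gidNumber": 100000},
    "bob":   {"uidNumber": None,   "gidNumber": 100000},
    "carol": {"uidNumber": 20000,  "gidNumber": 100000},
}
AD_GROUPS = {
    "Domain Users":  {"gidNumber": 100000},
    "Domain Admins": {"gidNumber": None},
}

# Options documented for the idmap_ad backend (assumption: list may be
# incomplete for newer Samba releases; extend it as needed).
KNOWN_AD_OPTIONS = {"backend", "range", "schema_mode", "unix_primary_group",
                    "unix_nss_info", "all_groupmem"}

# Matches 'idmap config <domain> : <option> = <value>', with or without the
# spaces around the colon, as both spellings appear in the poster's config.
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$",
                      re.IGNORECASE)


def parse_idmap(conf):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    cfg = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1), m.group(2).lower(), m.group(3)
            cfg.setdefault(dom, {})[opt] = val
    return cfg


def parse_range(val):
    """'100000-500000' -> (100000, 500000)."""
    lo, hi = (int(x) for x in val.split("-"))
    return lo, hi


def check_config(cfg):
    """Unknown idmap_ad options and overlapping ranges between domains."""
    problems = []
    for dom, opts in cfg.items():
        if opts.get("backend") == "ad":
            for opt in opts:
                if opt not in KNOWN_AD_OPTIONS:
                    problems.append(f"{dom}: unknown idmap_ad option '{opt}'")
    ranges = {d: parse_range(o["range"]) for d, o in cfg.items() if "range" in o}
    doms = list(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                problems.append(f"ranges of '{a}' and '{b}' overlap")
    return problems


def check_entries(cfg, domain, users, groups):
    """Every user needs a uidNumber inside the domain's range, and the
    primary group (Domain Users) needs a gidNumber inside the same range."""
    lo, hi = parse_range(cfg[domain]["range"])
    problems = []
    for name, attrs in users.items():
        uid = attrs.get("uidNumber")
        if uid is None:
            problems.append(f"user {name}: no uidNumber, the ad backend will not map it")
        elif not lo <= uid <= hi:
            problems.append(f"user {name}: uidNumber {uid} outside {lo}-{hi}")
        gid = attrs.get("gidNumber")
        if gid is not None and not lo <= gid <= hi:
            problems.append(f"user {name}: gidNumber {gid} outside {lo}-{hi}")
    gid = groups.get("Domain Users", {}).get("gidNumber")
    if gid is None:
        problems.append("group Domain Users: no gidNumber")
    elif not lo <= gid <= hi:
        problems.append(f"group Domain Users: gidNumber {gid} outside {lo}-{hi}")
    return problems


if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    for p in check_config(cfg) + check_entries(cfg, "DOMAIN", AD_USERS, AD_GROUPS):
        print("PROBLEM:", p)
```

Run against the poster's fragment it reports the unknown 'default' option, the user with no uidNumber and the user whose uidNumber sits in the '*' range; widening the '*' range to 10000-200000, as the poster tried, additionally trips the overlap check.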


More information about the samba mailing list