[Samba] suddenly change: idmap uid + gid

Rowland penny rpenny at samba.org
Tue Nov 5 09:36:10 UTC 2019

On 04/11/2019 18:52, Alexey A Nikitin wrote:
> On Sunday, 3 November 2019 01:41:18 PST Rowland penny via samba wrote:
>> As I said, you cannot use 'winbind use default domain = yes' with
>> 'autorid', it makes all users and groups members of the same domain,
>> this is probably what has happened here.
>> Remove the line, this should stop it happening again
>> If you have only one domain, then you shouldn't be using autorid, you
>> should be using rid instead, unfortunately it is probably too late now.
> Is it OK to use autorid for * when you have rid configured for the domain of your primary user on a given machine? E.g., if there is a forest of, say, users.example.com, dom1.example.com, dom2.example.com, and the primary user of the machine is in users.example.com, is it OK to have config like this:
>          idmap config * : backend = autorid
>          idmap config * : range = <range>
>          idmap config * : rangesize = <subrange>
>          idmap config USERS : backend = rid
>          idmap config USERS : range = <range>
> If yes, what about the same config for the case when USERS (users.example.com) is the only domain? My understanding is in a single domain situation this config shouldn't cause any issues with 'winbind use default domain = true', and in the multiple domains situation this would cause trouble authenticating users from domains other than USERS but should work OK for the primary domain, is that correct?

There is no point in using 'rid' with 'autorid', they both do the same 
thing, they map users using the user's SID.

If you have multiple domains, then the easiest way to set up smb.conf is 
by using 'autorid', elsewise you would have to set up multiple 
'idmap config' blocks for each domain.

If you only have one domain, then you could use the 'ad' or 'rid' 
winbind backend. If you do not use the DC as a fileserver, then the 
'rid' backend is probably the one to use, this way you do not have to 
add anything to AD.

If you want to have the same ID everywhere (you are using the DC as a 
fileserver) then you will have to use the winbind 'ad' backend and add 
RFC2307 attributes to AD.
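The checks discussed in this thread, as an added example that is not part of the original post or of Samba itself: a small Python script that reads the [global] section of an smb.conf and flags the autorid plus 'winbind use default domain = yes' combination, a per-domain 'rid' block that is redundant next to a default 'autorid' block, a backend with no range, and idmap ranges that overlap. Both smb.conf fragments embedded below are constructed for this example (domain USERS, realm USERS.EXAMPLE.COM and the numeric ranges are placeholders, not values from the post).

```python
import re
from typing import Dict, List, Tuple

# Two constructed smb.conf [global] fragments (example input, not from the list post).
# The first combines autorid with 'winbind use default domain = yes', adds a
# redundant per-domain rid backend and lets the ranges overlap; the second is the
# single-domain layout the reply recommends (tdb for '*', rid for the domain).
BAD_CONF = """\
[global]
   workgroup = USERS
   realm = USERS.EXAMPLE.COM
   security = ads
   winbind use default domain = yes
   idmap config * : backend = autorid
   idmap config * : range = 10000-999999
   idmap config * : rangesize = 100000
   idmap config USERS : backend = rid
   idmap config USERS : range = 10000-99999
"""

GOOD_CONF = """\
[global]
   workgroup = USERS
   realm = USERS.EXAMPLE.COM
   security = ads
   winbind use default domain = yes
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config USERS : backend = rid
   idmap config USERS : range = 10000-999999
"""

# Matches the parameter name part of 'idmap config DOMAIN : option = value'.
IDMAP_KEY = re.compile(r"^idmap\s+config\s+(\S+)\s*:\s*(\S+)$", re.IGNORECASE)


def parse_global(conf: str) -> Tuple[Dict[str, str], Dict[str, Dict[str, str]]]:
    """Parse the [global] section into plain parameters (lowercased names) and
    idmap settings grouped by domain ('*' is the default domain)."""
    params: Dict[str, str] = {}
    idmap: Dict[str, Dict[str, str]] = {}
    section = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key, value = " ".join(key.split()), value.strip()
        m = IDMAP_KEY.match(key)
        if m:
            idmap.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = value
        else:
            params[key.lower()] = value
    return params, idmap


def parse_range(value: str) -> Tuple[int, int]:
    """Turn 'LOW-HIGH' (spaces around the dash allowed) into (low, high)."""
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", value)
    if not m or int(m.group(1)) > int(m.group(2)):
        raise ValueError(f"malformed idmap range: {value!r}")
    return int(m.group(1)), int(m.group(2))


def lint_idmap(conf: str) -> List[Tuple[str, str]]:
    """Return (code, message) findings for the idmap layout in conf."""
    params, idmap = parse_global(conf)
    findings: List[Tuple[str, str]] = []
    default_backend = idmap.get("*", {}).get("backend", "").lower()
    use_default_domain = params.get("winbind use default domain", "no").lower() in ("yes", "true", "1")

    # The combination the reply blames for the sudden uid/gid change.
    if default_backend == "autorid" and use_default_domain:
        findings.append(("AUTORID_DEFAULT_DOMAIN",
                         "'winbind use default domain = yes' with autorid makes every user and "
                         "group look like a member of the same domain; drop the line or use rid"))

    # rid and autorid both map from the SID, so a per-domain rid block next to
    # a default autorid block adds nothing (the reply's point).
    for dom, opts in idmap.items():
        if dom != "*" and default_backend == "autorid" and opts.get("backend", "").lower() == "rid":
            findings.append(("REDUNDANT_RID", f"idmap config {dom}: rid is redundant alongside a default autorid backend"))

    # Every configured backend needs a range, and ranges must not overlap.
    ranges: List[Tuple[str, int, int]] = []
    for dom, opts in idmap.items():
        if "backend" in opts and "range" not in opts:
            findings.append(("MISSING_RANGE", f"idmap config {dom}: backend set without a range"))
        elif "range" in opts:
            lo, hi = parse_range(opts["range"])
            ranges.append((dom, lo, hi))
    for i, (d1, lo1, hi1) in enumerate(ranges):
        for d2, lo2, hi2 in ranges[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                findings.append(("RANGE_OVERLAP", f"idmap ranges for {d1} ({lo1}-{hi1}) and {d2} ({lo2}-{hi2}) overlap"))
    return findings


if __name__ == "__main__":
    for name, conf in (("bad", BAD_CONF), ("good", GOOD_CONF)):
        print(name, lint_idmap(conf) or "no findings")
```

Run it against a real file with `lint_idmap(open("/etc/samba/smb.conf").read())`; the script only reads [global] and ignores share sections, and it is a sanity check on the layout, not a replacement for `testparm`.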

