[Samba] Samba AD-DC idmap config

John Redmond barkingdoggy at gmail.com
Wed Oct 16 15:06:06 UTC 2019

Following the guidance here,
https://wiki.samba.org/index.php/Idmap_config_ad, I added idmap lines to my
smb.conf file on my Samba 4.7 AD-DC server on Ubuntu 18.04.  Samba no
longer starts and testparm reports that the idmap ranges for the default *
domain and the AD domain are overlapping.  Here's my smb.conf file (FWIW,
if I don't comment security = ADS, server role is set to Member Server):

[global]
# Global parameters
        dns forwarder =
        netbios name = DC0
        realm = SAMDOM.COM
        server role = active directory domain controller
        workgroup = SAMDOM
# Global parameters from
#       security = ADS
        log file = /var/log/samba/%m.log
        log level = 1
# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use a read-write-enabled back end, such as tdb.
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
# - You must set a DOMAIN backend configuration
# idmap config for the SAMDOM domain
        idmap config LAN:backend = ad
        idmap config LAN:schema_mode = rfc2307
        idmap config LAN:range = 10000-999999
        idmap config LAN:unix_nss_info = yes
        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes

[netlogon]
        path = /var/lib/samba/sysvol/lsamdom.com/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

End of file.

I'm trying to get this working in order to be able to implement a Samba file
server joined to the domain, which AD users will access with winbind.
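The checks testparm runs over the idmap lines can be reproduced offline, which makes it easier to see why a config is rejected before touching a running DC. The script below is an added example and not part of the original post or of Samba itself; it parses `idmap config <DOMAIN> : <option> = <value>` lines from an smb.conf text, verifies that every configured domain has a well-formed range, that no two ranges intersect, that the default `*` domain uses a writable backend, and that the `workgroup` domain has an idmap block of its own. The embedded `SAMPLE_SMB_CONF` is a constructed fragment modelled on the posted config (workgroup SAMDOM, idmap block written for LAN), and the set of writable backends and the report layout are this script's own assumptions rather than Samba API output.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed smb.conf fragment modelled on the posted DC config; it is not the
# original file. The workgroup is SAMDOM, but the only domain-specific idmap block
# is written for LAN, so SAMDOM itself has no mapping of its own.
SAMPLE_SMB_CONF = """\
[global]
        workgroup = SAMDOM
        realm = SAMDOM.COM
        server role = active directory domain controller
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config LAN:backend = ad
        idmap config LAN:schema_mode = rfc2307
        idmap config LAN:range = 10000-999999
"""

IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+([^:]+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.IGNORECASE
)
WORKGROUP_RE = re.compile(r"^\s*workgroup\s*=\s*(\S+)\s*$", re.IGNORECASE)
RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")

# Backends that can allocate new IDs; the default (*) domain must use one of
# these (assumed set for this example).
WRITABLE_BACKENDS = {"tdb", "tdb2", "autorid"}


def parse_idmap(conf: str) -> Tuple[Optional[str], Dict[str, Dict[str, str]]]:
    """Return (workgroup, {DOMAIN: {option: value}}) from smb.conf text."""
    workgroup = None
    idmap: Dict[str, Dict[str, str]] = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0]  # drop smb.conf comments
        m = WORKGROUP_RE.match(line)
        if m:
            workgroup = m.group(1).upper()
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            idmap.setdefault(dom, {})[opt] = val
    return workgroup, idmap


def parse_range(value: str) -> Tuple[int, int]:
    """Parse 'LOW-HIGH' into ints, rejecting malformed or inverted ranges."""
    m = RANGE_RE.match(value.strip())
    if not m:
        raise ValueError(f"bad idmap range {value!r}")
    lo, hi = int(m.group(1)), int(m.group(2))
    if lo > hi:
        raise ValueError(f"inverted idmap range {value!r}")
    return lo, hi


def find_overlaps(ranges: Dict[str, Tuple[int, int]]) -> List[Tuple[str, str]]:
    """Pairs of domains whose ID ranges intersect, in sorted-name order."""
    names = sorted(ranges)
    clashes = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            lo_a, hi_a = ranges[a]
            lo_b, hi_b = ranges[b]
            if lo_a <= hi_b and lo_b <= hi_a:
                clashes.append((a, b))
    return clashes


def check_idmap(conf: str) -> dict:
    """Apply the idmap sanity checks and return a structured report."""
    workgroup, idmap = parse_idmap(conf)
    problems: List[str] = []
    ranges: Dict[str, Tuple[int, int]] = {}
    for dom, opts in idmap.items():
        if "range" not in opts:
            problems.append(f"idmap config {dom} has no range")
            continue
        try:
            ranges[dom] = parse_range(opts["range"])
        except ValueError as exc:
            problems.append(str(exc))
    default_backend = idmap.get("*", {}).get("backend", "").lower()
    if default_backend not in WRITABLE_BACKENDS:
        problems.append(f"default (*) backend {default_backend!r} is not writable")
    missing = None
    if workgroup and workgroup not in idmap:
        missing = workgroup
        problems.append(f"no idmap config block for workgroup {workgroup}")
    overlaps = find_overlaps(ranges)
    for a, b in overlaps:
        problems.append(f"idmap ranges of {a} and {b} overlap")
    return {"workgroup": workgroup, "ranges": ranges, "overlaps": overlaps,
            "missing_domain": missing, "problems": problems}


if __name__ == "__main__":
    for line in check_idmap(SAMPLE_SMB_CONF)["problems"]:
        print(line)
```

Run against the sample, the script finds no numeric overlap between 3000-7999 and 10000-999999 but does flag that SAMDOM, the actual workgroup, has no idmap block because the lines were written for LAN. To see the overlap report testparm produces, feed it a config whose domain range starts inside the `*` range (for example 5000-9999 against 3000-7999).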

