[Samba] Samba AD-DC idmap config

Rowland penny rpenny at samba.org
Wed Oct 16 20:05:44 UTC 2019

On 16/10/2019 20:37, John Redmond via samba wrote:
> Rowland - Thanks.  The idmap lines belong in the file-server domain member,
> not the domain controller, right?
Yes, they are perfectly valid on a Unix domain member.
> Using ADUC on a Windows 10 machine, do you have any guidance on what GIDs
> and UIDs (numbers and range) to use in setting the default AD users and
> groups?  In setting the  "idmap config * : range= "  in the smb.conf file
> on the file server what range should I use?  I assume that is for the
> Linux/local users on the file server instead of the domain users.
There are two ranges you need to set, the '*' domain for the Well Known 
SIDs and the 'DOMAIN' (where 'DOMAIN' is your AD domain) range. It might 
help if you read this:


That explains it without having to type it all over again ;-)

The only thing to stress is, the only one of the AD Well Known SIDs that 
must have a Unix ID is the 'Domain Users' group which must have a gidNumber.
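
An added example, not part of the original message: a small checker for the two ranges discussed above, which reads the idmap range lines from a domain member's smb.conf, flags overlapping or missing ranges, and confirms that the gidNumber given to 'Domain Users' falls inside the DOMAIN range. The domain name SAMDOM, the range values, the gidNumber and the use of the 'ad' backend (which ignores IDs outside its range) are assumptions made for the example.

```python
import re

# Constructed smb.conf fragment for a Unix domain member; SAMDOM and the
# numeric ranges are illustrative assumptions, not values from the thread.
SAMPLE_SMB_CONF = """
[global]
    security = ADS
    workgroup = SAMDOM
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : range = 10000-999999
"""

RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
    re.IGNORECASE | re.MULTILINE,
)

def idmap_ranges(conf_text):
    """Return {domain: (low, high)} for every 'idmap config X : range' line."""
    return {m.group(1): (int(m.group(2)), int(m.group(3)))
            for m in RANGE_RE.finditer(conf_text)}

def check_idmap(conf_text, domain, domain_users_gid):
    """Return a list of problems; an empty list means the checks passed."""
    ranges = idmap_ranges(conf_text)
    problems = []
    for name in ("*", domain):  # both the default and the AD domain need a range
        if name not in ranges:
            problems.append(f"no range set for idmap domain '{name}'")
    for name, (low, high) in ranges.items():
        if low > high:
            problems.append(f"range for '{name}' is inverted: {low}-{high}")
    names = sorted(ranges)
    for i, a in enumerate(names):  # pairwise overlap test between all ranges
        for b in names[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                problems.append(f"ranges for '{a}' and '{b}' overlap")
    if domain in ranges:  # assumed 'ad' backend: IDs outside the range are ignored
        low, high = ranges[domain]
        if not low <= domain_users_gid <= high:
            problems.append(
                f"Domain Users gidNumber {domain_users_gid} is outside {low}-{high}")
    return problems

if __name__ == "__main__":
    for line in check_idmap(SAMPLE_SMB_CONF, "SAMDOM", 10000) or ["idmap ranges OK"]:
        print(line)
```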

