[Samba] Upgrade from 4.4.3 to 4.9.13, idmap question

Rowland Penny rpenny at samba.org
Tue Oct 22 10:24:22 UTC 2019

On 22/10/2019 10:56, Pablo Sanz Fernández via samba wrote:
> Hi,
> We have samba 4.4.3, provisioned as AD controller, compiled with "./configure --with-shared-modules=idmap_ad" option.
> The smb.conf has the following idmap configuration:
> idmap_ldb:use rfc2307 = yes
Well, that line is okay in a DC smb.conf.
> idmap config EADOM:backend = ad
> idmap config EADOM:schema_mode = rfc2307
> idmap config EADOM:range = 500-149999
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
And the above never did anything on a DC and should never have been there.
> If we update to 4.9.13 (direct upgrade) or any version greater than 4.5, we know that we must remove the idmap lines from smb.conf, and also execute the command "samba-tool dbcheck --cross-ncs --fix --yes".
You should never have had them; they did nothing.
> But does it have any implications for the user and computer account ID mapping? Will a computer or user that was in AD before the update, and before smb.conf was changed to remove the idmap section, keep its attributes like objectSID untouched?
The objectSID is only used to map an AD user or group to an xidNumber in 
idmap.ldb on a DC, or in the ID calculation on a Unix domain member if 
using the 'rid' backend; it is never changed.
> In summary, should we worry that some computer will leave the domain because the upgrade changes some of its account attributes in the AD?

No, your computer should not leave the domain because you remove 
something that should never have been in the DC smb.conf.
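
A pre-upgrade check for the lines discussed in this thread, as an added example that is not part of the original messages or of Samba itself: it parses the [global] section of an smb.conf and, when the server role is an AD DC, reports the idmap config and winbind parameters the reply says do nothing there. The function names and the sample config (which assumes an explicit server role line) are constructed for illustration.

```python
import re

# Parameters the reply above says never did anything in a DC smb.conf.
NOOP_ON_DC = ("idmap config ", "winbind nss info",
              "winbind trusted domains only", "winbind use default domain")
DC_ROLES = {"active directory domain controller", "domain controller", "dc"}

def normalize(name):
    # smb.conf parameter names are case-insensitive; collapse whitespace runs.
    return re.sub(r"\s+", " ", name.strip().lower())

def parse_global(text):
    """Return [(lineno, key, value)] for parameters in the [global] section."""
    params, section = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params.append((no, normalize(key), value.strip()))
    return params

def dc_noop_lines(text):
    """List (lineno, key) of lines to remove; empty if the host is not a DC."""
    params = parse_global(text)
    is_dc = any(k == "server role" and v.lower() in DC_ROLES
                for _, k, v in params)
    if not is_dc:
        return []
    return [(no, k) for no, k, _ in params if k.startswith(NOOP_ON_DC)]

# Constructed sample: the configuration quoted in the thread plus a role line.
SAMPLE = """\
[global]
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes
    idmap config EADOM:backend = ad
    idmap config EADOM:schema_mode = rfc2307
    idmap config EADOM:range = 500-149999
    winbind nss info = rfc2307
    winbind trusted domains only = no
    winbind use default domain = yes
"""

if __name__ == "__main__":
    for no, key in dc_noop_lines(SAMPLE):
        print(f"line {no}: remove '{key}' (no effect on a DC)")
```
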

