[Samba] How to Change UIDs

Rowland Penny rpenny at samba.org
Thu Sep 5 14:30:17 UTC 2019


On 05/09/2019 15:12, Tyrus Shivers via samba wrote:
> Hello,
>
> I am using Winbind and Samba to tie in Linux VMs with a Windows DC for
> authentication. The UIDs are automatically assigned when I create a new
> user in Active Directory.
As you are using the winbind 'rid' backend, I take it that UID ==
Windows SID.
>
> I need to manually change the UIDs of my users to a UID that is used on
> another network so they can access a specific share. How can I change the
> UID successfully and still be able to authenticate with the DC. Also, how
> can I manually assign UIDs in the future for new users?

You cannot, the 'SID' will be in the format:

S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-RID

The 'xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz' is what identifies the domain and
the 'RID' will (for normal users and groups) be a unique number that
is equal to or larger than '1000'.

If you change the 'xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz' it becomes a
different domain and will not be recognised by the existing domain and
may cause it to fail. If you change the RID, it will become a different
user, group or computer etc.

> My smb.conf is below:
>
> workgroup = DOMAIN
> password server = server.domain.com
Remove the password server line, you should allow Samba to find the most 
appropriate DC.
> realm = DOMIAN.com
> security = ads
> idmap config * : range = 3000-9999
> idmap config * : backend = rid
> idmap config DOMAIN : range = 10000-19999
> idmap config DOMAIN : backend = rid
> allow trusted domain = no
If you set 'allow trusted domain = yes' (or just remove the line), then 
you should be able to set up a trust between your domains to do what you 
require.
> template shell = /bin/bash
> kerberos method = secrets only
> winbind use default domain = true
> winbind offline logon = false
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = yes
> encrypt passwords = yes
> restrict anonymous = 2
> template homedir = /home/%D/%U
>
Rowland
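
The mapping discussed in this message, as an added example (not code from the thread or from Samba): idmap_rid(8) documents ID = RID - BASE_RID + LOW_RANGE_ID, so with the posted range 10000-19999 a user's UID is a fixed function of the RID in the SID rather than a value chosen per user. The domain SID and RIDs are constructed sample values, and the function names are hypothetical.

```python
# Added example: model of the documented idmap_rid formula, not Samba's code.
import re

# Domain account SID: S-1-5-21-<three domain sub-authorities>-<RID>
SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)$")

# Constructed sample domain identifier (not from the thread).
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
LOW, HIGH = 10000, 19999  # 'idmap config DOMAIN : range' from the posted smb.conf


def split_sid(sid):
    """Return (domain_sid, rid) for a domain account SID, else raise ValueError."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain account SID: {sid!r}")
    sub = [int(x) for x in m.groups()]
    if any(v > 0xFFFFFFFF for v in sub):
        raise ValueError("sub-authority does not fit in 32 bits")
    return "S-1-5-21-" + "-".join(str(v) for v in sub[:3]), sub[3]


def sid_to_unix_id(sid, domain_sid=DOMAIN_SID, low=LOW, high=HIGH, base_rid=0):
    """ID = RID - BASE_RID + LOW_RANGE_ID; None when the SID is not mappable."""
    dom, rid = split_sid(sid)
    if dom != domain_sid:
        return None  # a different domain part means a different domain
    unix_id = rid - base_rid + low
    if rid < base_rid or unix_id > high:
        return None  # falls outside the configured range, so no mapping
    return unix_id


def unix_id_to_sid(unix_id, domain_sid=DOMAIN_SID, low=LOW, high=HIGH, base_rid=0):
    """Reverse direction: RID = ID + BASE_RID - LOW_RANGE_ID."""
    if not low <= unix_id <= high:
        return None
    return f"{domain_sid}-{unix_id + base_rid - low}"


if __name__ == "__main__":
    for rid in (1105, 10500):  # constructed RIDs
        sid = f"{DOMAIN_SID}-{rid}"
        print(sid, "->", sid_to_unix_id(sid))
```

With a 10000-19999 range only RIDs up to 9999 receive an ID; accounts with larger RIDs stay unmapped until the range is widened.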




