[Samba] idmap range and xidNumber

Rowland penny rpenny at samba.org
Sat Feb 29 14:27:07 UTC 2020

On 29/02/2020 14:15, Alexander Kushnirenko via samba wrote:
> Hello,
> There recommended range in Samba share for BUILTIN users is usually (from
> Samba wiki)
> # Default ID mapping configuration for local BUILTIN accounts
> # and groups on a domain member. The default (*) domain:
> # - must not overlap with any domain ID mapping configuration!
> # - must use a read-write-enabled back end, such as tdb.
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
That is for a Unix domain member and is NOT used on a DC
> but if we check for BUIlTIN\administrators in idmap.tdb on PDC we have
No, it isn't a PDC, it is a DC with the PDC-Emulator FSMO role
> # record 59
> dn: CN=S-1-5-32-544
> cn: S-1-5-32-544
> objectClass: sidMap
> objectSid: S-1-5-32-544
> type: ID_TYPE_BOTH
> xidNumber: 3000000
> distinguishedName: CN=S-1-5-32-544
> So xidNumber is our of idmap range.
xidNumber attributes are only used on a DC and, unless you sync 
idmap.ldb between DCs, they can and will be different on each DC.
> Does this mean that the domain is minconfigured?

Possibly, but not for the reason you think, so please post your smb.conf 


More information about the samba mailing list