[Samba] Is Samba 4.9 and "map untrusted to domain" possible anymore?

Rowland penny rpenny at samba.org
Thu Jun 4 14:12:07 UTC 2020

On 04/06/2020 15:07, Harald Hannelius via samba wrote:
> On Thu, 4 Jun 2020, Rowland penny via samba wrote:
>> On 04/06/2020 14:46, Harald Hannelius via samba wrote:
>>> So the best way for me would be to implement the RFC2307/SFU schema 
>>> in the Windows AD "AD", add the same uidNumber for every user in 
>>> "AD" as they had in the old "Samba" domain, and then just join the 
>>> fileservers to the "AD" domain?
>>> Then I change the map-range to be like it was for the "SAD" domain.
>>> It's more like migrating filesystems with users and groups tied to 
>>> files than just migrating users.
>> Yes you could do that, but don't forget groups as well and if you do 
>> not have any groups (usergroups count as no groups), ensure that 
>> Domain Users has a gidNumber inside whatever range you end up with.
> Ouch. I forgot my groups. Have to calculate them in as well.
> And another ouch is I would not be able to utilize my Samba AD which I 
> like much better than the Windows version.
> If I remember correctly, there's no additional idmap range for groups 
> but they are rather inside the same numeric range as users in AD? So I 
> now have duplicate idmap numbers because they originate from users and 
> groups?

Yes, users and groups do use the same range, a user is not a group, so 
you can have a user with the ID 10000 and a group can also have the ID 
10000 e.g. getent passwd rowland

rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash


More information about the samba mailing list