[Samba] ID Mapping

Rowland Penny rpenny at samba.org
Tue Nov 24 08:30:09 UTC 2020

On 24/11/2020 04:51, 王金磊 via samba wrote:
> I followed your steps, my smb.service is inactive
> [root at localhost samba]# id jin
> uid=30000(jin) gid=30000(domain users) groups=30000(domain users),30001(xts)
> And I created a new user in AD, named "0001", and made "xts" the only group and primary group of "0001",
> but I got:
> [root at localhost samba]# id 0001
> uid=30001(0001) gid=30000(domain users) groups=30000(domain users),30001(xts)
> Maybe it is a bug in Samba?

No, it is a bug in your smb.conf, it is incorrectly set.

First, every AD domain user's primary group is Domain Users; all other 
groups a user is a member of are the user's supplementary groups.

I note you are using a Red Hat distro; are you also using sssd? If so, 
I suggest you stop, especially now that you are using Samba 4.10.4. Up 
until Samba 4.8.0 the smbd daemon could 'talk' directly to AD; this was 
stopped at 4.8.0 and now 'smbd' has to go through winbind. This all 
depends on smb.conf being set up correctly.

Your 'idmap config' lines should be similar to these:

idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config TEST : backend = rid
idmap config TEST : range = 10000-999999

That is if you use the winbind 'rid' backend. You can find more info here:



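Added example (not part of the original message and not Samba project code): a small Python check of the 'idmap config' lines above that reports missing or overlapping ranges and shows the ID the 'rid' backend derives from a RID, using the idmap_rid formula ID = RID - BASE_RID + LOW_RANGE_ID. The function names are hypothetical, base_rid is assumed to be at its default of 0, and 513 is the well-known RID of Domain Users.

```python
import re
from itertools import combinations
# Constructed sample: the four 'idmap config' lines from the reply above.
SMB_CONF = """\
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config TEST : backend = rid
idmap config TEST : range = 10000-999999
"""

LINE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*([^=]+?)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(text):
    """Return {domain: {"backend": str, "range": (low, high), ...}}."""
    domains = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1), m.group(2).lower(), m.group(3)
        if key == "range":
            val = tuple(int(x) for x in val.split("-"))
        domains.setdefault(dom, {})[key] = val
    return domains

def check(domains):
    """Return problems: missing default, incomplete entry, bad or overlapping range."""
    problems = [] if "*" in domains else ["no default '*' domain configured"]
    ranges = {}
    for dom, entry in domains.items():
        if "backend" not in entry or "range" not in entry:
            problems.append(f"{dom}: needs both a backend and a range")
        elif entry["range"][0] >= entry["range"][1]:
            problems.append(f"{dom}: range low must be below high")
        else:
            ranges[dom] = entry["range"]
    for (d1, r1), (d2, r2) in combinations(ranges.items(), 2):
        if r1[0] <= r2[1] and r2[0] <= r1[1]:
            problems.append(f"{d1} and {d2}: ranges overlap")
    return problems

def rid_to_id(rid, id_range, base_rid=0):
    """idmap_rid formula: ID = RID - BASE_RID + LOW_RANGE_ID; None if outside the range."""
    low, high = id_range
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None

if __name__ == "__main__":
    print(check(parse_idmap(SMB_CONF)), rid_to_id(513, (10000, 999999)))  # 513 = Domain Users RID
```

With these ranges every member sees the same deterministic IDs for the TEST domain, because the 'rid' backend computes them from the RID instead of allocating them in order of first lookup.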