[Samba] demote ad dc

Andrea Ballarati andrea.ballarati at gmail.com
Sat Aug 21 09:07:33 UTC 2021

Thank you Rowland.
There are no uid# or gid# in DC's smb.conf.
My users are all win machine using domain for authentication and the 
No access is needed locally on the Linux servers (we have 2 file servers 
in sync for security reasons) or on the home directories.
In this scenario what configuration do you suggest?


On 20/08/2021 14:11, Rowland Penny via samba wrote:
> On Fri, 2021-08-20 at 13:56 +0200, andrea ballarati via samba wrote:
>> Hi Rowland,
>> Rfc2307 is active on the main ad dc but, indeed, preserving id is not
>> an issue for my organization.
> rfc2307 being active on the DC is not the same as using the rfc2307
> attributes. If all your users have uidNumber attributes and groups have
> gidNumber attributes, then you can use the winbind 'ad' backend on Unix
> domain members and get the same users and groups as on the DC.
> However, if you just have 'idmap_ldb:use rfc2307  = yes' in a DC's
> smb.conf and no uidNumber or gidNumber attributes in AD, your users &
> groups will be using xidNumber attributes (note, the 'x' in 'xidNumber'
> is just that, an 'x', it doesn't replace anything), these numbers are
> in the '3000000' range and will never be used anywhere but on a DC.
>> So must I reconfigure the file server from scratch?
> Yes, how easy it is depends on whether you have uidNumbers/gidNumbers
> in AD or not.
> Rowland

ing. Andrea Ballarati
andrea.ballarati at gmail.com
mob. 3481424892
