[Samba] Domain member?

Rowland Penny rpenny at samba.org
Tue Oct 26 12:25:07 UTC 2021


On Tue, 2021-10-26 at 14:05 +0200, Joachim Lindenberg via samba wrote:
> Hello Rowland, Louis,
> > You do not have any 'idmap config' lines (I think I mentioned this
> > already)
> You did, and I replied that the documentation suggests I don't need
> it.

It didn't say that and I have altered it.

> I am also not using idmap on my DCs either,

Good, because they wouldn't do anything anyway.

> where OpenSSH works with Kerberos. If there is a fine line in between
> the two setups, then I am missing that in the docs.

OK, a Samba AD DC uses idmap.ldb, where RIDs are mapped to xidNumber
attributes (yes it is xidNumber, not uidNumber or gidNumber), these
attributes can also be 'ID_TYPE_BOTH'. This means that a group can also
be a user, it is like this so groups can own things in Sysvol. You will
also find that the user & group IDs start at 3000000 and these are
only used on a DC.

On a Unix domain member, you need to use the rid, autorid or ad winbind
backend (there are others, but they are the main ones). The rid and
autorid backends calculate the IDs from the user or group RID. The ad
backend will only work if you add the relevant RFC2307 attributes to
AD.

Rowland
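As an added worked example (not part of Rowland's message or of Samba's own code), the following Python reproduces the calculation the idmap_rid winbind backend performs on a domain member, using a constructed smb.conf fragment and constructed SIDs; the formula ID = RID - BASE_RID + LOW_RANGE_ID and the range check follow the idmap_rid(8) man page.

```python
"""Mimic the idmap_rid mapping used by winbind on a Samba domain member.

Added example, not Samba project code.  idmap_rid(8) documents the mapping
    ID = RID - BASE_RID + LOW_RANGE_ID
and rejects any ID that falls outside the configured range.  Users and
groups share one formula; RIDs are unique per domain, so they never collide.
The smb.conf fragment and SIDs below are constructed sample values.
"""
import re

# Constructed smb.conf fragment for a domain member using the rid backend.
SMB_CONF = """
[global]
    workgroup = SAMDOM
    security = ADS
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999
"""


def parse_idmap_config(conf):
    """Return {domain: {key: value}} for every 'idmap config' line."""
    cfg = {}
    pattern = r"idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+)"
    for m in re.finditer(pattern, conf):
        dom, key, val = m.group(1).upper(), m.group(2), m.group(3).strip()
        cfg.setdefault(dom, {})[key] = val
    return cfg


def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-RID' into (domain SID, RID as int)."""
    head, _, rid = sid.rpartition("-")
    return head, int(rid)


def rid_backend_id(cfg, domain, sid):
    """Map a SID to a Unix ID the way idmap_rid does; None if out of range."""
    dcfg = cfg[domain.upper()]
    if dcfg.get("backend") != "rid":
        raise ValueError("domain %s does not use the rid backend" % domain)
    low, high = (int(x) for x in dcfg["range"].split("-"))
    base_rid = int(dcfg.get("base_rid", "0"))  # idmap_rid default is 0
    _, rid = split_sid(sid)
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None
```

A RID whose computed ID lands above the configured high end is refused, which is why the SAMDOM range must be wide enough for the largest RID the domain will ever issue.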