[Samba] Problem idmap_ad

Rowland Penny rpenny at samba.org
Wed Dec 14 09:45:26 UTC 2022

On 14/12/2022 09:14, Balke IT via samba wrote:
> Sorry for the spam. My mailserver got an error message after trying to send via IPV6 four times and then switched back to IPV4. But back to the topic:
> The change to rid is our temporary workaround, nevertheless the version with idmap config DOMAIN:backend = ad gives the problems that I mentioned in my first post, several users can use the shares and others can't without any clue why. They have random (old) unix IDs and other users with a uidNumber between them cannot use the share, loads of logs with loglevel 10 did not give any hint.
> So this is the version that does not give all users access to the shares:
>          idmap config * : backend = tdb
>          idmap config * : range = 117000-117999
>          idmap config DOMAIN:backend = ad
>          idmap config DOMAIN:schema_mode = rfc2307
>          idmap config DOMAIN:range = 1001-116999
>          idmap config DOMAIN:unix_nss_info = no
>          idmap config DOMAIN:unix_primary_group = yes
>          template shell = /bin/bash
>          template homedir = /home/%U
>          kerberos method = secrets and keytab
>          winbind nss info = template
>          winbind use default domain = yes
>          winbind enum users = yes
>          winbind enum groups = yes
> Best Regards
> Matthias Mueller

Lets see if I have got this correct:

Your computer is joined to an AD domain.
You have users in AD with uidNumber attributes.
Domain Users has a gidNumber attribute.
All these '*idNumber' attributes hold numbers inside the '1001-116999' 

Is all that correct ?

can you also post your entire smb.conf


More information about the samba mailing list