[Samba] Problem idmap_ad

Rowland Penny rpenny at samba.org
Wed Dec 14 10:51:11 UTC 2022

On 14/12/2022 10:26, Balke IT via samba wrote:
>> Lets see if I have got this correct:
>> Your computer is joined to an AD domain.
>> You have users in AD with uidNumber attributes.
>> Domain Users has a gidNumber attribute.
>> All these '*idNumber' attributes hold numbers inside the '1001-116999'
>> range.
>> Is all that correct ?
>> can you also post your entire smb.conf
>> Rowland
> Yes, all these are correct including the "Domain Users" which has the gid of 100 which points to the local "users" group.

That could be part of your problem.

If you use the 'ad' idmap backend on a Unix domain member, all uidNumber 
and gidNumber attributes must contain a number inside the DOMAIN range 
you set in smb.conf (in your case 1001-116999), and '100' isn't inside 
your range. What could be happening here is that the users that are having 
problems do not have a gidNumber attribute. They are falling back to the 
primary group 'Domain Users', which, for all intents and purposes, does 
not have a valid gidNumber. This means that, to the 'DOMAIN' domain, 
they do not exist, so they are mapped to the default '*' domain and are 
denied access.

Can you please reply to this post, rather than posting a new post, which 
is what you appear to be doing; this breaks threads.
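The failure mode described in the reply above, as an added worked example that is not part of the thread: a small Python audit that reads the `idmap config ... : range` lines out of an smb.conf fragment and checks each AD account's uidNumber and its effective gidNumber (its own, or the primary group's when the attribute is missing) against the domain's range. The smb.conf text, the domain name SAMDOM, and the user records are constructed for the example; only the 1001-116999 range and the 'Domain Users' gidNumber of 100 come from the thread. It also shows the same records passing once 'Domain Users' is given an in-range gidNumber (10000 here, an assumed value).

```python
"""Audit AD uidNumber/gidNumber attributes against the idmap ranges in smb.conf."""
import re
from typing import Optional

# Constructed smb.conf fragment for a Unix domain member (assumption: the
# domain is called SAMDOM; only the 1001-116999 range comes from the thread).
SMB_CONF = """
[global]
   workgroup = SAMDOM
   security = ADS
   realm = SAMDOM.EXAMPLE.COM
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : schema_mode = rfc2307
   idmap config SAMDOM : range = 1001-116999
   idmap config SAMDOM : unix_nss_info = yes
"""

# Constructed AD records: every value is made up except that 'Domain Users'
# carries gidNumber 100, as reported in the thread.
USERS = [
    {"name": "alice", "uidNumber": 10001, "gidNumber": 10001},
    {"name": "bob",   "uidNumber": 10002, "gidNumber": None},   # no gidNumber set
    {"name": "carol", "uidNumber": 10003, "gidNumber": 100},    # points at local 'users'
    {"name": "dave",  "uidNumber": None,  "gidNumber": 10001},  # no uidNumber set
]
DOMAIN_USERS = {"name": "Domain Users", "gidNumber": 100}
DOMAIN_USERS_FIXED = {"name": "Domain Users", "gidNumber": 10000}  # assumed in-range value

RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.IGNORECASE)


def parse_idmap_ranges(conf: str) -> dict[str, tuple[int, int]]:
    """Return {DOMAIN: (low, high)} for every 'idmap config X : range' line."""
    ranges = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
    return ranges


def effective_gid(user: dict, primary_group: dict) -> Optional[int]:
    """gidNumber the ad backend will use: the user's own, else the primary group's."""
    return user["gidNumber"] if user["gidNumber"] is not None else primary_group["gidNumber"]


def check_user(user: dict, domain: str, ranges: dict, primary_group: dict) -> list[str]:
    """Return a list of problems; an empty list means both ids fall inside the range."""
    low, high = ranges[domain]
    problems = []
    uid = user["uidNumber"]
    if uid is None:
        problems.append("no uidNumber")
    elif not low <= uid <= high:
        problems.append(f"uidNumber {uid} outside {domain} range {low}-{high}")
    gid = effective_gid(user, primary_group)
    if gid is None:
        problems.append("no gidNumber and primary group has none")
    elif not low <= gid <= high:
        src = "own" if user["gidNumber"] is not None else f"primary group '{primary_group['name']}'"
        problems.append(f"gidNumber {gid} ({src}) outside {domain} range {low}-{high}")
    return problems


def audit(users: list, domain: str, conf: str, primary_group: dict) -> dict[str, list[str]]:
    """Map each user name to its list of problems for the given domain and smb.conf."""
    ranges = parse_idmap_ranges(conf)
    return {u["name"]: check_user(u, domain, ranges, primary_group) for u in users}


if __name__ == "__main__":
    print("With Domain Users gidNumber = 100:")
    for name, probs in audit(USERS, "SAMDOM", SMB_CONF, DOMAIN_USERS).items():
        print(f"  {name:6} {'OK' if not probs else '; '.join(probs)}")
    print("With Domain Users gidNumber = 10000:")
    for name, probs in audit(USERS, "SAMDOM", SMB_CONF, DOMAIN_USERS_FIXED).items():
        print(f"  {name:6} {'OK' if not probs else '; '.join(probs)}")
```

Run against the constructed records, 'bob' (no gidNumber of his own) is flagged only because his primary group's gidNumber 100 lies outside 1001-116999; giving 'Domain Users' an in-range gidNumber clears him, while 'carol', whose own gidNumber is 100, stays flagged until her attribute is changed. On a real member, the same comparison is made between the attribute values in AD and the range in the member's smb.conf.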
