[Samba] Problem idmap_ad

Stefan Kania stefan at kania-online.de
Wed Dec 14 11:53:19 UTC 2022

Why do you use idmap-backend ad anyway? Is there a reason not to use the 
backend rid? It's much easier to handle, you don't have to look a 
GidNumber and UidNumer you only need the RID every user has in an Active 

Am 14.12.22 um 10:14 schrieb Balke IT via samba:
> Sorry for the spam. My mailserver got an error message after trying to send via IPV6 four times and then switched back to IPV4. But back to the topic:
> The change to rid is our temporary workaround, nevertheless the version with idmap config DOMAIN:backend = ad gives the problems that I mentioned in my first post, several users can use the shares and others can't without any clue why. They have random (old) unix IDs and other users with a uidNumber between them cannot use the share, loads of logs with loglevel 10 did not give any hint.
> So this is the version that does not give all users access to the shares:
>          idmap config * : backend = tdb
>          idmap config * : range = 117000-117999
>          idmap config DOMAIN:backend = ad
>          idmap config DOMAIN:schema_mode = rfc2307
>          idmap config DOMAIN:range = 1001-116999
>          idmap config DOMAIN:unix_nss_info = no
>          idmap config DOMAIN:unix_primary_group = yes
>          template shell = /bin/bash
>          template homedir = /home/%U
>          kerberos method = secrets and keytab
>          winbind nss info = template
>          winbind use default domain = yes
>          winbind enum users = yes
>          winbind enum groups = yes
> Best Regards
> Matthias Mueller
>> You do not appear to be using the 'ad' idmap backend, you have commented
>> it out.
>> Also, did your finger get stuck, you asked the same question 5 times.
>> Rowland

Stefan Kania
Landweg 13
25693 St. Michaelisdonn

Signieren jeder E-Mail hilft Spam zu reduzieren und schützt Ihre 
Privatsphäre. Ein kostenfreies Zertifikat erhalten Sie unter 

More information about the samba mailing list