[Samba] Problem idmap_ad

edv at balke-hamburg.de edv at balke-hamburg.de
Wed Dec 14 16:33:06 UTC 2022

>On 14/12/2022 10:26, Balke IT via samba wrote:
>>> Let's see if I have got this correct:
>>> Your computer is joined to an AD domain.
>>> You have users in AD with uidNumber attributes.
>>> Domain Users has a gidNumber attribute.
>>> All these '*idNumber' attributes hold numbers inside the '1001-116999'
>>> range.
>>> Is all that correct?
>>> Can you also post your entire smb.conf?
>>> Rowland
>> Yes, all these are correct including the "Domain Users" which has the gid of 100 which points to the local "users" group.

>That could be part of your problem.

>If you use the 'ad' idmap backend on a Unix domain member, all uidNumber 
>and gidNumber attributes must contain a number inside the DOMAIN range 
>you set in smb.conf (in your case 1001-116999) and '100' isn't inside 
>your range. What could be happening here is, the users that are having 
>problems do not have a gidNumber attribute. They are falling back to the 
>primary group 'Domain Users', which, for all intents and purposes, does 
>not have a valid gidNumber. This means that, to the 'DOMAIN' domain, 
>they do not exist, so they are mapped to the default '*' domain and are 
>denied access.

>Can you please reply to this post, rather than posting a new post, which 
>is what you appear to be doing, this breaks threads.


Sorry, but I have no idea why my mailer is destroying the thread. But about the problem with idmap_id:

We use idmap_ad because until recently we had the configuration with Windows SFU (in the meantime migrated to RFC2307) and an older Samba, which was working perfectly fine. As there are thousands of files on three different servers, we cannot simply switch the user IDs.

Tried new groupids starting from 1001, put them into the ads-attributes but still no luck. Some users can correctly access the shares and some can't.

Best Regards

Matthias Mueller
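
Added example, not part of the original thread: a Python check of the range rule described in the quoted reply, flagging uidNumber/gidNumber values that are missing or fall outside the DOMAIN range. The smb.conf fragment, the `*` range and the directory entries are constructed sample data; only the `ad` backend, the `DOMAIN` name, the 1001-116999 range and gid 100 for Domain Users come from the thread.

```python
import re

# Constructed smb.conf fragment. The '*' backend and range are assumptions.
SMB_CONF = """\
[global]
    idmap config * : backend = tdb
    idmap config * : range = 200000-299999
    idmap config DOMAIN : backend = ad
    idmap config DOMAIN : range = 1001-116999
"""

# Constructed directory entries, e.g. as collected from an LDAP export.
ENTRIES = [
    {"name": "Domain Users", "type": "group", "gidNumber": "100"},
    {"name": "staff", "type": "group", "gidNumber": "1001"},
    {"name": "alice", "type": "user", "uidNumber": "5001", "gidNumber": "1001"},
    {"name": "bob", "type": "user", "uidNumber": "5002"},
    {"name": "carol", "type": "user", "uidNumber": "500", "gidNumber": "1001"},
]

def idmap_ranges(conf):
    """Return {domain: (low, high)} from 'idmap config X : range = a-b' lines."""
    pat = re.compile(
        r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
        re.M | re.I,
    )
    return {m[1]: (int(m[2]), int(m[3])) for m in pat.finditer(conf)}

def audit(entries, low, high):
    """List (name, attribute, problem) for IDs that are missing or out of range."""
    findings = []
    for e in entries:
        # Groups only need gidNumber; users are checked for both attributes.
        attrs = ("gidNumber",) if e["type"] == "group" else ("uidNumber", "gidNumber")
        for attr in attrs:
            val = e.get(attr)
            if val is None:
                findings.append((e["name"], attr, "missing"))
            elif not low <= int(val) <= high:
                findings.append((e["name"], attr, f"{val} outside {low}-{high}"))
    return findings

if __name__ == "__main__":
    low, high = idmap_ranges(SMB_CONF)["DOMAIN"]
    for name, attr, problem in audit(ENTRIES, low, high):
        print(f"{name}: {attr} {problem}")
```
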
