[Samba] idmap range

Stefan G. Weichinger lists at xunil.at
Wed Mar 23 10:23:50 UTC 2022

Greetings, it's been a long time since I posted here.

So far everything went smoothly regarding my samba domains.

Today I wanted to edit a GPO and got errors in RSAT ("wrong parameter").
Checked sysvol ACLs, something is wrong.

"sysvolreset" takes a long time and always says:

idmap range not specified for domain '*'


Hmm. Correct. My smb.conf on that DC (4.14.12):

# samba-tool  testparm
INFO 2022-03-23 11:22:14,074 pid:3766171 /usr/lib/python3/dist-packages/samba/netcmd/testparm.py #96: Loaded smb config files from /etc/samba/smb.conf
INFO 2022-03-23 11:22:14,074 pid:3766171 /usr/lib/python3/dist-packages/samba/netcmd/testparm.py #97: Loaded services file OK.
Press enter to see a dump of your service definitions

# Global parameters
	disable spoolss = Yes
	dns forwarder =
	log level = 1
	netbios name = DC2
	printcap name = /dev/null
	realm = MYDOM.AT
	server role = active directory domain controller
	template shell = /bin/bash
	time server = Yes
	usershare path =
	winbind offline logon = Yes
	workgroup = BUERO
	sdb:schema update allowed = no
	idmap_ldb:use rfc2307 = yes

	path = /var/lib/samba/sysvol/pilsbacher.at/scripts
	read only = No

	path = /var/lib/samba/sysvol
	read only = No


What do I set idmap range to while NOT breaking the existing users/groups?

Will that help me to get correct ACL editing perms again?

thanks, regards, Stefan
