[Samba] AD/RID backends and group mappings on member

Rowland Penny rpenny at samba.org
Wed Mar 23 16:26:52 UTC 2022


On Wed, 2022-03-23 at 17:01 +0100, L.P.H. van Belle via samba wrote:
> Hai, 
> 
> I'm wondering, I'm testing a bit with backends AD and RID.
> 
> This part of the smb.conf 
> 
>     ## Map id's outside the ADDOM to tdb files.
>     idmap config * : backend = tdb
>     idmap config * : range = 2000-9999
> 
>     ## Backend AD
>     ## map ids from the domain  the range may not overlap !
> #    idmap config ADDOM : backend = ad
> #    idmap config ADDOM : schema_mode = rfc2307
> #    idmap config ADDOM : range = 10000-3999999
> #    idmap config ADDOM : unix_primary_group = yes
> #    idmap config ADDOM : unix_nss_info = yes
> 
>     ## Backend RID
>     ## map ids from the domain  the range may not overlap !
>     idmap config ADDOM : backend = rid
>     idmap config ADDOM : range = 10000-3999999
>     ## Template settings for login shell and home directory
>     template shell = /bin/bash
>     template homedir = /home/%U
> 
> Before restart and after I change the backend, I run: net cache flush
> 
> If I run my server in a RID backend setup and I check my group
> mappings. 
> net groupmap list
> Guests (S-1-5-32-546) -> BUILTIN\guests
> Administrators (S-1-5-32-544) -> BUILTIN\administrators
> Users (S-1-5-32-545) -> 2001
> 
> And again but with the AD backend enabled. 
> net groupmap list
> Guests (S-1-5-32-546) -> BUILTIN\guests
> Administrators (S-1-5-32-544) -> 2000
> Users (S-1-5-32-545) -> BUILTIN\users
> 
> 
> Can someone explain why I see 2 different things here, 
> shouldn't these BUILTIN not be the same. 
> 
> What am I missing here?

I have no idea what you are missing :-)

Using the winbind 'ad' idmap backend on one Unix domain member:

sudo net groupmap list
Guests (S-1-5-32-546) -> BUILTIN\guests
Administrators (S-1-5-32-544) -> BUILTIN\administrators
Users (S-1-5-32-545) -> BUILTIN\users

Using the winbind 'rid' idmap backend on another:

sudo net groupmap list
Guests (S-1-5-32-546) -> BUILTIN\guests
Administrators (S-1-5-32-544) -> BUILTIN\administrators
Users (S-1-5-32-545) -> BUILTIN\users

I do not get numbers at all.

Some form of cache problem?

Rowland
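
Added example, not part of the original thread and not Samba code: a small Python check that reads the active `idmap config` ranges from an smb.conf fragment, verifies they do not overlap, and reports which idmap range any BUILTIN group shown as a bare number in `net groupmap list` falls into. The sample inputs are constructed from the configuration and RID-backend output quoted above; the function names are hypothetical.

```python
import re

# Constructed sample input: the active idmap lines and the RID-backend
# groupmap output quoted in the thread above.
SMB_CONF = """\
idmap config * : backend = tdb
idmap config * : range = 2000-9999
#    idmap config ADDOM : backend = ad
idmap config ADDOM : backend = rid
idmap config ADDOM : range = 10000-3999999
"""
GROUPMAP = """\
Guests (S-1-5-32-546) -> BUILTIN\\guests
Administrators (S-1-5-32-544) -> BUILTIN\\administrators
Users (S-1-5-32-545) -> 2001
"""

def idmap_ranges(conf):
    """Return {domain: (low, high)} from uncommented 'idmap config' range lines."""
    ranges = {}
    for line in conf.splitlines():
        line = line.strip()
        if line.startswith(("#", ";")):  # commented-out settings are inactive
            continue
        m = re.match(r"idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)$", line, re.I)
        if m:
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges

def overlaps(ranges):
    """Return pairs of idmap domains whose ID ranges intersect."""
    items = sorted(ranges.items())
    return [(a, b) for i, (a, (alo, ahi)) in enumerate(items)
            for b, (blo, bhi) in items[i + 1:] if alo <= bhi and blo <= ahi]

def numeric_mappings(groupmap, ranges):
    """Return (name, sid, gid, idmap domain) for entries shown as a bare number."""
    found = []
    for line in groupmap.splitlines():
        m = re.match(r"(.+?) \((S-[\d-]+)\) -> (\d+)\s*$", line)
        if m:
            gid = int(m.group(3))
            dom = next((d for d, (lo, hi) in ranges.items() if lo <= gid <= hi), None)
            found.append((m.group(1), m.group(2), gid, dom))
    return found

if __name__ == "__main__":
    r = idmap_ranges(SMB_CONF)
    print("overlapping ranges:", overlaps(r) or "none")
    for name, sid, gid, dom in numeric_mappings(GROUPMAP, r):
        print(f"{name} ({sid}) -> gid {gid}, inside idmap range of {dom!r}")
```

Running it on both members and comparing the results shows whether the numeric entries sit in the `*` range on one host only, which is useful to know before and after `net cache flush`.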




