[Samba] Migrate and Update (Samba 4.1 ADDC to Samba Latest Version on different Server).

Rowland Penny rpenny at samba.org
Thu Nov 24 16:57:50 UTC 2022

On 24/11/2022 15:54, Juan Ignacio wrote:
> Are you sure that there aren't any other 'idmap config' lines ?
> I would have expected lines for your DOMAIN
> All the lines on the member file server are these.
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
>
> #WINBIND
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = yes
> winbind use default domain = yes
> winbind cache time = 60
>
> # Default ID mapping configuration for local BUILTIN accounts
> # and groups on a domain member. The default (*) domain:
> # - must not overlap with any domain ID mapping configuration!
> # - must use a read-write-enabled back end, such as tdb.
> # - Adding just this is not enough
> # - You must set a DOMAIN backend configuration, see below
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
>
> username map = /usr/local/samba/etc/user.map
> The whole idea behind syncing idmap.ldb between DC's is to ensure
> that they all use the ID's.
> Yea but I have some differences between the ad-dc and member dc,

What is a 'member dc' ??

In Samba AD, you have DC's (which are all equal except for the FSMO
roles, this includes RODC's) and Unix & Windows domain members.

The domain members get their ID's from the DC's, Windows uses the RID
and Unix uses whatever winbind idmap backend that is chosen.

If your 'member dc' is just another DC, then that smb.conf is not valid
because you do not use the 'idmap config' lines in a DC smb.conf.

If your 'member dc' is actually a Unix domain member, then that smb.conf
is not valid because there are no 'DOMAIN' 'idmap config' lines.
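
Added example, not part of the original message and not Samba project code: a small checker that applies the two rules stated in the reply above (no 'idmap config' lines on a DC, DOMAIN 'idmap config' lines required on a Unix domain member) plus the no-overlap rule from the quoted smb.conf comment. The `[global]` header, `security = ads`, the domain name SAMDOM, the `rid` backend and its range are assumptions used as constructed sample input.

```python
import re
IDMAP_KEY = re.compile(r"idmap\s+config\s+(\S+?)\s*:\s*(.+)", re.I)

def parse_global(text):
    """Split the [global] section into plain parameters and idmap config entries."""
    params, idmap, section = {}, {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            m = IDMAP_KEY.fullmatch(key)
            if m:  # idmap config DOMAIN : option = value
                idmap.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = value
            else:
                params[" ".join(key.lower().split())] = value
    return params, idmap

def span(value):
    return tuple(int(n) for n in value.split("-"))  # "3000-7999" -> (3000, 7999)

def check_idmap(text):
    """Return findings for the DC and Unix-domain-member rules from the reply."""
    params, idmap = parse_global(text)
    if params.get("server role", "").lower() == "active directory domain controller":
        return ["DC: 'idmap config' lines are not used"] if idmap else []
    if params.get("security", "").lower() != "ads":
        return []  # not an AD domain member, the rules do not apply
    domains = [d for d in idmap if d != "*"]
    findings = [] if domains else ["member: no DOMAIN 'idmap config' lines"]
    default = idmap.get("*", {}).get("range")
    for d in domains:
        if default and "range" in idmap[d]:
            (lo, hi), (dlo, dhi) = span(default), span(idmap[d]["range"])
            if dlo <= hi and lo <= dhi:
                findings.append(f"member: {d} range overlaps the default (*) range")
    return findings

# Constructed samples; SAMDOM, the rid backend and its range are placeholders.
MEMBER_AS_POSTED = ("[global]\nsecurity = ads\n"
                    "idmap config * : backend = tdb\nidmap config * : range = 3000-7999\n")
MEMBER_WITH_DOMAIN = MEMBER_AS_POSTED + ("idmap config SAMDOM : backend = rid\n"
                                         "idmap config SAMDOM : range = 10000-999999\n")
DC_WITH_IDMAP = ("[global]\nserver role = active directory domain controller\n"
                 "idmap config * : backend = tdb\n")
if __name__ == "__main__":
    for name in ("MEMBER_AS_POSTED", "MEMBER_WITH_DOMAIN", "DC_WITH_IDMAP"):
        print(name, check_idmap(globals()[name]))
```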

