[Samba] Change (fix) idmap config

Rowland Penny rpenny at samba.org
Fri Oct 14 15:00:31 UTC 2022

On 14/10/2022 15:45, Lorenzo Milesi via samba wrote:
> Hi.
> We made a mistake in configuring two file servers, by putting the realm instead of the workgroup in idmap config (below). For this reason, now we get different ids when running `getent passwd` on the two servers...
> What's the best way to recover, considering we have users connecting via shares and ssh? Unjoin the server, adjust config, join again, chown?
> thanks
>     workgroup = LIGHT
>     realm = WDC.DOMAIN.IT
>     security = ads
>     idmap config * : range = 16777216-33554431
>     winbind separator = +
>     template homedir = /home/%U
>     template shell = /bin/bash
>     kerberos method = secrets only
>     winbind use default domain = true
>     winbind offline logon = false
> #--authconfig--end-line--
>    idmap config *:backend = tdb
>    idmap config *:range = 700001-800000
>    idmap config WDC.DOMAIN.IT:backend  = rid
>    idmap config WDC.DOMAIN.IT:range  = 10000-700000

I take it that all your users now have IDs in the 700001-800000 range.
You can just change the last two lines to use the NetBIOS domain name
(aka workgroup) and restart Samba, but this is going to change all your
user & group IDs on that Unix domain member.

I would also remove the first 'idmap config *' line; luckily it will
have been overridden by the second one.

Your other method will be to create a new Unix domain member with a 
correct smb.conf and then get your users to copy the files etc across 
via Samba.

If you are going to use authconfig on Red Hat, I would suggest you run
it first (before starting Samba), then fix its many mistakes.
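
The reply above notes that correcting the idmap lines changes every user and group ID on the member. As an added example (not part of the original thread), this shell script compares `getent passwd` dumps saved before and after the change, flags UIDs that would pass to a different account, and prints the chown commands for review; the function names, file names and sample accounts are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: plan a UID remap after an idmap change on a domain member.
# Inputs are two `getent passwd` dumps, saved before and after the change.

# uid_remap OLD NEW: print "old_uid new_uid name" for each account whose UID changed.
uid_remap() {
    awk -F: '
        NR == FNR { old[$1] = $3; next }     # first file: name -> old UID
        ($1 in old) && old[$1] != $3 { print old[$1], $3, $1 }
    ' "$1" "$2" | sort -n
}

# uid_collisions OLD NEW: print "uid old_name new_name" where a UID now maps to
# a different account. Files left behind under such a UID change owner silently.
uid_collisions() {
    awk -F: '
        NR == FNR { owner[$3] = $1; next }   # first file: old UID -> name
        ($3 in owner) && owner[$3] != $1 { print $3, owner[$3], $1 }
    ' "$1" "$2" | sort -n
}

# chown_plan OLD NEW DIR: print (never run) one find command per remapped UID.
chown_plan() {
    uid_remap "$1" "$2" | while read -r old new name; do
        printf "find '%s' -xdev -uid %s -exec chown -h %s {} +  # %s\n" \
            "$3" "$old" "$new" "$name"
    done
}

# write_samples DIR: constructed sample dumps (not taken from the thread).
write_samples() {
    cat > "$1/passwd.before" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:*:700001:700003::/home/alice:/bin/bash
bob:*:700002:700003::/home/bob:/bin/bash
EOF
    cat > "$1/passwd.after" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:*:11105:10513::/home/alice:/bin/bash
bob:*:11106:10513::/home/bob:/bin/bash
EOF
}
```

The same comparison works on `getent group` dumps, since the GID is also the third field; for groups the plan would use `-gid` and `chgrp -h` instead.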
