[Samba] both Samba-4.9.5 AD DC upgrade to Samba current (4.22.*) - questions

Rowland Penny rpenny at samba.org
Mon Jun 30 10:46:21 UTC 2025


On Mon, 30 Jun 2025 12:17:10 +0200
Franta Hanzlík via samba <samba at lists.samba.org> wrote:

> On Mon, 30 Jun 2025 07:15:29 +0100
> Luis Peromarta via samba <samba at lists.samba.org> wrote:
> 
> > Rfc2307 is not needed in DCs even if you use it for AD idmapping in
> > your member server.
> > 
> > See linked page for explanations and what it implies for a DC.
> 
> Luis, thank you for the clarification. I still have some ambiguities,
> but from what you write and the links you sent, it seems that:
> 
> - the important thing is not to do DC provisioning with a
> "--use-rfc2307" option (and thus not to have "idmap config
> DOMAIN:backend = ad" in smb.conf).
> 
> - even so, the AD DB will contain a user entry uidNumber,
> homeDirectory, loginShell and group entry gidNumber - which I can
> (but don't have to) fill in manually (and the Samba DC itself perhaps
> does not fill them).
> 
> - on a Linux fileserver which is an AD member I can use "ad" idmap - but
> in this case at least uidNumber and gidNumber must be filled in manually
> (for homedir and shell, templates can be used), as the idmap_ad man page
> says:
> 
> "Mappings must be provided in advance by the administrator by adding
> the uidNumber attributes for users and gidNumber attributes for
> groups in the AD. Winbind will only map users that have a uidNumber
> and whose primary group have a gidNumber attribute set. It is however
> recommended that all groups in use have gidNumber attributes
> assigned, otherwise they are not working."
> 
> - or I can use rid mapping on Linux server members, which does
> algorithmic mapping to get the Unix UID and GID.
> 
> 
> From all this, it seems to me that using rid idmap is an easier and
> error-free choice of ID mapping. Can you agree with that?
> 

I thought I already said that, the 'rid' idmap backend works by using
this equation:

ID = RID - BASE_RID + LOW_RANGE_ID

Where:
'RID' is the account's RID in AD (totally unique in a domain) e.g. 1104
'BASE_RID' is no longer used and defaults to 0
'LOW_RANGE_ID' is what you have set in the 'idmap config DOMAIN' line
in the smb.conf e.g. if you have 'idmap config SAMDOM : range =
10000-999999' set in your smb.conf , then 'LOW_RANGE_ID' would be
'10000' for the 'SAMDOM' domain.

This leads to:

ID = 1104 - 0 + 10000

Which becomes:
ID = 11104

There are also two template lines, 'template homedir' & 'template
shell', in smb.conf. They default to '/home/%D/%U' & '/bin/false'
respectively; while you can set them to whatever you require, they do
affect all users that connect to that computer.

Rowland
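As an added illustration of the 'rid' calculation described above (example code, not from the list post or from Samba itself), the following parses the 'idmap config' lines of a constructed smb.conf fragment, applies ID = RID - BASE_RID + LOW_RANGE_ID together with the range check winbind performs on the result, and reports idmap ranges that overlap:

```python
import re

# Constructed smb.conf fragment (not from the original post). The SAMDOM
# range is the one quoted in the thread; '*' is winbind's default domain.
SMB_CONF = """
[global]
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(\S+)", re.M)

def parse_idmap_config(conf):
    """Return {domain: {'backend': ..., 'range': (low, high)}} from smb.conf text."""
    domains = {}
    for dom, key, value in IDMAP_RE.findall(conf):
        entry = domains.setdefault(dom, {})
        if key == "range":
            low, high = (int(x) for x in value.split("-"))
            entry["range"] = (low, high)
        else:
            entry[key] = value
    return domains

def rid_to_id(rid, low_range_id, high_range_id, base_rid=0):
    """ID = RID - BASE_RID + LOW_RANGE_ID, as the rid backend computes it.
    Returns None when the result lands outside the configured range: winbind
    then leaves that account unmapped (it is not a valid Unix user)."""
    xid = rid - base_rid + low_range_id
    if xid < low_range_id or xid > high_range_id:
        return None
    return xid

def overlapping_ranges(domains):
    """Return pairs of domains whose ID ranges intersect. All idmap ranges,
    '*' included, must be disjoint or winbind cannot tell which domain a
    given UID/GID belongs to."""
    names = sorted(d for d in domains if "range" in domains[d])
    clashes = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            a_lo, a_hi = domains[a]["range"]
            b_lo, b_hi = domains[b]["range"]
            if a_lo <= b_hi and b_lo <= a_hi:
                clashes.append((a, b))
    return clashes
```

With the SAMDOM range above, rid_to_id(1104, 10000, 999999) gives 11104, matching the worked figure in the post, while a RID that pushes the result past 999999 is reported as unmapped.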