Samba 3.6 idmap

I have a couple of file servers in my network running Samba 3.6 as member servers. At some point you will want the UID/GID mappings to be the same on every machine, so that file ownership stays correct when you move data between them. The way to make this work is with the idmap configuration. I hadn’t done this and in my stupidity had created a second file server that couldn’t move files to and from the first. IDIOT!

In Samba 3.6 idmap was completely rewritten, as it was a bit broken before then, and it’s actually quite simple to get all your machines using the same UIDs/GIDs. The way to do this is the idmap_rid backend. From the Samba docs:

The idmap_rid facility is a new tool that, unlike native winbind, creates a predictable mapping of MS Windows SIDs to UNIX UIDs and GIDs

If you have already set up your file server without using idmap_rid, you can change how it works by adding the following lines to the global section of your Samba conf file, replacing or removing existing lines as required.


workgroup = MYDOMAIN
password server = pdc.mydomain.com
encrypt passwords = Yes
realm = MYDOMAIN.COM
security = ads
allow trusted domains = false
idmap config * : backend = tdb
idmap config * : range = 10001-20000
idmap config MYDOMAIN : backend = rid
idmap config MYDOMAIN : range = 5000-10000
idmap config MYDOMAIN : base_rid = 0

I’m not sure if this step is needed, but I removed the member server from the domain. Then I restarted samba and winbind, rejoined the member server, and I was still getting the old IDs. I realised that winbind was caching the old IDs, and no matter what I did I couldn’t work out how to update them. After searching around for quite a while I found this blog post from Alex Cline. The commands are very straightforward.

 net cache flush 

It’s really that simple. I found posts all over the place talking about killing the Samba data directory in /var/lib/samba and that all sounded a little crazy. I’m glad it’s as simple as that. To test that this worked, just run the following command to see the new ID from winbind.

 id -u username 

This should output your new RID-generated ID.
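
To know which value to expect from id -u on every server, you can compute it ahead of time. The following is an added example, not part of the original post: it applies the formula from the idmap_rid man page (ID = RID - base_rid + low end of range) to the MYDOMAIN settings above and flags RIDs that land outside the range, which winbind will not map. The function name and the sample SIDs are made up for illustration.

```shell
#!/bin/sh
# Added example: predict the UNIX ID idmap_rid assigns to a SID.
# Formula from idmap_rid(8): ID = RID - base_rid + low end of range.
# Values mirror the "idmap config MYDOMAIN" lines in the config above.
LOW=5000
HIGH=10000
BASE_RID=0

# rid_to_unix_id SID (hypothetical helper)
# Prints the mapped ID. Returns 1 if the result falls outside the
# configured range, 2 if the argument does not end in a numeric RID.
rid_to_unix_id() {
    sid=$1
    rid=${sid##*-}            # the RID is the last sub-authority of the SID
    case $rid in
        ''|*[!0-9]*) echo "not a SID: $sid" >&2; return 2 ;;
    esac
    id=$((rid - BASE_RID + LOW))
    if [ "$id" -lt "$LOW" ] || [ "$id" -gt "$HIGH" ]; then
        echo "RID $rid maps to $id, outside $LOW-$HIGH" >&2
        return 1
    fi
    echo "$id"
}

# Constructed sample SIDs (the domain part is made up).
DOM=S-1-5-21-1111111111-2222222222-3333333333
rid_to_unix_id "$DOM-1105"          # 6105
rid_to_unix_id "$DOM-513"           # 5513 (513 is the Domain Users RID)
rid_to_unix_id "$DOM-5001" || true  # out of range: would not be mapped
```

With range = 5000-10000 and base_rid = 0, only RIDs up to 5000 fit, so a domain that has issued higher RIDs needs a wider range, set identically on every server.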

Rinse and repeat for any other servers you might have.
