Samba 3.6 idmap

I have a couple of file servers in my network running Samba 3.6 as member servers. Something you will want to get going at some point is syncing the UID/GID across the machines, so that if you want to move the data around the UIDs/GIDs are the same. The way to make this work is with the idmap configurations. I hadn’t done this and in my stupidity had created a second file server that couldn’t move files to and from the first. IDIOT!

In Samba 3.6 idmap was completely rewritten, as it was a bit broken before then, and it’s actually quite simple to have your machines all talking the same UID/GID. The way to do this is to use the idmap_rid system. From the Samba docs:

The idmap_rid facility is a new tool that, unlike native winbind, creates a predictable mapping of MS Windows SIDs to UNIX UIDs and GIDs

If you have already set up your file server without using idmap_rid, you can change how it works by adding the following lines to the global section of your Samba conf file, replacing or removing existing lines as required.


workgroup = MYDOMAIN
password server = pdc.mydomain.com
encrypt passwords = Yes
realm = MYDOMAIN.COM
security = ads
allow trusted domains = false
idmap config * : backend = tdb
idmap config * : range = 10001-20000
idmap config MYDOMAIN : backend = rid
idmap config MYDOMAIN : range = 5000-10000
idmap config MYDOMAIN : base_rid = 0

I’m not sure if this step is needed, but I removed the member server from the domain. Then I restarted samba and winbind, rejoined the member server, and I was still getting the old IDs. I realised that winbind was caching the old IDs and no matter what I did I couldn’t work out how to update them. After searching around for quite a while I found this blog post from Alex Cline. The commands are very straightforward.

 net cache flush 

It’s really that simple. I found posts all over the place talking about killing the samba data directory in /var/lib/samba and that all sounded a little crazy. I’m glad it’s as simple as that. To test that this worked, just run the following command to see the new ID from winbind.

 id -u username 

This should output your new RID-generated ID.
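
Because idmap_rid is deterministic, you can work out the UID a server should report before comparing machines. The following is an added example, not part of the original post or of Samba: it applies the formula from the idmap_rid man page (ID = RID - BASE_RID + LOW_RANGE_ID) to the range and base_rid configured above. The function names are made up for the example and the SIDs are constructed.

```shell
#!/bin/sh
# Added example: predict the Unix ID that idmap_rid assigns to a SID.
# Formula from the idmap_rid man page: ID = RID - BASE_RID + LOW_RANGE_ID
# Defaults mirror the smb.conf above: range = 5000-10000, base_rid = 0.

# rid_of_sid SID: print the last sub-authority of the SID (the RID)
rid_of_sid() {
    case "$1" in
        S-1-*-*) printf '%s\n' "${1##*-}" ;;
        *) echo "not a SID: $1" >&2; return 2 ;;
    esac
}

# expected_id SID [LOW] [HIGH] [BASE_RID]
# Prints the predicted ID; returns 1 when it falls outside the range,
# in which case the rid backend leaves the SID unmapped.
expected_id() {
    low=${2:-5000}; high=${3:-10000}; base=${4:-0}
    rid=$(rid_of_sid "$1") || return 2
    case "$rid" in ''|*[!0-9]*) echo "bad RID in $1" >&2; return 2 ;; esac
    id=$((rid - base + low))
    if [ "$id" -lt "$low" ] || [ "$id" -gt "$high" ]; then
        echo "RID $rid -> $id is outside $low-$high" >&2
        return 1
    fi
    printf '%s\n' "$id"
}

# check_user NAME: compare the prediction with what this host reports.
# Needs a running winbind; wbinfo -n prints "<SID> <type>".
check_user() {
    sid=$(wbinfo -n "$1" | cut -d' ' -f1)
    want=$(expected_id "$sid") || return 1
    have=$(id -u "$1") || return 2
    if [ "$want" = "$have" ]; then
        echo "$1: uid $have matches"
    else
        echo "$1: uid $have, expected $want (stale winbind cache?)" >&2
        return 1
    fi
}

# Constructed SIDs, not from a real domain.
expected_id S-1-5-21-1111111111-2222222222-3333333333-1105          # prints 6105
expected_id S-1-5-21-1111111111-2222222222-3333333333-5200 || true  # out of range
```

With this range and base_rid = 0, only RIDs up to 5000 fit inside 5000-10000. Running check_user for the same account on each member server should give the same UID everywhere.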

Rinse and repeat for any other servers you might have.