Do not use any of these idmap backends on a Domain Controller. Domain Controllers use their own `idmap.ldb` for ID mapping, which is only valid and used on a DC.
Active Directory stores various data for each object: usernames, names, passwords, and a unique Windows RID (Relative Identifier). See this link for an explanation of SIDs and RIDs.
A Samba DC manages all these mappings transparently.
However, UNIX systems like file or print servers don’t understand SIDs or RIDs — they only deal with UIDs and GIDs. Samba's `winbind` service bridges this gap by mapping Windows AD identities to UNIX identities, enabling your server to function as a true AD member.
ID mapping is essential in mixed environments where Linux and Windows systems need to share resources. There are several backends available. For an in-depth explanation, see: Choosing an idmap backend on the Samba Wiki
Here, we focus on the two most relevant options:
- `rid` — recommended in most cases
- `ad` — required only if you need per-user login shells and home paths
Let's assume your member server is intended for file or print sharing.
AD users can also log in to member servers (e.g., via SSH), and this affects your choice.
```text
+---------------------------------------------+
| Do you want your users to be able to        |
| log in to your member server (e.g. ssh)?    |
+---------------------------------------------+
             |                          |
          No |                          | Yes
             v                          v
+-------------------------------+   +----------------------------------+
| Use RID (default login shell  |   | Do you need your users to have   |
| is /bin/false so no login)    |   | different login shells and home  |
+-------------------------------+   | directories on the member server?|
                                    +----------------------------------+
                                               |                      |
                                            No |                      | Yes
                                               v                      v
                               +--------------------------------+   +---------------------------+
                               | Use RID and specify login      |   | Use AD and specify login  |
                               | shell and Unix home directory  |   | shell and Unix home       |
                               | path in smb.conf               |   | directory in AD RFC2307   |
                               +--------------------------------+   | attributes per user       |
                                                                    +---------------------------+
```
The `rid` backend calculates UIDs and GIDs based on the user's Windows RID and a defined range in `smb.conf`. It is simple and predictable.
Using `rid`:
Recommended for most file/print servers that don't require Unix logins.
Use this configuration in `/etc/samba/smb.conf`:
```ini
# Default ID mapping configuration for local BUILTIN accounts
idmap config * : backend = tdb
idmap config * : range = 3000-7999

# idmap config for the MAD domain using the rid backend
idmap config MAD : backend = rid
idmap config MAD : range = 10000-999999
```
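To make the "simple and predictable" part concrete, here is an added example (not Samba's own code) that parses the idmap lines above, checks that the `*` default block exists and that no two ranges overlap, and applies the rule the `rid` backend uses: UNIX id = RID − `base_rid` + low end of the range (`base_rid` defaults to 0), with any result outside the range left unmapped. The MAD domain SID is a constructed sample, not a real domain's SID.

```python
"""Added example, not Samba code: model of the rid backend's SID -> UID/GID rule."""
import re

# The page's own rid configuration.
SMB_CONF = """
# Default ID mapping configuration for local BUILTIN accounts
idmap config * : backend = tdb
idmap config * : range = 3000-7999
# idmap config for the MAD domain using the rid backend
idmap config MAD : backend = rid
idmap config MAD : range = 10000-999999
"""

# Constructed sample domain SID for MAD (assumption: any S-1-5-21-... value works here).
MAD_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

IDMAP_LINE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$")


def parse_idmap(conf):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_LINE.match(line)
        if m:
            dom, opt, val = m.groups()
            domains.setdefault(dom, {})[opt] = val
    return domains


def id_range(domains, dom):
    """The (low, high) range configured for a domain block."""
    low, high = domains[dom]["range"].split("-")
    return int(low), int(high)


def check_ranges(domains):
    """List config problems: no '*' default block, or two ranges that overlap."""
    problems = []
    if "*" not in domains:
        problems.append("no 'idmap config *' default block")
    ranges = {d: id_range(domains, d) for d in domains if "range" in domains[d]}
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (al, ah), (bl, bh) = ranges[a], ranges[b]
            if al <= bh and bl <= ah:
                problems.append(f"ranges of {a} and {b} overlap")
    return problems


def rid_to_unix_id(domains, dom, domain_sid, sid):
    """Map `sid` to a UNIX id under the rid backend of `dom`, or None if unmapped."""
    cfg = domains[dom]
    if cfg.get("backend") != "rid":
        raise ValueError(f"{dom} does not use the rid backend")
    prefix, _, rid = sid.rpartition("-")
    if prefix != domain_sid:          # SID belongs to another domain: not covered here
        return None
    low, high = id_range(domains, dom)
    unix_id = int(rid) - int(cfg.get("base_rid", 0)) + low
    return unix_id if low <= unix_id <= high else None


if __name__ == "__main__":
    d = parse_idmap(SMB_CONF)
    print(check_ranges(d))                                                  # []
    print(rid_to_unix_id(d, "MAD", MAD_DOMAIN_SID, MAD_DOMAIN_SID + "-1105"))  # 11105
```

The overlap check is the one worth keeping around: if the `*` range ever grows into the MAD range, two different SIDs can receive the same UID, which is a file-ownership problem rather than just a cosmetic one.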
For most setups in this Samba Notebook, `rid` is the preferred choice.
Use the `ad` backend only if you need per-user login shells and home directories, stored as RFC2307 attributes on each user in AD.
This backend is more complex: if the RFC2307 attributes are missing, AD users will not be recognized by the member server.
Use another admin user in “Domain Admins” for administrative tasks. Avoid using the `Administrator` AD account directly.
If you really must map `Administrator` to `root`, configure:
In `/etc/samba/smb.conf`:
```ini
username map = /etc/samba/user.map
min domain uid = 0
```
In `/etc/samba/user.map`:
```text
!root = MAD\Administrator
```
When working directly on the server (in Linux), always use `root`, not `Administrator`.
Use this configuration for the `ad` backend in your member server's `smb.conf`:
```ini
# Default ID mapping configuration for local BUILTIN accounts
idmap config * : backend = tdb
idmap config * : range = 3000-7999

# idmap config for the MAD domain using the ad backend
idmap config MAD : backend = ad
idmap config MAD : range = 10000-999999
idmap config MAD : schema_mode = rfc2307
idmap config MAD : unix_nss_info = yes

# If using 'Administrator' mapping
#username map = /etc/samba/user.map
#min domain uid = 0
```
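The following added example (not Samba code) models what the `ad` configuration above and the `user.map` file from the `Administrator` section actually require from the directory: with `schema_mode = rfc2307` each user needs `uidNumber` and `gidNumber` inside the configured range, and with `unix_nss_info = yes` `loginShell` and `unixHomeDirectory` are read from AD too, falling back to Samba's `template shell` (`/bin/false`) and `template homedir` (`/home/%D/%U`) defaults when absent. The AD entries are constructed samples; the `username map` handling covers only plain names with the `!` stop marker, not wildcards or group syntax.

```python
"""Added example, not Samba code: what the ad backend and a username map need per user."""

# The ad section of the page's smb.conf, as a dict (the range already split).
IDMAP_MAD = {
    "backend": "ad",
    "range": (10000, 999999),
    "schema_mode": "rfc2307",
    "unix_nss_info": "yes",
}

# Constructed AD objects keyed by sAMAccountName. The attribute names are the
# real RFC2307 attributes the ad backend reads; the values are made up.
AD_USERS = {
    "alice": {"uidNumber": "10001", "gidNumber": "10000",
              "loginShell": "/bin/bash", "unixHomeDirectory": "/home/MAD/alice"},
    "bob":   {"uidNumber": "10002", "gidNumber": "10000"},   # no shell/home attributes
    "carol": {"gidNumber": "10000"},                         # uidNumber missing
    "dave":  {"uidNumber": "500", "gidNumber": "10000"},     # uid outside the range
}

# Samba's defaults for 'template shell' and 'template homedir' (assumed unchanged in smb.conf).
TEMPLATE_SHELL = "/bin/false"
TEMPLATE_HOMEDIR = "/home/%D/%U"

# The page's user.map content.
USER_MAP = "!root = MAD\\Administrator\n"


def resolve_ad_user(name, domain="MAD", cfg=IDMAP_MAD, directory=AD_USERS):
    """Return a passwd-like dict for `name`, or None when the ad backend cannot map it."""
    if cfg["backend"] != "ad" or cfg["schema_mode"] != "rfc2307":
        raise ValueError("this model covers only backend = ad with schema_mode = rfc2307")
    entry = directory.get(name)
    if entry is None or "uidNumber" not in entry or "gidNumber" not in entry:
        return None                       # RFC2307 attributes missing: user is unknown
    uid, gid = int(entry["uidNumber"]), int(entry["gidNumber"])
    low, high = cfg["range"]
    if not (low <= uid <= high and low <= gid <= high):
        return None                       # ids outside the configured range are ignored
    if cfg["unix_nss_info"] == "yes":
        shell = entry.get("loginShell", TEMPLATE_SHELL)
        home = entry.get("unixHomeDirectory", TEMPLATE_HOMEDIR)
    else:
        shell, home = TEMPLATE_SHELL, TEMPLATE_HOMEDIR
    home = home.replace("%D", domain).replace("%U", name)
    return {"name": f"{domain}\\{name}", "uid": uid, "gid": gid, "shell": shell, "home": home}


def apply_username_map(user_map, windows_name):
    """Apply 'unixname = winname ...' lines; a leading '!' stops at the first match."""
    name = windows_name
    for line in user_map.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        unix_name, _, windows_names = line.partition("=")
        unix_name = unix_name.strip()
        stop_on_match = unix_name.startswith("!")
        unix_name = unix_name.lstrip("!").strip()
        if name.lower() in (w.lower() for w in windows_names.split()):
            name = unix_name
            if stop_on_match:
                break
    return name


if __name__ == "__main__":
    for user in AD_USERS:
        print(user, resolve_ad_user(user))
    print(apply_username_map(USER_MAP, "MAD\\Administrator"))   # root
```

Running it shows the failure mode the text warns about: `carol` (no `uidNumber`) and `dave` (uid 500, below the range) resolve to `None`, which is exactly the "user not recognized" symptom on a real member server.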
I say again: unless you need users to log in to the Member Server and have per-user shells and home directories, use the simpler `rid` backend.
See also: Additional idmapping notes
Caponato's Samba notebook.