
Samba Member Server idmap backend

Important: These id-mappings are for **member servers** only (not DCs)

Do not use any of these idmap backends on a Domain Controller. Domain Controllers use their own `idmap.ldb` for ID mapping, which is only valid and used on a DC.

Why an idmap backend is needed

Active Directory stores various data for each object: usernames, names, passwords, and a unique Windows RID (Relative Identifier). See this link for an explanation of SIDs and RIDs.

A Samba DC manages all these mappings transparently.

However, UNIX systems like file or print servers don’t understand SIDs or RIDs — they only deal with UIDs and GIDs. Samba's `winbind` service bridges this gap by mapping Windows AD identities to UNIX identities, enabling your server to function as a true AD member.

ID mapping is essential in mixed environments where Linux and Windows systems need to share resources. There are several backends available. For an in-depth explanation, see: Choosing an idmap backend on the Samba Wiki

Here, we focus on the two most relevant options:

  • `rid` — recommended in most cases
  • `ad` — required only if you need per-user login shells and home paths


Choosing the Right idmap Backend

Let's assume your member server is intended for file or print sharing.

AD users can also log in to member servers (e.g., via SSH), and this affects your choice.

      +---------------------------------------------+
      |   Do you want your users to be able to      |
      |   log in to your member server (e.g. ssh)?  |
      +---------------------------------------------+
                   |                           |
                 No|                           |Yes
                   v                           v
  +-------------------------------+          +----------------------------------+
  | Use RID (default login shell  |          | Do you need your users to have   |
  | is /bin/false so no login)    |          | different login shells and home  |
  +-------------------------------+          | directories on the member server?|
                                             +----------------------------------+
                                                   |                  |
                                                 No|                  |Yes
                                                   v                  v
                         +--------------------------------+       +---------------------------+
                         | Use RID and specify login      |       | Use AD and specify login  |
                         | shell and Unix home directory  |       | shell and Unix home       |
                         | path in smb.conf               |       | directory in AD RFC2307   |
                         +--------------------------------+       | attributes per user       |
                                                                  +---------------------------+

The `rid` idmap backend

The `rid` backend calculates UIDs and GIDs based on the user's Windows RID and a defined range in `smb.conf`. It is simple and predictable.

Using `rid`:

  1. You can optionally set `template shell` and `template homedir` in `smb.conf`.
  2. If not set, default values `/bin/false` and `/home/%D/%U` will be used.
  3. All member servers with the same domain and ID range will resolve the same AD users/groups to the same UIDs/GIDs — important for consistency and disaster recovery.

Recommended for most file/print servers that don't require Unix logins.

Use this configuration in `/etc/samba/smb.conf`:

# Default ID mapping configuration for local BUILTIN accounts
idmap config * : backend = tdb
idmap config * : range = 3000-7999
 
# idmap config for the MAD domain using the rid backend
idmap config MAD : backend = rid
idmap config MAD : range = 10000-999999

For most setups in this Samba Notebook, `rid` is the preferred choice.
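As an added example (this script is not part of the notebook), the following shell functions show how the `rid` backend derives a UNIX ID from a RID (ID = low end of the range + RID, with the default `base_rid` of 0, which is why every member server that shares the same range resolves the same AD user to the same ID) and check that the `*` range and the domain range in an `smb.conf` do not overlap, a common misconfiguration. The `smb.conf` fragment it writes is constructed from the page's own values; `write_sample_conf`, `check_idmap_ranges` and the other function names are the example's own.

```shell
#!/bin/sh
# Added example, not the notebook's own code: idmap_rid arithmetic plus a
# range-overlap check for the "idmap config" lines of an smb.conf.

# idmap_rid mapping with the default "base_rid = 0":
#   ID = LOW_RANGE + RID, and the ID must lie within LOW_RANGE..HIGH_RANGE,
#   otherwise winbind treats the object as unmapped.
rid_to_id() {
    low=$1; high=$2; rid=$3
    id=$((low + rid))
    if [ "$id" -gt "$high" ]; then
        echo "unmapped: RID $rid maps to $id, outside range $low-$high" >&2
        return 1
    fi
    echo "$id"
}

# Returns 0 (true) when two LOW-HIGH ranges overlap.
ranges_overlap() {
    a_low=${1%-*}; a_high=${1#*-}
    b_low=${2%-*}; b_high=${2#*-}
    [ "$a_low" -le "$b_high" ] && [ "$b_low" -le "$a_high" ]
}

# Extracts every "idmap config X : range = A-B" line from an smb.conf and
# reports any pair of ranges that overlap. Returns 1 if a problem was found.
check_idmap_ranges() {
    conf=$1
    # Produces lines such as "*=3000-7999" and "MAD=10000-999999".
    ranges=$(sed -n 's/^[[:space:]]*idmap config[[:space:]]*\([^[:space:]:]*\)[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*\([0-9][0-9]*-[0-9][0-9]*\).*/\1=\2/p' "$conf")
    status=0
    set -f   # the "*" domain name must not be glob-expanded by the for loop
    for a in $ranges; do
        for b in $ranges; do
            [ "$a" = "$b" ] && continue
            if ranges_overlap "${a#*=}" "${b#*=}"; then
                echo "overlap: ${a%%=*} (${a#*=}) and ${b%%=*} (${b#*=})" >&2
                status=1
            fi
        done
    done
    set +f
    return $status
}

# Writes a constructed smb.conf fragment using the page's values; passing a
# second argument changes the MAD range's low end (5000 makes it overlap "*").
write_sample_conf() {
    path=$1; domain_low=${2:-10000}
    cat > "$path" <<EOF
[global]
   # Default ID mapping configuration for local BUILTIN accounts
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   # idmap config for the MAD domain using the rid backend
   idmap config MAD : backend = rid
   idmap config MAD : range = ${domain_low}-999999
EOF
}

# Demo: RID 1105 in range 10000-999999 maps to 11105 on every server that
# uses this range, and the page's two ranges do not overlap.
rid_to_id 10000 999999 1105
conf=$(mktemp)
write_sample_conf "$conf"
check_idmap_ranges "$conf" && echo "no overlapping idmap ranges in $conf"
rm -f "$conf"
```

Run it on a real `/etc/samba/smb.conf` with `check_idmap_ranges /etc/samba/smb.conf`; the `*` range must stay separate from every domain range because the `tdb` backend allocates IDs for BUILTIN and unknown SIDs from it.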


The `ad` idmap backend

Use the `ad` backend only if:

  1. Users must log in to the server (e.g., via SSH)
  2. And each user must have a different login shell and/or home directory
  3. And those attributes are stored in AD using RFC2307

This backend is more complex:

  1. All AD users must have `uidNumber`; all groups must have `gidNumber`
  2. The group Domain Users must have a gidNumber, or users won’t appear on the Unix server
  3. You must assign RFC2307 attributes manually — either at user creation time or via ADUC
  4. You are responsible for avoiding UID/GID collisions
  5. Like `rid`, this backend allows consistent UID/GID mapping across multiple servers

If RFC2307 attributes are missing, AD users will not be recognized by the member server.

RFC2307 schema attributes include:

  • `uidNumber`: the user’s UNIX UID
  • `gidNumber`: the user’s primary GID
  • `unixHomeDirectory`: the user’s home directory path
  • `loginShell`: the user’s default shell

Use another admin user in “Domain Admins” for administrative tasks. Avoid using the `Administrator` AD account directly.

If you really must map `Administrator` to `root`, add the following settings.

In `/etc/samba/smb.conf`:

username map = /etc/samba/user.map
min domain uid = 0

In `/etc/samba/user.map`:

!root = MAD\Administrator

When working directly on the server (in Linux), always use `root`, not `Administrator`.


Use this configuration for the `ad` backend in your member server's `smb.conf`:

# Default ID mapping configuration for local BUILTIN accounts
idmap config * : backend = tdb
idmap config * : range = 3000-7999
 
# idmap config for the MAD domain using the ad backend
idmap config MAD : backend = ad
idmap config MAD : range = 10000-999999
idmap config MAD : schema_mode = rfc2307
idmap config MAD : unix_nss_info = yes
 
# If using 'Administrator' mapping
#username map = /etc/samba/user.map
#min domain uid = 0

I say again: unless you need users to log in to the Member Server and have per-user shells and home directories, use the simpler `rid` backend.
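The attribute requirements listed above are easy to audit before switching a member server to the `ad` backend. The following shell script is an added example, not part of this notebook; it reads an LDIF export of the domain (the constructed entries below stand in for what an `ldapsearch` or `ldbsearch` dump would contain) and reports users with no `uidNumber` or with a `uidNumber` outside the configured idmap range (the `ad` backend ignores IDs outside `idmap config MAD : range`), groups with no `gidNumber`, and duplicate `uidNumber` values. The names `audit_rfc2307`, `write_sample_ldif`, the sample DNs and the users alice, bob, carol and dave are the example's own.

```shell
#!/bin/sh
# Added example, not the notebook's own code: audit an LDIF export for the
# RFC2307 attributes the idmap_ad backend depends on.

# audit_rfc2307 LOW HIGH FILE
# Prints one line per finding and returns 1 if anything was found.
audit_rfc2307() {
    low=$1; high=$2; ldif=$3
    awk -v low="$low" -v high="$high" '
        # Value part of an "attr: value" line (values may contain spaces).
        function val() { return substr($0, index($0, ": ") + 2) }
        # Evaluate the entry collected so far, then reset per-entry state.
        function flush(    k) {
            if (dn == "") return
            if (oc["user"]) {
                if (uid == "") {
                    printf "MISSING uidNumber: %s\n", name; problems++
                } else if (uid + 0 < low + 0 || uid + 0 > high + 0) {
                    printf "OUT OF RANGE uidNumber=%s: %s\n", uid, name; problems++
                } else if (uid in seen) {
                    printf "COLLISION uidNumber=%s: %s and %s\n", uid, name, seen[uid]; problems++
                } else {
                    seen[uid] = name
                }
            } else if (oc["group"]) {
                if (gid == "") { printf "MISSING gidNumber: %s\n", name; problems++ }
            }
            dn = ""; name = ""; uid = ""; gid = ""
            for (k in oc) delete oc[k]
        }
        /^dn: /             { flush(); dn = val() }
        /^objectClass: /    { oc[val()] = 1 }
        /^sAMAccountName: / { name = val() }
        /^uidNumber: /      { uid = val() }
        /^gidNumber: /      { gid = val() }
        /^$/                { flush() }
        END                 { flush(); exit (problems > 0) }
    ' "$ldif"
}

# Constructed LDIF: alice is complete, bob collides with alice, carol has no
# uidNumber, dave is below the range, "Developers" has no gidNumber.
write_sample_ldif() {
    cat > "$1" <<'EOF'
dn: CN=alice,CN=Users,DC=mad,DC=example
objectClass: top
objectClass: person
objectClass: user
sAMAccountName: alice
uidNumber: 10001
gidNumber: 10513
loginShell: /bin/bash
unixHomeDirectory: /home/alice

dn: CN=bob,CN=Users,DC=mad,DC=example
objectClass: user
sAMAccountName: bob
uidNumber: 10001
gidNumber: 10513

dn: CN=carol,CN=Users,DC=mad,DC=example
objectClass: user
sAMAccountName: carol
gidNumber: 10513

dn: CN=dave,CN=Users,DC=mad,DC=example
objectClass: user
sAMAccountName: dave
uidNumber: 5000
gidNumber: 10513

dn: CN=Domain Users,CN=Users,DC=mad,DC=example
objectClass: top
objectClass: group
sAMAccountName: Domain Users
gidNumber: 10513

dn: CN=Developers,CN=Users,DC=mad,DC=example
objectClass: group
sAMAccountName: Developers
EOF
}

# Demo against the constructed export and the page's range 10000-999999.
sample=$(mktemp)
write_sample_ldif "$sample"
audit_rfc2307 10000 999999 "$sample" || echo "fix the entries above before enabling the ad backend"
rm -f "$sample"
```

Only `uidNumber` on users and `gidNumber` on groups are checked, matching the requirements above; `loginShell` and `unixHomeDirectory` are optional because `template shell` and `template homedir` fill in defaults when they are absent.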

See also: Additional idmapping notes



samba/idmap-backends.txt · Last modified: by caponato