idmap_rid can't be used for the local sam, e.g. net sam createlocalgroup will fail, because idmap_rid can't allocate a gid because it's not able to allocate a ri. Is this a limitation that is not intended and should it be fixed? If not: then the man page should reflect the limitation and a debug level 0 log message should also say that idmap_rid can't handle that thing that is expected to be done. Maybe it would even be better if winbind would refuse to start if a domain is being handled by idmap_rid that is not supported by it.
In order to create group mappings (or use ldapsam:editposix), with the new(er) code, you have to have winbindd running and the default idmap configuration (idmap backend = ...) configured with a backend that can create unix ids, i.e. tdb, tdb2, or ldap. The background is that the id-pool (allocator) of the default id mapping configuration is also used as an overall Samba idmap pool for all of Samba, e.g. in group mapping and ldapsam:editposix.

I.e. you need to set something like this:

~~~~~~~~~~~~~~~~~~
idmap backend = tdb
idmap uid = 10000-20000
idmap gid = 10000-20000
idmap config SOMEDOMAIN : backend = rid
idmap config SOMEDOMAIN : range = 40000-50000
~~~~~~~~~~~~~~~~~~

The old multidomain "idmap backend = rid..." config is hence not supported any more. I will check for the documentation and clarify this and make it more explicit if required.

Cheers - Michael
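As an added example (not part of the comment above and not Samba code), a small smb.conf check for the layout described there: the default backend must be one that can allocate ids, with its uid/gid pool set. The function names, the range-overlap check and the two sample configurations are assumptions made for this illustration.

```python
import re

ALLOCATING = {"tdb", "tdb2", "ldap"}  # backends named above as able to create unix ids

def parse_global(text):
    """Return the [global] parameters of an smb.conf as {normalized name: value}."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # smb.conf ignores case and whitespace inside parameter names
            params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params

def parse_range(value):
    return tuple(int(part) for part in value.split("-", 1))

def check_idmap(text):
    """Return the problems found with the idmap layout described in the comment."""
    p, problems = parse_global(text), []
    # Assumption: an unset "idmap backend" falls back to Samba's default, tdb.
    default = p.get("idmapbackend", "tdb").split(":")[0].lower()
    if default not in ALLOCATING:
        problems.append(f"default idmap backend '{default}' cannot allocate unix ids")
    for name in ("idmap uid", "idmap gid"):
        if name.replace(" ", "") not in p:
            problems.append(f"'{name}' pool for the default backend is not set")
    pools = [parse_range(p[k]) for k in ("idmapuid", "idmapgid") if k in p]
    for key, value in p.items():
        m = re.fullmatch(r"idmapconfig(.+):range", key)
        if m:
            low, high = parse_range(value)
            # Added check (not from the thread): id ranges must not overlap.
            if any(low <= b and a <= high for a, b in pools):
                problems.append(f"range of {m.group(1).upper()} overlaps the default pool")
    return problems

# Constructed samples: GOOD is the layout from the comment, BAD a broken variant.
COMMON = "idmap uid = 10000-20000\nidmap gid = 10000-20000\nidmap config SOMEDOMAIN : backend = rid\n"
GOOD = "[global]\nidmap backend = tdb\n" + COMMON + "idmap config SOMEDOMAIN : range = 40000-50000\n"
BAD = "[global]\nidmap backend = rid\n" + COMMON + "idmap config SOMEDOMAIN : range = 15000-50000\n"

if __name__ == "__main__":
    print(check_idmap(GOOD), check_idmap(BAD))
```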
Created attachment 6122
manpage update for idmap_rid

I pushed this update to the idmap_rid manpage to master and v3-6-test. Should we add this to 3.5.7, too?
Comment on attachment 6122
manpage update for idmap_rid

Yes, should go to 3.5 also to document that for our users :-)
Pushed to v3-5-test. Closing out bug report. Thanks!