The Samba-Bugzilla – Bug 8079
idmap_rid: confusion in uid/gid<->RID mapping
Last modified: 2018-03-27 20:03:47 UTC
Hi, base_rid in idmap_rid now is deprecated but if yu put base_rid in smb.conf and flush the cache (net cache flush) getent group doesn't show users and groups domain any more (but wbinfo works).
Furthermore how idmap_rid calculate now the uid/gid from RID? The equation ID = RID - BASE_RID + LOW_RANGE_ID works but sometimes BASE_RID is 0 and sometimes BASE_RID is 1000 even if you don't change smb.conf. This can cause a lot of problems if you use acl or if you use winbind authentication.
This is the idmap_rid settings of my smb.conf:
workgroup = DOMINIOCSA
security = DOMAIN
idmap uid = 10000-25000
idmap gid = 10000-25000
template shell = /bin/bash
winbind enum users = Yes
winbind enum groups = Yes
winbind offline logon = Yes
idmap config DOMINIOCSA : range = 10000-25000
idmap config DOMINIOCSA : backend = rid
Have a great day
I've understood something more. If you try to add base_rid to smb.conf (I've ever used base_rid=1000) wbinfo works but getent doesn't ; but the cache will be filled with the idmap having the base_rid you specified in the smb.conf. Now to have winbind working you have to remove base_rid from smb.conf and when you restart winbind, winbind has old and incongruent idmap values in the cache. When the value in cache expires the mapping change even if you have not changed smb.conf.
I hope this help you to understand better my bug report
Have a great day
your issues came from an invalid idmap config I think id ranges may not overlap. With a correct idmap config no such errors should pop up, the wiki should have some good examples, the mailing list can offer help also.