LinuxQuestions.org
Old 11-07-2023, 06:42 PM   #1
LQrt70973
LQ Newbie
 
Registered: Nov 2023
Location: French Guiana
Distribution: CentOS Linux 7 (Core)
Posts: 3

Rep: Reputation: 0
Question Samba 4.10.16 ERROR: Invalid idmap range for domain *! on CentOS Linux 7 (Core)


Hello,

I'm trying to get a Samba server up and running as a PDC, but when I run testparm on my smb.conf it ends up with an error message saying ERROR: Invalid idmap range for domain *!

Here is the result of testparm:

---------------------------------------------------------------------
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
idmap range not specified for domain '*'
ERROR: Invalid idmap range for domain *!

Server role: ROLE_DOMAIN_PDC

Press enter to see a dump of your service definitions
---------------------------------------------------------------------

And hereafter is the dump of the smb.conf service definitions:

---------------------------------------------------------------------
# Global parameters
[global]
add machine script = /usr/sbin/useradd -d /dev/null -g 200 -s /sbin/nologin -M %u
domain logons = Yes
domain master = Yes
logon path = \\%L\Profiles\%U
logon script = logon.bat
preferred master = Yes
security = USER
server string = MyServerString (Samba %v)
workgroup = MyWorkgroup
idmap config * : backend = tdb


[homes]
comment = Home Directories
read only = No


[netlogon]
browseable = No
comment = Network Logon Service
path = /var/lib/samba/netlogon
read only = No


[Profiles]
create mask = 0755
path = /var/lib/samba/profiles
read only = No
---------------------------------------------------------------------

Has anyone experienced this? Thank you for reading this post anyway!

Cheers
 
Old 11-18-2023, 10:58 PM   #2
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,347

Rep: Reputation: Disabled
You don't have an "idmap config * : range =" setting in your configuration file, and that's why you're getting the error message.
 
1 members found this post helpful.
Old 11-28-2023, 07:27 PM   #3
LQrt70973
LQ Newbie
 
Registered: Nov 2023
Location: French Guiana
Distribution: CentOS Linux 7 (Core)
Posts: 3

Original Poster
Rep: Reputation: 0

Quote:
Originally Posted by Ser Olmy
You don't have an "idmap config * : range =" setting in your configuration file, and that's why you're getting the error message.

Hello Ser Olmy,

Thank you for this answer. Would you please explain what I should do with this statement: idmap config * : range = ?

What should the range be? What for? I have read on the Samba Wiki that ID mapping is for reading account and group information from Active Directory, but I'm really inexperienced with this.

Cheers
 
Old 11-28-2023, 08:36 PM   #4
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,347

Rep: Reputation: Disabled
idmap config settings control how Security Identifiers (SIDs) identifying Windows accounts (users, groups, and computers) are mapped to UIDs and GIDs on various Unix-like platforms. I'd direct you to the "Identity Mapping" chapter of the official Samba documentation, but it's horribly outdated and quite confusing.

The specific setting idmap config * : range = <low> - <high> specifies how users that are not specific to a Windows domain are mapped; the "*" means "all accounts not covered by other idmap config statements."

Turns out having this in smb.conf is very important, as all the Windows "builtin" accounts and groups use this setting. I believe it is also used for some objects that cannot be statically mapped to regular UIDs (like some special-purpose Windows groups that act as user accounts in some contexts).

The <low> and <high> numbers simply refer to a range of otherwise unused UIDs/GIDs on the Linux server running Samba. It's important that none of these IDs be assigned to a local account or group, ever.
 
1 members found this post helpful.
Old 11-30-2023, 05:07 PM   #5
LQrt70973
LQ Newbie
 
Registered: Nov 2023
Location: French Guiana
Distribution: CentOS Linux 7 (Core)
Posts: 3

Original Poster
Rep: Reputation: 0
Thank you Ser Olmy,

So I have set idmap config * : range = 3000-7999
I have checked beforehand that no user ID is in this range. And my testparm ends with no error.
So I'll mark this as solved.

But, still, I need to open another question, since now my concern is to have a Windows 8.1 workstation join my domain, and at this time, it is still not able to do so.

Cheers
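
The check described in posts #4 and #5 (no local account or group may own an ID inside the idmap range), as an added example that is not part of the original thread. The function names and the sample files are constructed for illustration; the login.defs comparison goes one step beyond what the poster did, flagging ranges from which useradd or groupadd could later allocate.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a Samba idmap range.

# Print "LOW HIGH" from the "idmap config * : range = LOW-HIGH" line of CONF.
idmap_range() {
    awk -F= '/^[ \t]*idmap[ \t]+config[ \t]*\*[ \t]*:[ \t]*range[ \t]*=/ {
        gsub(/[ \t]/, "", $2); split($2, r, "-"); print r[1], r[2]; exit }' "$1"
}

# Print name:id for every entry of a passwd- or group-format FILE whose
# numeric ID (field 3) lies inside LOW..HIGH.
ids_in_range() {
    awk -F: -v lo="$2" -v hi="$3" \
        '$3 ~ /^[0-9]+$/ && $3+0 >= lo+0 && $3+0 <= hi+0 { print $1 ":" $3 }' "$1"
}

# Print each login.defs allocation window (UID or GID) that intersects
# LOW..HIGH, i.e. where useradd/groupadd may later hand out a clashing ID.
alloc_overlap() {
    awk -v lo="$2" -v hi="$3" '
        $1 ~ /^(UID|GID)_(MIN|MAX)$/ { v[$1] = $2 }
        END {
            n = split("UID GID", t, " ")
            for (i = 1; i <= n; i++)
                if (v[t[i] "_MIN"] != "" && v[t[i] "_MAX"] != "" &&
                    v[t[i] "_MIN"]+0 <= hi+0 && v[t[i] "_MAX"]+0 >= lo+0)
                    print t[i], v[t[i] "_MIN"] "-" v[t[i] "_MAX"]
        }' "$1"
}

# Constructed sample files (stand-ins for smb.conf, /etc/passwd, /etc/login.defs).
make_sample() {
    printf '[global]\n\tworkgroup = MyWorkgroup\n\tidmap config * : backend = tdb\n\tidmap config * : range = 3000-7999\n' > "$1/smb.conf"
    printf 'root:x:0:0::/root:/bin/bash\nalice:x:1000:1000::/home/alice:/bin/bash\nws01$:x:3001:200::/dev/null:/sbin/nologin\n' > "$1/passwd"
    printf '# constructed\nUID_MIN 1000\nUID_MAX 60000\nGID_MIN 1000\nGID_MAX 60000\n' > "$1/login.defs"
}

d=$(mktemp -d); make_sample "$d"
set -- $(idmap_range "$d/smb.conf")
echo "idmap range: $1-$2"
echo "local IDs inside it: $(ids_in_range "$d/passwd" "$1" "$2")"
echo "allocation windows overlapping it: $(alloc_overlap "$d/login.defs" "$1" "$2")"
rm -rf "$d"
```

On a real server, point the functions at /etc/samba/smb.conf, /etc/passwd, /etc/group and /etc/login.defs; any output from ids_in_range or alloc_overlap means the range can collide with local IDs.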
 
  


All times are GMT -5. The time now is 11:09 AM.
