LinuxCommandLibrary

idmapwb

Map Windows users/groups to Linux IDs

SYNOPSIS

Configured in smb.conf(5):
idmap config DOMAIN : backend = wb [options]

PARAMETERS

rangesize = INTEGER
    Size of automatic ID range for the domain (default: 100000)

range = LOW-HIGH
    Fixed UNIX ID range for the domain (e.g., 10000-999999)

readonly = BOOLEAN
    Prevent writing new mappings to database (default: no)

DESCRIPTION

The idmap_wb module provides ID mapping functionality for Samba's Winbind daemon using its internal TDB database.

Winbind translates Windows NT security identifiers (SIDs) to UNIX user IDs (UIDs) and group IDs (GIDs). The idmap_wb backend stores these mappings in the winbindd_privileged/idmap2.tdb file, enabling efficient SID-to-ID resolution for Active Directory or NT4 domains.

It is activated via smb.conf(5) configuration with idmap config DOMAIN : backend = wb. This backend supports dynamic allocation of IDs within specified ranges and is suitable for multi-domain environments where Winbind manages authentication.

Unlike key-based backends like idmap_ad, idmap_wb uses a simple SID-to-ID table, making it lightweight but less scalable for very large deployments. It integrates seamlessly with Winbind's online and offline modes, ensuring mappings persist across restarts. Use wbinfo --sid-to-uid or wbinfo --uid-to-sid to query mappings.

Intended primarily for trusted domains in AD setups, it auto-allocates ranges unless one is specified. Read-only mode prevents updates to the database.

CAVEATS

Not a standalone executable; it requires a running winbindd(8). It is limited to Winbind-managed domains. Database corruption is possible in high-load scenarios without proper backups.

EXAMPLE CONFIGURATION

smb.conf:
[global]
  idmap config * : backend = tdb
  idmap config * : range = 3000-7999
  idmap config SAMDOM : backend = wb
  idmap config SAMDOM : range = 10000-999999
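
Per smb.conf(5), the ranges given to different idmap config domains must not overlap; if they do, two different SIDs can resolve to the same UID or GID and file permissions stop meaning what they say. The following is an added example, not part of the original page or of Samba: a small checker for idmap config range lines. The function names, the TRUSTED and LAB domains, and their ranges are constructed for illustration.

```python
import re

# Constructed sample: the page's example plus one deliberately overlapping
# domain (TRUSTED) and one inverted range (LAB). Both are hypothetical.
SAMPLE_SMB_CONF = """\
[global]
  idmap config * : backend = tdb
  idmap config * : range = 3000-7999
  idmap config SAMDOM : backend = wb
  idmap config SAMDOM : range = 10000-999999
  idmap config TRUSTED : backend = wb
  idmap config TRUSTED : range = 500000-1500000
  idmap config LAB : range = 9000-8000
"""

# Matches "idmap config DOMAIN : key = value" (case-insensitive).
IDMAP_LINE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^:]+?)\s*:\s*(?P<key>[\w ]+?)\s*=\s*(?P<val>.*?)\s*$",
    re.IGNORECASE,
)

def parse_idmap_ranges(text):
    """Return ({domain: (low, high)}, [error strings]) from smb.conf text."""
    ranges, errors = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith(("#", ";")):  # smb.conf comment lines
            continue
        m = IDMAP_LINE.match(line)
        if not m or m["key"].lower() != "range":
            continue
        dom = m["dom"].upper()
        r = re.fullmatch(r"(\d+)\s*-\s*(\d+)", m["val"])
        if not r or int(r[1]) >= int(r[2]):  # malformed or LOW >= HIGH
            errors.append(f"line {lineno}: bad range for {dom}: {m['val']!r}")
            continue
        ranges[dom] = (int(r[1]), int(r[2]))
    return ranges, errors

def find_overlaps(ranges):
    """Return (domA, domB) pairs whose inclusive ID ranges intersect."""
    items = sorted(ranges.items(), key=lambda kv: kv[1])  # sort by LOW
    return [(a, b) for i, (a, (_, hi_a)) in enumerate(items)
            for b, (lo_b, _) in items[i + 1:] if lo_b <= hi_a]

if __name__ == "__main__":
    ranges, errors = parse_idmap_ranges(SAMPLE_SMB_CONF)
    for e in errors:
        print("ERROR", e)
    for a, b in find_overlaps(ranges):
        print(f"OVERLAP {a} {ranges[a]} <-> {b} {ranges[b]}")
```
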

QUERY MAPPINGS

Use wbinfo --all-domains to list domains.
Use wbinfo --sid-to-uid S-1-5-21-... to resolve SIDs.

HISTORY

Introduced in Samba 3.3.15 as experimental; became stable in 3.4. Default backend for unspecified domains in Samba 4.0+. Enhanced in 4.5+ for better AD compatibility.

SEE ALSO

wbinfo(1), winbindd(8), smb.conf(5), idmap_tdb(8), idmap_ad(8)
