You will need to configure the new backend on both the server and the workstation. First, stop the Samba and Winbind services.

    sudo /etc/init.d/samba stop
    sudo /etc/init.d/winbind stop

Open /etc/samba/smb.conf and make the following changes:

    realm = REALMNAME
    workgroup = DOMAINNAME
    security = ads
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    idmap backend = rid:DOMAINNAME=10000-20000
    allow trusted domains = no
    template shell = /bin/bash
    template homedir = /home/%D/%U
    winbind use default domain = yes

All Windows accounts have a unique security identifier (SID). The last four digits of this identifier are unique within any given domain and are called the relative identifier (RID). The RID module maps IDs by adding the RID to the minimum value in the idmap range (in our case 10000). Since these RIDs are only unique within their own domain, we must disallow trusted domains as shown above.[1]

Note that if you are using Samba 3.0.14a, you should replace rid on the idmap backend line with idmap_rid to reflect the name of the module, which changed between versions 3.0.14a and 3.0.22.
Restart the Samba and Winbind services.

    sudo /etc/init.d/samba start
    sudo /etc/init.d/winbind start

Confirm that your IDs have changed with getent passwd and getent group. All workstations configured with this backend will have identical mappings. Once you have configured the server and the workstation, the mappings on them should be the same.
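
The following added example (not part of the original article and not Samba's own code) models the mapping as described above, Unix ID = range minimum + RID, and compares getent passwd output from two hosts. It shows why two domains would collide on the same RID and what happens when a RID falls outside the range. The SIDs, user names and passwd lines are constructed sample data, and the function names are hypothetical.

```python
# Added illustration: models the RID mapping as this article describes it
# (Unix ID = idmap range minimum + RID). This is not Samba's implementation.

IDMAP_LOW, IDMAP_HIGH = 10000, 20000  # from "idmap uid = 10000-20000"


def rid_of(sid):
    """Return the RID, the final dash-separated field of a SID string."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or not parts[-1].isdigit():
        raise ValueError("not a SID: %r" % sid)
    return int(parts[-1])


def rid_to_unix_id(sid, low=IDMAP_LOW, high=IDMAP_HIGH):
    """Map a SID to a Unix ID, or None if the result leaves the range."""
    unix_id = low + rid_of(sid)
    return unix_id if low <= unix_id <= high else None


def passwd_ids(getent_output):
    """Parse `getent passwd` text into {username: (uid, gid)}."""
    ids = {}
    for line in getent_output.strip().splitlines():
        fields = line.split(":")
        if len(fields) >= 7:  # skip malformed lines
            ids[fields[0]] = (int(fields[2]), int(fields[3]))
    return ids


def mapping_differences(server_output, workstation_output):
    """Return users whose UID/GID differ, or who exist on one host only."""
    a, b = passwd_ids(server_output), passwd_ids(workstation_output)
    return sorted(u for u in a.keys() | b.keys() if a.get(u) != b.get(u))


# Constructed sample data (not taken from a real domain).
DOMAIN_A = "S-1-5-21-1111111111-2222222222-3333333333"
DOMAIN_B = "S-1-5-21-4444444444-5555555555-6666666666"
SERVER = "alice:*:11105:10513:Alice:/home/DOMAINNAME/alice:/bin/bash\n"
WORKSTATION_OK = SERVER
WORKSTATION_BAD = "alice:*:10003:10000:Alice:/home/DOMAINNAME/alice:/bin/bash\n"

if __name__ == "__main__":
    print(rid_to_unix_id(DOMAIN_A + "-1105"))   # RID 1105 in the first domain
    print(rid_to_unix_id(DOMAIN_B + "-1105"))   # same RID, different domain
    print(rid_to_unix_id(DOMAIN_A + "-10001"))  # would exceed the range
    print(mapping_differences(SERVER, WORKSTATION_BAD))
```

Two accounts from different domains with the same RID land on the same Unix ID, which is the collision that "allow trusted domains = no" rules out.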

[1] If your enterprise network relies on trusted domains, you will need to replace the Winbind backend described in this article with an LDAP backend. See this section from the Samba-3 Howto for how to configure Winbind to use this backend.