On Mon, Apr 28, 2025 at 9:20 AM Ralf Boehm via sssd-users <sssd-users@lists.fedorahosted.org> wrote:
> We want to switch from winbind to sssd. We have been using winbind for many years and have a configuration that does not seem to be compatible with sssd, at least I have not been able to find one.
>
> We use several Windows Active Directory servers. When we started using winbind, there were relatively few Linux hosts. Most of our clients and servers had a Windows operating system.
>
> We decided to go with rid backends at that time. It works very well. Here are the settings from /etc/samba/smb.conf:
>
> # UID & GID Mapping with RID
> idmap config DOMAIN1:backend = rid
> idmap config DOMAIN1:range = 100000-349999
> idmap config DOMAIN:base_rid = 0
> idmap config DOMAIN2:backend = rid
> idmap config DOMAIN2:range = 350000-599999
> idmap config DOMAIN2:base_rid = 0
> idmap config *:backend = tdb
> idmap config *:range = 600000-849999
If I were in your position, I would try testing something like this:
[domain/example1.com]
ldap_id_mapping = True
ldap_idmap_range_min = 100000
ldap_idmap_range_max = 349999
ldap_idmap_range_size = 250000

[domain/example2.com]
ldap_id_mapping = True
ldap_idmap_range_min = 350000
ldap_idmap_range_max = 599999
ldap_idmap_range_size = 250000
In essence, for each domain, this provides an ID map range that consists of a single slice of 250000 ids, exactly matching the slice size and range that the SMB idmap backend uses. Since there is only one slice (slice 0), no matter what the domain SID is, it will always hash to slice 0 (because there are no other slices).
There might be some reason why this approach won't work that isn't occurring to me, but before I gave up and abandoned ID mapping (in favor of having my Windows admins just add uidNumber and/or gidNumber attributes to everything), I would at least give it a try.
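To check the single-slice claim above before touching a production host, here is an added Python model that is not code from sssd, Samba or either poster: it computes the slice sssd would pick for a domain SID and compares the resulting UID with Samba's idmap_rid formula, so a UID mismatch (which would break file ownership on shared storage) shows up before migration. It assumes sssd picks the slice with MurmurHash3 x86_32 of the SID string seeded with 0xdeadbeef, models the slice count with inclusive bounds as (max - min + 1) // range_size, and uses a constructed sample domain SID; verify the arithmetic against the sss_idmap code of your sssd version.

```python
# Added example (not sssd or Samba code): model sssd's slice selection and
# compare it with Samba's idmap_rid formula for the ranges in this thread.
# Assumptions: MurmurHash3 x86_32 seeded with 0xdeadbeef picks the slice,
# and range bounds are inclusive, so slices = (max - min + 1) // range_size.
M32 = 0xFFFFFFFF

def murmurhash3_x86_32(data: bytes, seed: int) -> int:
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h = seed & M32
    nblocks = len(data) // 4
    for i in range(nblocks):                       # 4-byte body blocks
        k = int.from_bytes(data[4 * i:4 * i + 4], "little")
        k = (k * c1) & M32
        k = ((k << 15) | (k >> 17)) & M32
        k = (k * c2) & M32
        h ^= k
        h = ((h << 13) | (h >> 19)) & M32
        h = (h * 5 + 0xE6546B64) & M32
    tail = data[4 * nblocks:]                      # up to 3 trailing bytes
    k = 0
    for i in range(len(tail) - 1, -1, -1):
        k ^= tail[i] << (8 * i)
    if tail:
        k = (k * c1) & M32
        k = ((k << 15) | (k >> 17)) & M32
        h ^= (k * c2) & M32
    h ^= len(data)                                 # finalisation mix
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & M32
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & M32
    return h ^ (h >> 16)

def idmap_slices(range_min: int, range_max: int, range_size: int) -> int:
    return (range_max - range_min + 1) // range_size   # assumption: inclusive bounds

def sssd_slice(domain_sid: str, range_min: int, range_max: int, range_size: int) -> int:
    # The SID hash selects the slice; with exactly one slice, hash % 1 is always 0.
    return murmurhash3_x86_32(domain_sid.encode(), 0xDEADBEEF) % idmap_slices(range_min, range_max, range_size)

def sssd_uid(domain_sid: str, rid: int, range_min: int, range_max: int, range_size: int) -> int:
    if not 0 <= rid < range_size:
        raise ValueError(f"RID {rid} does not fit in a slice of {range_size} ids")
    return range_min + sssd_slice(domain_sid, range_min, range_max, range_size) * range_size + rid

def winbind_rid_uid(rid: int, range_low: int, range_high: int, base_rid: int = 0) -> int:
    uid = range_low + rid - base_rid               # Samba idmap_rid formula
    if not range_low <= uid <= range_high:
        raise ValueError(f"RID {rid} maps outside {range_low}-{range_high}")
    return uid
```

Run it with the real domain SIDs (for example from `net getdomainsid` or `wbinfo --domain-info`) and a handful of RIDs from `wbinfo -i`, and compare the two UIDs per account before switching hosts over.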