Suppose I define "idmap uid = 1500 - 10000" in my smb.conf and the RID of the AD user is 1546; the UID of that user would then be 1500 + 1546, which is 3046. If there are multiple trusted domains, this smb.conf wouldn't work. I will create a separate post for that.
The SID for user "u1" looks like this:
# wbinfo -n u1
S-1-5-21-2913803998-3319354983-1616611311-1106 User (1)
Here the RID of u1 is 1106.
In this configuration we assume that our AD domain is test.example.com.
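The mapping described above (UID = low end of the idmap range + RID), worked through in shell. This is an added example, not part of the original post: the function names and the passwd lines are constructed for illustration, and the range is the one from the smb.conf in this post. It also lists local accounts whose UID already sits inside the idmap range, since such an account would share a UID (and file ownership) with whichever AD user maps to the same number.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the mapping the post
# describes: uid = range_low + RID.

LOW=1500       # low end of "idmap uid = 1500-100000"
HIGH=100000    # high end of the same range

# Print the RID (last dash-separated field) of a SID; fail on malformed input.
sid_rid() {
    case $1 in
        S-1-*-*) rid=${1##*-} ;;
        *) return 1 ;;
    esac
    case $rid in ''|*[!0-9]*) return 1 ;; esac
    printf '%s\n' "$rid"
}

# Print the UID a RID maps to; fail if it would land above the range,
# in which case the user gets no mapping from this range.
rid_to_uid() {
    uid=$((LOW + $1))
    [ "$uid" -le "$HIGH" ] || return 1
    printf '%s\n' "$uid"
}

# Read passwd-format lines on stdin and print the names of local accounts
# whose UID lies inside the idmap range.
local_collisions() {
    awk -F: -v lo="$LOW" -v hi="$HIGH" '$3 >= lo && $3 <= hi { print $1 }'
}

# SID as printed by "wbinfo -n u1" in this post.
SAMPLE_SID='S-1-5-21-2913803998-3319354983-1616611311-1106'
# Constructed passwd lines; "backup" deliberately uses a UID in the range.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
backup:x:2606:2606:local backup user:/home/backup:/bin/bash
alice:x:500:500::/home/alice:/bin/bash'

rid=$(sid_rid "$SAMPLE_SID")
echo "RID $rid -> UID $(rid_to_uid "$rid")"
echo "Local accounts inside the idmap range:"
printf '%s\n' "$SAMPLE_PASSWD" | local_collisions
```

On a real system, feed local_collisions from /etc/passwd and compare the predicted UID with what "id u1" reports after winbind is running.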
[global]
workgroup = WORKGROUP
netbios name = netbiosname
realm = REALM
server string = RHEL4 Test Server
security = ads
password server =
log file = /var/log/samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
printcap name = /etc/printcap
# idmap_rid derives UIDs and GIDs for domain EXAMPLE from the RID, within this range
idmap backend = idmap_rid:EXAMPLE=1500-100000
idmap uid = 1500-100000
idmap gid = 1500-100000
# the RID mapping above covers a single domain only
allow trusted domains = no
winbind separator = +
winbind use default domain = yes
cups options = raw
winbind nss info = rfc2307 sfu template

[homes]
comment = Home Directories
read only = No
browseable = No

[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No
Configure /etc/krb5.conf appropriately if using Kerberos for authentication.
Join the system to the Active Directory domain.
# net ads join -U administrator
Run authconfig and choose winbind for the name service and Kerberos for authentication. Don't join the system to the domain in this step, since we have already joined it.
Restart winbind. Now every AD user should be able to log in to the Linux system.