The idmap config prefix provides a means of managing each domain defined by the option using Samba's parameteric option support. The idmap config prefix should be followed by the name of the domain, a colon, and a setting specific to the chosen backend. There are three options available for all domains: backend = backend_name Specifies the name of the idmap plugin to use as the SID/uid/gid backend for this domain. default = [yes|no] The default domain/backend will be used for searching for users and groups not belonging to one of the explicitly listed domains (matched by comparing the account SID and the domain SID). readonly = [yes|no] Mark the domain as readonly which means that no attempts to allocate a uid or gid (by the ) for any user or group in that domain will be attempted. The following example illustrates how to configure the idmap_ad8 for the CORP domain and the idmap_tdb 8 backend for all other domains. The TRUSTEDDOMAINS string is simply a key used to reference the "idmap config" settings and does not represent the actual name of a domain. idmap domains = CORP TRUSTEDDOMAINS idmap config CORP:backend = ad idmap config CORP:readonly = yes idmap config TRUSTEDDOMAINS:backend = tdb idmap config TRUSTEDDOMAINS:default = yes idmap config TRUSTEDDOMAINS:range = 1000 - 9999