The idmap config prefix provides a means of managing each trusted domain separately. The idmap config prefix should be followed by the name of the domain, a colon, and a setting specific to the chosen backend. There are three options available for all domains: backend = backend_name Specifies the name of the idmap plugin to use as the SID/uid/gid backend for this domain. range = low - high Defines the available matching uid and gid range for which the backend is authoritative. Note that the range commonly matches the allocation range due to the fact that the same backend will store and retrieve SID/uid/gid mapping entries. winbind uses this parameter to find the backend that is authoritative for a unix ID to SID mapping, so it must be set for each individually configured domain, and it must be disjoint from the ranges set via and . The following example illustrates how to configure the idmap_ad 8 for the CORP domain and the idmap_tdb 8 backend for all other domains. This configuration assumes that the admin of CORP assigns unix ids below 1000000 via the SFU extensions, and winbind is supposed to use the next million entries for its own mappings from trusted domains and for local groups for example. idmap backend = tdb idmap uid = 1000000-1999999 idmap gid = 1000000-1999999 idmap config CORP : backend = ad idmap config CORP : range = 1000-999999