Hello fellow Samba Users and Developers ...

Recently I have been struggling to clearly understand the current documentation for IDMAP. There seems to be the old way of doing things and the new way of doing things ... and the documentation is not very clear as to which way is appropriate for which release of Samba. At least not clear to those of us who don't read source code ;-)

I am attempting to set up a member server, i.e. join my Samba system to an Active Directory domain. I am using the latest Samba 3.4.0 and have read what documentation I could find. Having browsed through the posts to this list as well, I thought it was time to ask a few questions, and would really appreciate it if someone could either point me to a post which has already discussed this topic or answer my question directly.

Let me summarize my environment and what I'm trying to accomplish: I work for a networking company and we have a pretty good size AD infrastructure with around 8000 users and who knows how many groups. I am attempting to set up a member server for my domain as mentioned, and I'd like to keep ID mapping consistent on my system (CentOS 5.3 64-bit) with the rest of the company. I'm not sure how my IT department maintains the mapping of SID to UID; however, I do know that they do have UID data set up in Active Directory. I am not able to use the idmap_ad backend as the structure I saw in AD didn't look like we are using SFU. This being the case, I decided to use idmap_ldap as my idmap backend. My idea is that I will create some initial mappings and then write a script to sync the IDs allocated by Samba with the IDs that are actually in AD. Seems a little funky, but it's the best thing I could think of.
Here is my current config:

    #======================= Global Settings ====================================
    [global]
        workgroup = JNPR
        server string = FT-NM Team File Server
        security = ads
        load printers = no
        log file = /var/log/samba/machines/%m.log
        max log size = 50
        encrypt passwords = yes
        realm = jnpr.net
        passdb backend = tdbsam
        interfaces = 10.85.34.254/24
        wins support = no
        wins server = 172.24.36.10
        dns proxy = no
        kerberos method = secrets and keytab
        dedicated keytab file = /etc/krb5.keytab
        socket options = TCP_NODELAY
        syslog = 1

        # Winbindd, idmap and ldap settings
        winbind nested groups = yes
        winbind enum users = yes
        winbind enum groups = yes
        winbind cache time = 6000
        winbind separator = :
        allow trusted domains = no
        winbind use default domain = yes
        template homedir = /home/%U
        template shell = /bin/zsh
        ldap connection timeout = 2
        ldap debug level = 0
        ldap debug threshold = 10
        ldap delete dn = no

        idmap uid = 1000-200000
        idmap gid = 1000-200000
        idmap backend = ldap

        idmap config JNPR: default = yes
        idmap config JNPR: backend = ldap
        idmap config JNPR: ldap_url = ldap://localhost
        idmap config JNPR: ldap_user_dn = cn=smbd,ou=samba,dc=jtac-west,dc=jnpr,dc=net
        idmap config JNPR: ldap_base_dn = ou=maps,ou=samba,dc=jtac-west,dc=jnpr,dc=net

        idmap alloc backend = ldap
        idmap alloc config: ldap_url = ldap://localhost
        idmap alloc config: ldap_anon = no
        idmap alloc config: ldap_user_dn = cn=smbd,ou=samba,dc=jtac-west,dc=jnpr,dc=net
        idmap alloc config: ldap_base_dn = ou=maps,ou=samba,dc=jtac-west,dc=jnpr,dc=net
        idmap alloc config: range = 100000-200000

I've been able to get Winbind working and wbinfo is reporting what it's supposed to. However, I don't think I've understood how to properly configure the new idmap subsystem. I am seeing this in the winbindd-idmap log:

    [2009/07/09 12:55:55, 0] winbindd/idmap.c:201(smb_register_idmap_alloc)
      idmap_alloc module tdb already registered!
    [2009/07/09 12:55:55, 0] winbindd/idmap.c:149(smb_register_idmap)
      Idmap module passdb already registered!
    [2009/07/09 12:55:55, 0] winbindd/idmap.c:149(smb_register_idmap)
      Idmap module nss already registered!
    [2009/07/09 12:55:55, 1] winbindd/idmap_ldap.c:847(idmap_ldap_db_init)
      ERROR: missing idmap ldap url
    [2009/07/09 12:55:55, 1] winbindd/idmap.c:321(idmap_init_domain)
      idmap initialization returned NT_STATUS_UNSUCCESSFUL

You may wonder why I don't just use the old style of config, as I only have one domain. I've decided to do this so that if I need to support a trusted domain I can, without a substantial reconfiguration.

Any ideas and comments to help steer me down the right path are greatly appreciated.

Best Regards,
Theo
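For reference, here is an added example of how the idmap section of an smb.conf for Samba 3.4 with the idmap_ldap backend is usually laid out. It is not the original poster's config and not an official Samba file; it follows the layout shown in the Samba 3.4 idmap_ldap(8) man page, which puts the LDAP URL for the default ("*") domain on the "idmap backend" line in ldap:URL form, sets the allocator parameters under "idmap alloc config", and gives each named domain its own "idmap config DOMAIN : ..." block including a per-domain range. The bind DN, base DN and URL are copied from the post above; the "*"-domain and JNPR ranges are illustrative assumptions, and the "default = yes" line from the post is left out because the man page does not list it for this layout. The "ERROR: missing idmap ldap url" message in the log comes from idmap_ldap_db_init, i.e. the ldap module found no URL for the domain it was initialising, so the point of the example is simply that every domain the ldap module serves, the default one included, gets a URL from somewhere.

```ini
# Added example, not from the original post: idmap layout for Samba 3.4
# with idmap_ldap, following the idmap_ldap(8) man page. Assumed: the
# "*" domain range (1000-200000) and the JNPR range (1000-200000).
[global]
    workgroup = JNPR
    realm = jnpr.net
    security = ads
    winbind separator = :
    winbind use default domain = yes

    # Default ("*") domain: the URL rides on the backend line (ldap:URL form).
    # This is the entry that has no "idmap config" block of its own.
    idmap backend = ldap:ldap://localhost
    idmap uid = 1000-200000
    idmap gid = 1000-200000

    # Allocator for new IDs. All domains that use idmap_ldap share it, so its
    # range must lie inside the domain ranges that accept allocated IDs.
    idmap alloc backend = ldap
    idmap alloc config : ldap_url = ldap://localhost
    idmap alloc config : ldap_user_dn = cn=smbd,ou=samba,dc=jtac-west,dc=jnpr,dc=net
    idmap alloc config : ldap_base_dn = ou=maps,ou=samba,dc=jtac-west,dc=jnpr,dc=net
    idmap alloc config : range = 100000-200000

    # Named domain JNPR. The range here is the per-domain range and is a
    # separate parameter from "idmap uid"/"idmap gid" above.
    idmap config JNPR : backend = ldap
    idmap config JNPR : ldap_url = ldap://localhost
    idmap config JNPR : ldap_user_dn = cn=smbd,ou=samba,dc=jtac-west,dc=jnpr,dc=net
    idmap config JNPR : ldap_base_dn = ou=maps,ou=samba,dc=jtac-west,dc=jnpr,dc=net
    idmap config JNPR : range = 1000-200000

    # A trusted domain, should one be needed later, gets its own block of the
    # same shape with a non-overlapping range (domain name is a placeholder).
    # idmap config TRUSTED : backend = ldap
    # idmap config TRUSTED : ldap_url = ldap://localhost
    # idmap config TRUSTED : ldap_user_dn = cn=smbd,ou=samba,dc=jtac-west,dc=jnpr,dc=net
    # idmap config TRUSTED : ldap_base_dn = ou=maps,ou=samba,dc=jtac-west,dc=jnpr,dc=net
    # idmap config TRUSTED : range = 200001-300000
```

Two practical notes. The password for ldap_user_dn is not written into smb.conf; it is stored in secrets.tdb with "net idmap secret JNPR <password>" for the domain block and "net idmap secret alloc <password>" for the allocator, and the cn=smbd account should have write access only to the ou=maps subtree, since anything that can write there can remap any SID to any UID. An unencrypted ldap://localhost bind is acceptable only because it never leaves the loopback interface; pointing it at a remote server would call for ldaps:// or StartTLS. To confirm that mappings are actually coming from the ranges above, "wbinfo -n JNPR:someuser" returns the SID for a name (with the ":" separator configured here) and "wbinfo -S <sid>" returns the UID winbindd has mapped it to, which should fall inside the JNPR range.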