I am running Samba ver 3.0.33 on Solaris 10 (sparc) as a PDC with LDAP as the backend for both samba and unix accounts. I have also set up a trust with a Windows domain (let's call it WINDOMAIN; the PDC for the Windows domain is Win 2003 but is in mixed mode for backwards compat.). The SAMBA domain trusts the WINDOWS domain, not vice versa. I had also tried setting up trusts with another, test domain (let's call it TESTDOMAIN). I have winbind enabled.

Initially idmap entries were stored in the local tdb backend. I switched this to ldap (I wanted idmappings within the domain to be consistent across member servers, and wanted to add a BDC).

smb.conf includes
----------------------------------------------------------------------------------------------
passdb backend = ldapsam:ldap://ldap1.mydomain.com
ldap suffix=o=mydomain.com
ldap user suffix=ou=people
ldap group suffix=ou=smb_groups
ldap machine suffix=ou=machines
ldap admin dn="cn=Directory Manager"
ldap ssl = no
ldap passwd sync = no
ldap idmap suffix=ou=idmap
winbind enum users = Yes
winbind enum groups = no
winbind use default domain = no
winbind trusted domains only = no
#ldap time out default is 15 sec
ldap timeout=30
# idmap domains = WINDOMAIN, TESTDOMAIN
idmap domains = WINDOMAIN
idmap config WINDOMAIN:backend = ldap
idmap config WINDOMAIN:readonly = no
idmap config WINDOMAIN:default=no
idmap config WINDOMAIN:ldap_base_dn = ou=windomain,ou=idmap,o=mydomain.com
idmap config WINDOMAIN:ldap_user_dn = cn=Directory Manager
idmap config WINDOMAIN:ldap_url =ldap1.mydomain.com
idmap config WINDOMAIN:range = 30000-39999
#idmap config TESTDOMAIN:backend = ldap
#idmap config TESTDOMAIN:readonly = no
#idmap config TESTDOMAIN:default=no
#idmap config TESTDOMAIN:ldap_base_dn =ou=testdomain,ou=idmap,o=mydomain.com
#idmap config TESTDOMAIN:ldap_user_dn = cn=Directory Manager
#idmap config TESTDOMAIN:ldap_url =ldap1.mydomain.com
#idmap config TESTDOMAIN:range = 40000-49999
idmap alloc backend = ldap
idmap alloc config:ldap_base_dn = ou=alloc,ou=idmap,o=mydomain.com
idmap alloc config:ldap_user_dn = cn=Directory Manager
idmap alloc config:ldap_url = ldap1.mydomain.com
idmap alloc config:range = 70000 - 79999
----------------------------------------------------------------------------------------------

Getting the correct (or mostly correct) syntax took a little while. /etc/nsswitch.conf is configured for winbind.

When I first run "wbinfo -u" and "wbinfo -g", samba would populate entries for the WINDOMAIN accounts in windomain,ou=idmap,o=mydomain.com. The IDs would be in the 70000 range, not the 30000 range, which is fine with me since entries for each domain were still in the correct ldap container. "getent passwd" and "getent group" would show the WINDOMAIN domain accounts. Everything would be fine for several days. However, after a few days, getent commands no longer showed the WINDOMAIN accounts. The only solution would be to stop winbind, delete the idmap entries from ldap, restart winbind and let the entries repopulate.

I am unclear on whether the "idmap config SOMEDOMAIN:range" setting for each domain should be within the "idmap alloc config:range". The syntax for this seems to change with different versions of samba.

Any thoughts? Thanks
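Two checks for the two things the post raises (mappings landing in the 70000 alloc range instead of the configured 30000-39999 domain range, and whether per-domain ranges and the alloc range overlap), as an added example that is not the poster's code: it parses the idmap range directives out of smb.conf and compares them with sambaIdmapEntry objects exported as LDIF. The SIDs, ID values and the LDIF sample are constructed; real ldapsearch output from the ou=idmap tree would be fed in the same way.

```python
import re

# Constructed sample: only the idmap range lines from the poster's smb.conf
SMB_CONF = """
idmap config WINDOMAIN:range = 30000-39999
idmap alloc config:range = 70000 - 79999
"""
# Constructed LDIF in the shape ldapsearch prints sambaIdmapEntry objects (sample SIDs/IDs)
IDMAP_LDIF = """
dn: sambaSID=S-1-5-21-1111-2222-3333-1105,ou=windomain,ou=idmap,o=mydomain.com
sambaSID: S-1-5-21-1111-2222-3333-1105
uidNumber: 70001

dn: sambaSID=S-1-5-21-1111-2222-3333-513,ou=windomain,ou=idmap,o=mydomain.com
sambaSID: S-1-5-21-1111-2222-3333-513
gidNumber: 30512
"""
# Matches both "idmap config DOMAIN:range = a-b" and "idmap alloc config:range = a - b";
# lines commented out with '#' never match because of the anchored "idmap" prefix.
RANGE_RE = re.compile(r"^\s*idmap\s+(?:config\s+([^:\s]+):|alloc\s+config:)range\s*=\s*(\d+)\s*-\s*(\d+)", re.I)

def parse_ranges(conf):
    """Map 'WINDOMAIN' / 'ALLOC' to (low, high) from smb.conf text."""
    found = (RANGE_RE.match(line) for line in conf.splitlines())
    return {(m.group(1) or "alloc").upper(): (int(m.group(2)), int(m.group(3))) for m in found if m}

def parse_ldif(ldif):
    """One {attribute: value} dict per blank-line-separated LDIF entry."""
    return [dict((k.strip(), v.strip()) for k, _, v in (l.partition(":") for l in block.splitlines()))
            for block in re.split(r"\n\s*\n", ldif.strip())]

def out_of_range(conf, ldif):
    """(sid, id, domain, range) for every mapping whose uid/gid lies outside its container's range."""
    ranges, bad = parse_ranges(conf), []
    for e in parse_ldif(ldif):
        m = re.search(r"ou=([^,]+),ou=idmap", e.get("dn", ""), re.I)  # container ou names the domain
        dom = m.group(1).upper() if m else None
        if dom not in ranges or "sambaSID" not in e:
            continue  # unconfigured container, or a pool/counter object rather than a mapping
        low, high = ranges[dom]
        for attr in ("uidNumber", "gidNumber"):
            if attr in e and not low <= int(e[attr]) <= high:
                bad.append((e["sambaSID"], int(e[attr]), dom, (low, high)))
    return bad

def overlapping_ranges(conf):
    """Pairs of configured ranges (per-domain and alloc) that intersect; should be empty."""
    r = parse_ranges(conf)
    keys = sorted(r)
    return [(a, b) for i, a in enumerate(keys) for b in keys[i + 1:]
            if r[a][0] <= r[b][1] and r[b][0] <= r[a][1]]
```

On the sample, the uid 70001 mapping under ou=windomain is reported as outside 30000-39999, which is exactly the "70000 range not the 30000 range" observation; a mapping that silently changes container or range is what breaks file ownership, so this is worth running before deleting and repopulating entries.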