Hi,

I tried to configure the new idmap interface. Currently without much success.

I have two samba domains, trusting each other. Each PDC uses its own LDAP server. I tried

idmap domains = DOM1, DOM2
idmap config DOM1:default = yes
idmap config DOM1:backend = ldap
idmap config DOM1:ldap_base_dn = ou=Idmap,dc=dom1,dc=mydomain,dc=de
idmap config DOM1:ldap_url = ldap://192.168.0.1
idmap config DOM1:range = 10000 - 20000
idmap alloc backend = ldap
idmap config DOM2:default = no
idmap config DOM2:backend = ldap
idmap config DOM2:ldap_base_dn = ou=Idmap,dc=dom2,dc=mydomain,dc=de
idmap config DOM2:ldap_url = ldap://192.168.1.1
idmap config DOM2:range = 10000 - 20000

idmap uid = 10000-20000
idmap gid = 10000-20000
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%U
template shell = /bin/false
winbind nested groups = yes
winbind cache time = 300
winbind nss info = template
winbind use default domain = yes

But then I have the problem that Samba uses the "ldap admin dn" account and password for both LDAP servers, but each has its own. How can I configure a second password for my trusted domain?

Is there any useful documentation, best would be with different samples, of the new idmap interface? The manpage didn't help me much for understanding this.

Regards
Marc
On Tue, 2007-09-11 at 14:39 +0200, Marc Muehlfeld wrote:
> Hi,
>
> I tried to configure the new idmap interface. Currently without much success.
>
> I have two samba domains, trusting each other. Each PDC uses its own LDAP
> server. I tried
>
> idmap domains = DOM1, DOM2
> idmap config DOM1:default = yes
> idmap config DOM1:backend = ldap
> idmap config DOM1:ldap_base_dn = ou=Idmap,dc=dom1,dc=mydomain,dc=de
> idmap config DOM1:ldap_url = ldap://192.168.0.1
> idmap config DOM1:range = 10000 - 20000
> idmap alloc backend = ldap
-----------^^^^^^^^^^^^^^^^^^^^^^^^^^

this is not enough, you have to explicitly configure the alloc backend
For example:

idmap alloc config:ldap_base_dn = ou=Idmap,dc=dom1,dc=mydomain,dc=de
idmap alloc config:ldap_user_dn = <the privileged user dn>
idmap alloc config:ldap_url = ldap://192.168.0.1
idmap alloc config:range = 10000-20000

> idmap config DOM2:default = no
> idmap config DOM2:backend = ldap
> idmap config DOM2:ldap_base_dn = ou=Idmap,dc=dom2,dc=mydomain,dc=de
> idmap config DOM2:ldap_url = ldap://192.168.1.1
> idmap config DOM2:range = 10000 - 20000
>
> idmap uid = 10000-20000
> idmap gid = 10000-20000

no need to add these if you use the new options

> winbind separator = +
> winbind enum users = yes
> winbind enum groups = yes
> template homedir = /home/%U
> template shell = /bin/false
> winbind nested groups = yes
> winbind cache time = 300
> winbind nss info = template
> winbind use default domain = yes
>
> But then I have the problem that Samba uses the "ldap admin dn" account and
> password for both LDAP servers, but each has its own. How can I configure a
> second password for my trusted domain?

you have to specify the ldap_user_dn option for each domain and then use net idmap secret
In your case probably

net idmap secret DOM1 <secret1>
net idmap secret alloc <secret1>
net idmap secret DOM2 <secret2>

However if you read the man pages for idmap_ldap you will find all this information.

> Is there any useful documentation, best would be with different samples, of
> the new idmap interface? The manpage didn't help me much for understanding this.

Maybe because you didn't read the actually relevant man page:
man idmap_ldap

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: idra@samba.org
http://samba.org
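The corrected smb.conf fragment that Simo's reply implies, assembled here as an added example (it is not text from either poster): it keeps the base DNs, URLs and ranges from Marc's post, adds the explicit allocator settings and a per-domain ldap_user_dn, and drops the old idmap uid/gid lines. The bind DNs cn=idmap-admin,... are assumptions; the bind passwords never go into smb.conf but into secrets.tdb via net idmap secret, so a readable smb.conf does not leak the directory credentials.

```ini
# Added example: idmap configuration for a member server in DOM1 with a
# trust to DOM2, each domain backed by its own LDAP server.
# Values not taken from the thread (the cn=idmap-admin DNs) are assumptions.

[global]
    ; every domain winbind has to map, one idmap config group per domain
    idmap domains = DOM1, DOM2

    ; DOM1: the server's own domain, flagged as the default
    idmap config DOM1:default      = yes
    idmap config DOM1:backend      = ldap
    idmap config DOM1:ldap_base_dn = ou=Idmap,dc=dom1,dc=mydomain,dc=de
    idmap config DOM1:ldap_url     = ldap://192.168.0.1
    ; bind DN for DOM1's directory (assumed DN); the password is NOT set here
    idmap config DOM1:ldap_user_dn = cn=idmap-admin,dc=dom1,dc=mydomain,dc=de
    idmap config DOM1:range        = 10000 - 20000

    ; DOM2: the trusted domain, reached through its own LDAP server with
    ; its own bind DN, which is what replaces the single "ldap admin dn"
    idmap config DOM2:default      = no
    idmap config DOM2:backend      = ldap
    idmap config DOM2:ldap_base_dn = ou=Idmap,dc=dom2,dc=mydomain,dc=de
    idmap config DOM2:ldap_url     = ldap://192.168.1.1
    idmap config DOM2:ldap_user_dn = cn=idmap-admin,dc=dom2,dc=mydomain,dc=de
    idmap config DOM2:range        = 10000 - 20000

    ; the allocator is a separate backend: naming it is not enough,
    ; it needs its own base DN, bind DN, URL and range
    idmap alloc backend = ldap
    idmap alloc config:ldap_base_dn = ou=Idmap,dc=dom1,dc=mydomain,dc=de
    idmap alloc config:ldap_user_dn = cn=idmap-admin,dc=dom1,dc=mydomain,dc=de
    idmap alloc config:ldap_url     = ldap://192.168.0.1
    idmap alloc config:range        = 10000-20000

    ; "idmap uid" / "idmap gid" are intentionally absent: the per-domain
    ; and allocator ranges above replace them

    ; Bind passwords are stored in secrets.tdb, one per backend; the
    ; allocator talks to DOM1's server, so it gets DOM1's secret:
    ;   net idmap secret DOM1  <secret1>
    ;   net idmap secret alloc <secret1>
    ;   net idmap secret DOM2  <secret2>
```

After restarting winbindd, `wbinfo -g` should list DOM2 groups with the `+` separator, and `getent group DOM2+<group>` should resolve a uid/gid from the DOM2 tree. One caveat worth checking in such a setup: the ranges are kept identical to the original post, but if both directories hand out ids from the same range, one uid can end up mapped to a different SID on each server; giving each domain a disjoint range avoids that ambiguity.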
Sorry if I already asked about this, do you see the TestGroup from PASING if you do a getent PASING\\TestGroup ?

If so there seems to be something fishy as from the log it seems to recognize this group comes from the trusted domain, but still tries to see if it is mapped with Group Mapping, might be a bug, need to drill more into it, and unfortunately, right now I don't have a setup like yours to test.

Simo.

On Wed, 2007-09-12 at 09:49 +0200, Marc Muehlfeld wrote:
> Hi,
>
> for easier explanation I used easy expressions on my last postings. Below I
> provide the original messages/logs, because I don't wanna confuse someone in
> this huge logfile.
>
> Just for explanation:
> MUC = First domain
> GENOME = PDC of MUC (Samba 3.0.22)
> OPERON = MemberServer in domain MUC (Samba 3.0.26a)
> IT-10 = Workstation in domain PASING (WinXP SP2)
> PASING = Second domain
> CODON = PDC of PASING (Samba 3.0.25c)
>
>
> simo wrote:
> > This is smbd trying to find the group in its SAM (which happens to be on
> > LDAP as well). Are you sure you have a trust with DOM2 ?
>
> # net rpc trustdom list
> Trusted domains list:
>
> PASING S-1-5-21-1183370737-3874734740-1589004535
>
> Trusting domains list:
>
> PASING S-1-5-21-1183370737-3874734740-1589004535
>
>
> > If so can you please provide the full file log, as before this call
> > there may be useful information.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: idra@samba.org
http://samba.org
simo wrote:
> Sorry if I already asked about this, do you see the TestGroup from
> PASING if you do a getent PASING\\TestGroup ?

Do you mean a "getent group" from a member of the PASING domain? Yes.

# getent group | grep TestGroup
TestGroup:x:7500:muehlfeld

From the MUC member server I also see the group through winbind:

# wbinfo -g | grep -i TestGroup
PASING+testgroup

> If so there seems to be something fishy as from the log it seems to
> recognize this group comes from the trusted domain, but still tries to
> see if it is mapped with Group Mapping, might be a bug, need to drill
> more into it, and unfortunately, right now I don't have a setup like yours
> to test.

Just tell me what I could do for you to find what could be wrong.

Regards
Marc
Is it the same problem I tried to explain here?
http://lists.samba.org/archive/samba/2007-September/135060.html

It looks like a bug to me as it works in 3.0.24

Regards,
Thomas

Marc Muehlfeld wrote:
> simo wrote:
>> Sorry if I already asked about this, do you see the TestGroup from
>> PASING if you do a getent PASING\\TestGroup ?
>
> Do you mean a "getent group" from a member of the PASING domain? Yes.
>
> # getent group | grep TestGroup
> TestGroup:x:7500:muehlfeld
>
> From the MUC member server I also see the group through winbind:
>
> # wbinfo -g | grep -i TestGroup
> PASING+testgroup
>
>> If so there seems to be something fishy as from the log it seems to
>> recognize this group comes from the trusted domain, but still tries to
>> see if it is mapped with Group Mapping, might be a bug, need to drill
>> more into it, and unfortunately, right now I don't have a setup like yours
>> to test.
>
> Just tell me what I could do for you to find what could be wrong.
>
> Regards
> Marc