Dear Samba Users,
I've got a problem with the ID-Mapping at a Samba (3.0.22 / Ubuntu
Dapper) Setup with an LDAP Backend. I do the following:
1. Access a samba share at a Samba member server from a windows client
2. Set an acl entry for a group of the domain.
The group exists in the LDAP backend as a samba group. But the member
server will create an idmap entry for this group. The acl entry at the
underlying filesystem will be created with the newly created idmap gid.
If I do the same with a file on a share of the domain controller,
everything works as expected. On the filesystem, the ACL entry will be
created with the correct group id.
I look at the ldap logfile and see the following:
The domain controller searches for the group entry at the LDAP backend.
It will be found. But the member server searches only for Idmap entries
at ldap. As it found no entry for the group, it will create an entry.
Where is my configuration-mistake?
* global section of smb.conf on DC
[global]
workgroup = LWLAB
domain logons = yes
domain master = yes
preferred master = yes
security = user
passdb backend = ldapsam:ldap://127.0.0.1
ldap suffix = dc=lwlab,dc=de
ldap admin dn = cn=sambaadmin,dc=lwlab,dc=de
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
#ldap idmap suffix = ou=Users
ldap passwd sync = yes
ldap delete dn = Yes
obey pam restrictions = no
idmap backend = ldap:ldap://192.168.5.11
idmap uid = 15000-20000
idmap gid = 15000-20000
passwd program = /usr/sbin/smbldap-passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
add user script = /usr/sbin/smbldap-useradd -m "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
wins support = yes
* global section of smb.conf on member server
[global]
workgroup = LWLAB
netbios name = fileserv
security = domain
wins server = 192.168.5.11
password server = 192.168.5.11
ldap suffix = dc=lwlab,dc=de
ldap admin dn = cn=sambaadmin,dc=lwlab,dc=de
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
idmap backend = ldap:ldap://192.168.5.11
ldap idmap suffix = ou=Idmap
idmap uid = 15000-20000
idmap gid = 15000-20000
Best regards,
Martin Werthmoeller
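A way to check for the divergence the post describes, added here as an example and not part of the original message or of Samba: parse LDIF exports of the ou=Groups and ou=Idmap subtrees and report every SID whose gidNumber in the sambaGroupMapping entry (what the DC uses) differs from the gidNumber in the sambaIdmapEntry (what the member server with "idmap backend = ldap" uses). Such a SID owns different filesystem gids on the two hosts, which is exactly what shows up as a wrong ACL entry on the member server. The LDIF below is constructed sample data; the SIDs and gid values are made up.

```python
"""Consistency check between Samba group mappings and idmap entries in LDAP.

Added example, not part of the original mailing-list post. It assumes LDIF
exports of ou=Groups (sambaGroupMapping entries) and ou=Idmap
(sambaIdmapEntry entries), e.g. from ldapsearch -LLL, and reports SIDs that
resolve to different gidNumbers in the two subtrees.
"""
from typing import Dict, List, Tuple

# Constructed sample LDIF (not from the poster's directory). SIDs and gids
# are invented for illustration; the first group has a divergent idmap entry.
SAMPLE_LDIF = """\
dn: cn=staff,ou=Groups,dc=lwlab,dc=de
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: staff
gidNumber: 1005
sambaSID: S-1-5-21-1111-2222-3333-3011

dn: sambaSID=S-1-5-21-1111-2222-3333-3011,ou=Idmap,dc=lwlab,dc=de
objectClass: sambaIdmapEntry
sambaSID: S-1-5-21-1111-2222-3333-3011
gidNumber: 15001

dn: cn=finance,ou=Groups,dc=lwlab,dc=de
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: finance
gidNumber: 1006
sambaSID: S-1-5-21-1111-2222-3333-3013

dn: sambaSID=S-1-5-21-1111-2222-3333-3013,ou=Idmap,dc=lwlab,dc=de
objectClass: sambaIdmapEntry
sambaSID: S-1-5-21-1111-2222-3333-3013
gidNumber: 1006
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF parser: blank-line separated entries of 'attr: value' lines.
    Continuation lines (leading space) are folded onto the previous value.
    Attribute names are lower-cased so lookups are case-insensitive.
    """
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    last_attr = None
    for raw in text.splitlines():
        if raw.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += raw[1:]
            continue
        if not raw.strip():
            if current:
                entries.append(current)
                current, last_attr = {}, None
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip().lower()
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def sid_to_gid(entries: List[Dict[str, List[str]]], object_class: str) -> Dict[str, int]:
    """Map sambaSID -> gidNumber for entries carrying the given objectClass."""
    mapping: Dict[str, int] = {}
    for entry in entries:
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if object_class.lower() in classes and "sambasid" in entry and "gidnumber" in entry:
            mapping[entry["sambasid"][0]] = int(entry["gidnumber"][0])
    return mapping


def find_conflicts(text: str) -> Dict[str, Tuple[int, int]]:
    """Return {sid: (group gidNumber, idmap gidNumber)} where the two disagree.

    The DC (ldapsam backend) resolves a SID through its sambaGroupMapping
    entry; a member server with 'idmap backend = ldap' resolves the same SID
    through ou=Idmap. A differing gid means the two hosts write different
    group ids into the filesystem ACL for the same domain group.
    """
    entries = parse_ldif(text)
    groups = sid_to_gid(entries, "sambaGroupMapping")
    idmap = sid_to_gid(entries, "sambaIdmapEntry")
    return {
        sid: (groups[sid], idmap[sid])
        for sid in groups
        if sid in idmap and groups[sid] != idmap[sid]
    }


if __name__ == "__main__":
    for sid, (group_gid, idmap_gid) in find_conflicts(SAMPLE_LDIF).items():
        print(f"{sid}: group gidNumber={group_gid} but idmap gidNumber={idmap_gid}")
```

Run it against a real export by replacing SAMPLE_LDIF with the output of an ldapsearch over the base DN; every SID it prints has already been handed a gid from the idmap range that does not match the group's own gidNumber, so the ACLs written by the member server for that group will not line up with those written on the DC.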