Hi,

This is probably documented somewhere very obvious but I do not seem to be able to find it.

Many years ago I configured my Samba server with an LDAP backend. I also put in the parameter 'ldap idmap suffix = ou=Idmap' in my smb.conf file too as per:

<http://au1.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html#id2571568>

Amazingly enough I now have to add two more member servers; checking via GQ I see that the ou=Idmap tree is actually empty.

Should it be?

If not, how can I -- is there a way, even -- have it populated with the existing Idmaps? My users are able to login to their machines perfectly fine (everything is run via LDAP).

Thanks,
Anand
On Sun, Apr 13, 2008 at 10:23 PM, Anand Kumria <wildfire@progsoc.org> wrote:
> Hi,
>
> This is probably documented somewhere very obvious but I do not seem to
> be able to find it.
>
> Many years ago I configured my Samba server with an LDAP backend. I also
> put in the parameter 'ldap idmap suffix = ou=Idmap' in my smb.conf file
> too as per:
>
> <http://au1.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html#id2571568>
>
> Amazingly enough I now have to add two more members servers, checking via
> GQ I see that the ou=Idmap tree is actually empty.
>
> Should it be?
>
> If not, how can I -- is there a way, even -- have it populated with the
> existing Idmaps? My users are able to login to their machines perfectly
> fine (everything is run via LDAP).

For a samba 3.0.28a member server using domain security and ldap and winbind enabled I had the same problem a few weeks ago and it ended up preventing my acls from working correctly. Basically after adding acls in windows xp they would be removed after applying. There would be an error in the samba logs, something like "could not allocate a UID or GID". I checked my ldap and the idmap tree was completely empty. So I decided to see if I could tell the format of what belongs in there and, if I entered it, whether that would fix the problem. I googled for a while and found a red hat doc that showed a slapcat with idmap entries. I then added the entry for a test user via slapadd, and then I added the user to an acl in windows and clicked accept and it took.

So I looked deeper into the error and I found the two wbinfo allocate calls fail:

# wbinfo --allocate-uid
Could not allocate a uid
# wbinfo --allocate-gid
Could not allocate a gid

but most other wbinfo stuff works ( -u -g -t ...). So at this point I set my winbind to use tdbsam and then I restarted samba and sure enough the properties tab of XP worked as expected.

At that point I found a tool that would dump what was in a .tdb file and I wrote a shell script to populate the ldap with that. I am sorry I am not more specific but I am not at work and I did this stuff over a month ago. Anyways, after populating the idmap tree from the .tdb file (in /var/cache/samba/) my acls work in XP for all users and groups that are in the tree. I switched back to using ldap to store winbind data because this is by no means the only samba server on our network.

John
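The tdb-to-LDAP population John describes above, and the allocation failure he asks about later in the thread, written out as an added example (this is not John's script and not Samba code). It assumes the `tdbdump` listing format shown in the constructed sample, that the idmap suffix is `ou=Idmap,dc=example,dc=com`, and that the `sambaIdmapEntry`, `sambaSidEntry` and `sambaUnixIdPool` classes from samba.schema are loaded in OpenLDAP.

```python
import re

# Constructed sample of `tdbdump winbindd_idmap.tdb` output (assumed format:
# each record is a key(len)/data(len) pair, trailing NUL printed as \00).
SAMPLE_DUMP = r'''
{
key(10) = "UID 10001\00"
data(47) = "S-1-5-21-1111111111-2222222222-3333333333-1001\00"
}
{
key(47) = "S-1-5-21-1111111111-2222222222-3333333333-1001\00"
data(10) = "UID 10001\00"
}
{
key(10) = "GID 10002\00"
data(47) = "S-1-5-21-1111111111-2222222222-3333333333-1002\00"
}
'''

def parse_tdbdump(text):
    """Return {(kind, number): sid} from the UID/GID -> SID records only;
    the SID -> UID/GID records restate the same mapping and are skipped."""
    mappings = {}
    pairs = re.findall(r'key\(\d+\) = "([^"]*)"\s+data\(\d+\) = "([^"]*)"', text)
    for key, data in pairs:
        key, data = key.replace(r'\00', ''), data.replace(r'\00', '')
        m = re.fullmatch(r'(UID|GID) (\d+)', key)
        if m and data.startswith('S-1-'):
            mappings[(m.group(1), int(m.group(2)))] = data
    return mappings

def idmap_ldif(mappings, suffix):
    """LDIF adding one sambaIdmapEntry (samba.schema) per mapping under suffix."""
    entries = []
    for (kind, num), sid in sorted(mappings.items(), key=lambda kv: kv[1]):
        attr = 'uidNumber' if kind == 'UID' else 'gidNumber'
        entries.append(f'dn: sambaSID={sid},{suffix}\nobjectClass: sambaIdmapEntry\n'
                       f'objectClass: sambaSidEntry\nsambaSID: {sid}\n{attr}: {num}\n')
    return '\n'.join(entries)

def pool_ldif(mappings, suffix, low=10000):
    """LDIF making the suffix entry the sambaUnixIdPool winbind allocates new ids
    from; a missing or unwritable pool is one cause of "Could not allocate a uid"."""
    nxt = {k: max([n for kk, n in mappings if kk == k], default=low - 1) + 1
           for k in ('UID', 'GID')}
    return (f'dn: {suffix}\nchangetype: modify\nadd: objectClass\n'
            f'objectClass: sambaUnixIdPool\n-\nadd: uidNumber\nuidNumber: {nxt["UID"]}\n'
            f'-\nadd: gidNumber\ngidNumber: {nxt["GID"]}\n')
```

Feed the output of `idmap_ldif` to `ldapadd` and of `pool_ldif` to `ldapmodify` as the DN named in `ldap admin dn`; afterwards `wbinfo --allocate-uid` should succeed against the pool.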
idmap will only be populated if you are using winbind.

Anand Kumria wrote:
> Hi,
>
> This is probably documented somewhere very obvious but I do not seem to
> be able to find it.
>
> Many years ago I configured my Samba server with an LDAP backend. I also
> put in the parameter 'ldap idmap suffix = ou=Idmap' in my smb.conf file
> too as per:
>
> <http://au1.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html#id2571568>
>
> Amazingly enough I now have to add two more members servers, checking via
> GQ I see that the ou=Idmap tree is actually empty.
>
> Should it be?
>
> If not, how can I -- is there a way, even -- have it populated with the
> existing Idmaps? My users are able to login to their machines perfectly
> fine (everything is run via LDAP).
>
> Thanks,
> Anand
On Mon, Apr 14, 2008 at 9:32 AM, Adam Williams <awilliam@mdah.state.ms.us> wrote:
> idmap will only be populated if you are using winbind.

In my case I was using winbind and it was not populated because winbind could not allocate a uid or gid. Any ideas how to debug that?

John
Hi Adam,

On Mon, 14 Apr 2008 08:32:31 -0500, Adam Williams wrote:
> idmap will only be populated if you are using winbind.

Ah, that is definitely not clear from what I read. The configuration example and text at
<http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/passdb.html#idmapbackendexample>
seem to indicate that I can just use the idmap parameters and it will be populated.

Perhaps, though, I am asking the wrong question.

Here is what I have (on one Linux server):
- OpenLDAP
- Samba 3.0, user data stored in LDAP
- local Unix users / groups resolved via LDAP

I have added another Linux machine and local Unix users / groups are resolved via LDAP. I now want to have Samba on this additional machine also reference the existing directory information.

Should I be running winbindd in this situation?

Thanks,
Anand
Anand Kumria wrote:
> Hi Adam,
>
> On Mon, 14 Apr 2008 08:32:31 -0500, Adam Williams wrote:
>
> <snip>
> Here is what I have (on one Linux server):
> - OpenLDAP
> - Samba 3.0, user data stored in LDAP
> - local Unix users / groups resolved via LDAP
>
> I have added another Linux machine and local Unix users / groups are
> resolved via LDAP. I now want to have Samba on this additional machine
> also reference the existing directory information.
>
> Should I be running winbindd in this situation?

Not really; winbind is used for things like a samba server authenticating against a Windows server and NTLM authentication.

You can just make the second box look at the ldap server on the first, or if you like, run an ldap slave on the second machine for redundancy and have samba look at that.

> Thanks,
> Anand

Michael Heydon - IT Administrator
michaelh@jaswin.com.au
> > Should I be running winbindd in this situation?
>
> Not really, winbind is used for things like a samba server authenticating
> against a Windows server and NTLM authentication.
>
> You can just make the second box look at the ldap server on the first, or
> if you like, run an ldap slave on the second machine for redundancy and have
> samba look at that.

I have found that winbind is needed also in a samba domain if you want the windows properties tab to show the user names for acls other than the default. Without winbind, sids will be shown for all extended acls in the properties tab.

John
> Perhaps, though, I am asking the wrong question.
>
> Here is what I have (on one Linux server):
> - OpenLDAP
> - Samba 3.0, user data stored in LDAP
> - local Unix users / groups resolved via LDAP
>
> I have added another Linux machine and local Unix users / groups are
> resolved via LDAP. I now want to have Samba on this additional machine
> also reference the existing directory information.
>
> Should I be running winbindd in this situation?

If you are not using windows machines with samba you do not need winbind or idmap.

John
--
John M. Drescher