Andy Igoshin
2013-Dec-07 13:57 UTC
[Samba] samba4 DC, internal winbind_server: external idmap problem
Hi!

I run samba 4.1.2 in DC mode. win7 client joined to this domain successfully.

Now I try to configure external idmap.
I would like it to use our existing ldap server:

idmap config DOM : backend = rfc2307
idmap config DOM : range = 1110000-1119999
idmap config DOM : ldap_server = stand-alone
idmap config DOM : ldap_url = ldap://ldap.domain.ru
idmap config DOM : ldap_user_dn = uid=ldapmaster,cn=ldap.domain.ru
idmap config DOM : bind_path_user = cn=dom.domain.ru
idmap config DOM : bind_path_group = cn=dom.domain.ru
idmap config DOM : cache time = 1800
winbind nss info = rfc2307

I created a user 'test2' in samba DC.
In ldap.domain.ru there is the user uid=test2,cn=dom.domain.ru with such attributes:
uidNumber = 1113535
gidNumber = 1113535
objectSid = S-1-5-21-1982177496-2241683161-2840224108-1106 (I got it from samba DC)

When I run wbinfo to get user's info I expect it to go to ldap.domain.ru. But it does not happen. It looks like wbinfo returns values from internal automatic idmap.

# wbinfo -S S-1-5-21-1982177496-2241683161-2840224108-1106
3000019
# wbinfo -U 1113535
S-1-22-1-1113535

Do I misunderstand something?
Is it possible to use idmap in such mode?

Regards,
--
Andy Igoshin <ai at vsu.ru>, Voronezh State University, Network Operation Center
sip: ai at vsu.ru
phone: +7 473 2281160, ext. 2020
Voronezh, Russia
Rowland Penny
2013-Dec-07 15:34 UTC
[Samba] samba4 DC, internal winbind_server: external idmap problem
On 07/12/13 13:57, Andy Igoshin wrote:
> Hi!
>
> I run samba 4.1.2 in DC mode. win7 client joined to this domain successfully.
>
> Now I try to configure external idmap.
> I would like it to use our existing ldap server:
>
> idmap config DOM : backend = rfc2307
> idmap config DOM : range = 1110000-1119999
> idmap config DOM : ldap_server = stand-alone
> idmap config DOM : ldap_url = ldap://ldap.domain.ru
> idmap config DOM : ldap_user_dn = uid=ldapmaster,cn=ldap.domain.ru
> idmap config DOM : bind_path_user = cn=dom.domain.ru
> idmap config DOM : bind_path_group = cn=dom.domain.ru
> idmap config DOM : cache time = 1800
> winbind nss info = rfc2307
>
> I created a user 'test2' in samba DC.
> In ldap.domain.ru there is the user uid=test2,cn=dom.domain.ru with such attributes:
> uidNumber = 1113535
> gidNumber = 1113535
> objectSid = S-1-5-21-1982177496-2241683161-2840224108-1106 (I got it from samba DC)
>
> When I run wbinfo to get user's info I expect it to go to ldap.domain.ru. But it does not happen. It looks like wbinfo returns values from internal automatic idmap.
>
> # wbinfo -S S-1-5-21-1982177496-2241683161-2840224108-1106
> 3000019
> # wbinfo -U 1113535
> S-1-22-1-1113535
>
> Do I misunderstand something?

Yes, quite a lot.

> Is it possible to use idmap in such mode?

No, there is no 'idmap config DOM : backend = rfc2307' for instance, and I have never heard of anybody trying what you are suggesting. You want to use AD but get the users' info from an LDAP server; I do not think this will ever work.

I would suggest that you start here: https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO

Rowland
steve
2013-Dec-07 18:05 UTC
[Samba] samba4 DC, internal winbind_server: external idmap problem
On Sat, 2013-12-07 at 17:57 +0400, Andy Igoshin wrote:
> Hi!
>
> I run samba 4.1.2 in DC mode. win7 client joined to this domain successfully.
>
> Now I try to configure external idmap.
> I would like it to use our existing ldap server:
>
> idmap config DOM : backend = rfc2307
> idmap config DOM : range = 1110000-1119999
> idmap config DOM : ldap_server = stand-alone
> idmap config DOM : ldap_url = ldap://ldap.domain.ru
> idmap config DOM : ldap_user_dn = uid=ldapmaster,cn=ldap.domain.ru
> idmap config DOM : bind_path_user = cn=dom.domain.ru
> idmap config DOM : bind_path_group = cn=dom.domain.ru
> idmap config DOM : cache time = 1800
> winbind nss info = rfc2307
>

Phew. I don't think that's gonna go. I'm assuming from this configuration, you already have (perhaps an NT) domain but none of the information in the same exists in your new AD provision. Did you provision the domain from scratch? If not... Maybe the best way to proceed is to use samba-tool domain classicupgrade on your existing ldap database. There's a howto here:
http://wiki.samba.org/index.php/Samba4/samba-tool/domain/classicupgrade/HOWTO

We see many here run into trouble trying to maintain an external second idmap database in addition to AD. I strongly recommend storing your existing rfc2307 attributes in the same database, i.e. in AD, along with all the other pertinent machine and user information. The classicupgrade will get these across for you.

> I created a user 'test2' in samba DC.
> In ldap.domain.ru there is the user uid=test2,cn=dom.domain.ru with such attributes:
> uidNumber = 1113535
> gidNumber = 1113535
> objectSid = S-1-5-21-1982177496-2241683161-2840224108-1106 (I got it from samba DC)
>
> When I run wbinfo to get user's info I expect it to go to ldap.domain.ru. But it does not happen. It looks like wbinfo returns values from internal automatic idmap.
>
> # wbinfo -S S-1-5-21-1982177496-2241683161-2840224108-1106
> 3000019
> # wbinfo -U 1113535
> S-1-22-1-1113535
>
> Do I misunderstand something?
> Is it possible to use idmap in such mode?
>

OK, but remember that wbinfo isn't going to give a realistic view of what the file system expects. E.g. does getent passwd test2 return anything realistic? What do you have for the passwd stanza in /etc/nsswitch.conf?

We can get you there, but we don't have enough information on what you have at the moment, especially where and what is stored in your ldap currently.

Cheers,
Steve
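As an added example (not from the thread and not Samba's own tooling), a small POSIX shell check that mechanically catches the two symptoms the wbinfo answers above show: a uid outside the configured idmap range, and a reverse lookup answered from the S-1-22-1 "Unix Users" SID namespace instead of the domain. The range and domain SID are the ones from Andy's config; live_check assumes wbinfo and getent are available on the DC, and the sample values at the bottom are constructed copies of the two answers quoted in the thread.

```shell
# Added example: classify winbind's idmap answers against the configured range/domain.
RANGE_LO=1110000
RANGE_HI=1119999
DOM_SID="S-1-5-21-1982177496-2241683161-2840224108"

# classify_uid UID: in-range if UID lies inside the configured idmap range.
classify_uid() {
    if [ "$1" -ge "$RANGE_LO" ] && [ "$1" -le "$RANGE_HI" ]; then
        echo in-range
    else
        echo outside-range
    fi
}

# classify_sid SID: which namespace the answer is from. S-1-22-1-N is a local
# Unix uid wrapped as a SID, i.e. winbind found no domain account for that uid.
classify_sid() {
    case "$1" in
        "$DOM_SID"-*) echo domain ;;
        S-1-22-1-*)   echo unix-users ;;
        S-1-22-2-*)   echo unix-groups ;;
        *)            echo other ;;
    esac
}

# diagnose UID_FROM_SID SID_FROM_UID: backend-used only when the forward
# (SID -> uid) and reverse (uid -> SID) answers both match the configured
# range and domain; otherwise the mapping came from somewhere else (on a DC,
# the internal idmap.ldb allocation).
diagnose() {
    if [ "$(classify_uid "$1")" = in-range ] && [ "$(classify_sid "$2")" = domain ]; then
        echo backend-used
    else
        echo internal-idmap
    fi
}

# live_check USER: the same comparison against a running DC, plus the uid the
# NSS layer (getent) reports, as Steve suggests. Assumes wbinfo and getent exist.
live_check() {
    sid=$(wbinfo -n "$1" 2>/dev/null | awk '{print $1}')
    [ -n "$sid" ] || return 1
    uid_wb=$(wbinfo -S "$sid") || return 1
    uid_nss=$(getent passwd "$1" | cut -d: -f3)
    verdict=$(diagnose "$uid_wb" "$(wbinfo -U "$uid_wb")")
    echo "sid=$sid wbinfo_uid=$uid_wb getent_uid=${uid_nss:-none} $verdict"
}

# Constructed sample: the two wbinfo answers quoted in the thread.
diagnose 3000019 "S-1-22-1-1113535"   # prints internal-idmap
```

Run live_check 'DOM\test2' on the DC to see whether the uid winbind hands out agrees with what getent (and therefore the file system) will use.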