[Samba] Idmap and ldap backend not working on domain member

Krištof Petr Petr at kristof.cz
Fri Feb 20 17:08:05 GMT 2004


Hello,

On a domain member, idmap against ldap is not working.

I tried to dump the network communication between MEMBER and the ldap
server, but Ethereal (0.10.0a) says the packets (3 in total) are
corrupted and cannot be analysed (I have ldap ssl = off).

Our setup:
The Samba domain seems to be working; WinXP logs on to the domain and users
did not report any problems. The server is a PDC on Samba (3.0.2 on Linux
Fedora Core 1) and all accounts (unix, samba) and groups (posix, samba
built-in) are stored on the ldap server.

Now, I added another samba machine as domain member.
[root@member]# net join -S PDC -UAdministrator%password
[root@member]# smbpasswd -w secret

My ldap setting is fine, I hope:

[root@member]# id Administrator
uid=998(Administrator) gid=512(Domain Admins) groups=512(Domain Admins)

[root@member]# getent group "Domain Admins"
Domain Admins:x:512:Administrator

But 'net groupmap list' is not working:

[root@member]# net groupmap list
System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Admins (S-1-5-21-3625374334-2768020895-3115484427-512) -> -1
Domain Guests (S-1-5-21-3625374334-2768020895-3115484427-514) -> -1
Power Users (S-1-5-32-547) -> -1

My smb.conf is:

[global]
workgroup = COMPANY
netbios name = MEMBER
security = domain
password server = PDC
encrypt passwords = yes

ldap ssl = off
ldap admin dn = cn=Manager,dc=company,dc=com
ldap suffix = dc=company,dc=com
ldap user suffix = ou=People
ldap group suffix = ou=Group
ldap machine suffix = ou=Computers
idmap backend = ldap:ldap://ldap.company.com/
ldap idmap suffix = ou=Group
idmap uid = 10000-20000
idmap gid = 10000-20000


When I make a new group mapping on MEMBER, the changes are stored
locally in /var/cache/samba/*

I think the communication between MEMBER and ldap fails due to some bug,
so groupmaps continue to work locally.

Thanks for advice
Petr

-- 
Chief B.O.F.H. Officer
When proprietary IM sucks - jabber://kristof.p@njs.netlab.cz
IPv4 sucks too. Ping6 to ::1/128
UTF-8 rules: +ěščřžýáíéů 



