[Samba] Questions about the new idmap interface

Marc Muehlfeld Marc.Muehlfeld at medizinische-genetik.de
Tue Sep 11 15:09:54 GMT 2007


Hi,

I changed the settings in smb.conf according to your reply to:

   winbind separator = +
   winbind enum users = yes
   winbind enum groups = yes
   template homedir = /home/%U
   template shell = /bin/false
   winbind nested groups = yes
   winbind cache time = 300
   winbind nss info = template
   winbind use default domain = yes

   idmap domains = DOM1, DOM2
   idmap config DOM1:default      = yes
   idmap config DOM1:backend      = ldap
   idmap config DOM1:ldap_base_dn = ou=Idmap,dc=dom1,dc=mydomain,dc=de
   idmap config DOM1:ldap_url     = ldap://192.168.0.1
   idmap config DOM1:range        = 10000 - 20000
   idmap config DOM1:ldap_user_dn = uid=samba,ou=Users,dc=dom1,dc=mydomain,dc=de

   idmap config DOM2:default      = no
   idmap config DOM2:backend      = ldap
   idmap config DOM2:ldap_base_dn = ou=Idmap,dc=dom2,dc=mydomain,dc=de
   idmap config DOM2:ldap_url     = ldap://192.168.1.1
   idmap config DOM2:range        = 10000 - 20000
   idmap config DOM2:ldap_user_dn = uid=samba,ou=Users,dc=dom2,dc=mydomain,dc=de

   idmap alloc backend             = ldap
   idmap alloc config:ldap_base_dn = ou=Idmap,dc=dom1,dc=mydomain,dc=de
   idmap alloc config:ldap_user_dn = uid=samba,ou=Users,dc=dom1,dc=mydomain,dc=de
   idmap alloc config:ldap_url     = ldap://192.168.0.1
   idmap alloc config:range        = 10000-20000

simo wrote:
> In your case probably
> 
> net idmap secret DOM1 <secret1>
> net idmap secret alloc <secret1>
> net idmap secret DOM2 <secret2>
> 
> However, if you read the man pages for idmap_ldap you will find all this
> information.

I read it, but not the note that says something about using net idmap to set 
the password. I have meanwhile set the secrets.



>> Is there any useful documentation, best would be with different samples, of 
>> the new idmap interface? The man page didn't help me much in understanding this.
> 
> Maybe because you didn't read the actually relevant man page:
> man idmap_ldap

For me it was very confusing for my trusted domain environment. Currently I'm 
not sure if I really need the two idmap configs. I just have the problem that 
I can't connect from a DOM2 workstation to a share on a MemberServer of DOM1. 
On this share I set up: valid users = +"DOM1\Group1" +"DOM2\Group2". 
Connections from DOM1 workstations are fine (if I'm in Group1), but not from 
DOM2 (if I'm a member of DOM2\Group2). It seems the group of the remote domain 
is searched for inside the LDAP of DOM1 (why doesn't winbind just get the 
information from the responsible DC?).

[2007/09/11 17:02:57, 5] lib/smbldap.c:smbldap_search_ext(1182)
   smbldap_search_ext: base => [ou=Groups,dc=dom1,dc=mydomain,dc=de], filter => [(&(objectClass=sambaGroupMapping)(|(displayName=TestGroup)(cn=TestGroup)))], scope => [2]
[2007/09/11 17:02:57, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2235)
   ldapsam_getgroup: Did not find group
[2007/09/11 17:02:57, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/09/11 17:02:57, 5] smbd/share_access.c:token_contains_name(118)
   lookup_name DOM2+Group2 failed
[2007/09/11 17:02:57, 10] smbd/share_access.c:user_ok_token(211)
   User muehlfeld not in 'valid users'
[2007/09/11 17:02:57, 2] smbd/service.c:make_connection_snum(616)
   user 'muehlfeld' (from session setup) not permitted to access this share (intranet)
[2007/09/11 17:02:57, 3] smbd/error.c:error_packet_set(106)
   error packet at smbd/reply.c(514) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED



Marc
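Editor's note: the configuration above gives DOM1, DOM2 and the allocator the same 10000-20000 range. Current Samba documentation for "idmap config" requires the ranges of different domains to be mutually disjoint, and with a per-domain LDAP store for each domain the uniqueness of IDs otherwise rests entirely on the single alloc counter. The script below is an added example, not code from the thread or from the Samba project: it parses the "idmap config DOMAIN:range" and "idmap alloc config:range" lines out of an smb.conf fragment, flags malformed or overlapping domain ranges, and warns when the alloc range reaches outside every domain range (a heuristic, not a Samba rule). The embedded fragment is a constructed copy of the post's settings with the LDAP details dropped; the live checks in idmap_diag need a running winbindd and are only run if you call the function yourself. None of this explains the lookup_name failure in the log; it only removes one source of confusion before chasing that.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check idmap ranges in smb.conf.

# Constructed fragment mirroring the post's idmap settings (LDAP URLs/DNs omitted).
SMBCONF_FRAGMENT='
   idmap domains = DOM1, DOM2
   idmap config DOM1:default      = yes
   idmap config DOM1:backend      = ldap
   idmap config DOM1:range        = 10000 - 20000
   idmap config DOM2:default      = no
   idmap config DOM2:backend      = ldap
   idmap config DOM2:range        = 10000 - 20000
   idmap alloc backend             = ldap
   idmap alloc config:range        = 10000-20000
'

# idmap_ranges CONFIG_TEXT
# Prints one "NAME LOW HIGH" line per "idmap config NAME:range" and, as
# "ALLOC LOW HIGH", the "idmap alloc config:range" line. Accepts both
# "10000 - 20000" and "10000-20000".
idmap_ranges() {
    printf '%s\n' "$1" | awk -F'=' '
        /^[ \t]*idmap (config [^:]+|alloc config):range[ \t]*=/ {
            name = $1
            sub(/^[ \t]*idmap (config |alloc )/, "", name)   # "DOM1:range" / "config:range"
            sub(/:range[ \t]*$/, "", name)
            if (name == "config") name = "ALLOC"
            val = $2
            gsub(/[ \t]/, "", val)
            split(val, r, "-")
            print name, r[1], r[2]
        }'
}

# check_idmap_ranges CONFIG_TEXT
# Exit status 0 when every range is well-formed, no two domain ranges overlap
# and the alloc range (if any) lies within the span of the domain ranges.
check_idmap_ranges() {
    idmap_ranges "$1" | awk '
        { n++; name[n] = $1; lo[n] = $2 + 0; hi[n] = $3 + 0; raw[n] = $2 "-" $3 }
        END {
            rc = 0
            if (n == 0) { print "ERROR: no idmap ranges found"; exit 1 }
            for (i = 1; i <= n; i++) {
                if (raw[i] !~ /^[0-9]+-[0-9]+$/ || lo[i] > hi[i]) {
                    printf "ERROR: %s: malformed range \"%s\"\n", name[i], raw[i]
                    rc = 1; continue
                }
                if (name[i] == "ALLOC") { alo = lo[i]; ahi = hi[i]; continue }
                if (dmin == "" || lo[i] < dmin) dmin = lo[i]
                if (dmax == "" || hi[i] > dmax) dmax = hi[i]
                for (j = i + 1; j <= n; j++) {
                    if (name[j] == "ALLOC") continue
                    # closed intervals overlap when each starts before the other ends
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        printf "WARNING: ranges of %s (%s) and %s (%s) overlap\n",
                               name[i], raw[i], name[j], raw[j]
                        rc = 1
                    }
                }
            }
            # Heuristic (assumption, not a Samba rule): IDs handed out by the
            # allocator should fall inside some domain range, or that domain
            # backend will filter the mapping out again.
            if (alo != "" && dmin != "" && (alo < dmin || ahi > dmax)) {
                printf "WARNING: alloc range %d-%d reaches outside all domain ranges (%d-%d)\n",
                       alo, ahi, dmin, dmax
                rc = 1
            }
            exit rc
        }'
}

# idmap_diag GROUPNAME
# Live checks on the member server (needs winbindd and the Samba tools);
# not executed automatically. Example: idmap_diag 'DOM2+Group2'
idmap_diag() {
    wbinfo -m                      # trusted domains winbindd actually sees
    wbinfo -n "$1"                 # name -> SID through winbind
    wbinfo --group-info="$1"       # group -> gid and members
    getent group "$1"              # what NSS (and thus smbd) resolves
}

if check_idmap_ranges "$SMBCONF_FRAGMENT"; then
    echo "idmap ranges look consistent"
else
    echo "fix the ranges reported above before chasing the share-access problem"
fi
```

Run it against your own configuration with check_idmap_ranges "$(cat /etc/samba/smb.conf)"; the awk patterns only look at the range lines, so the LDAP URLs, DNs and secrets are never parsed.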


