[Samba] Questions about the new idmap interface
Marc Muehlfeld
Marc.Muehlfeld at medizinische-genetik.de
Tue Sep 11 15:09:54 GMT 2007
Hi,
I changed the settings in smb.conf according to your reply to:
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%U
template shell = /bin/false
winbind nested groups = yes
winbind cache time = 300
winbind nss info = template
winbind use default domain = yes
idmap domains = DOM1, DOM2
idmap config DOM1:default = yes
idmap config DOM1:backend = ldap
idmap config DOM1:ldap_base_dn = ou=Idmap,dc=dom1,dc=mydomain,dc=de
idmap config DOM1:ldap_url = ldap://192.168.0.1
idmap config DOM1:range = 10000 - 20000
idmap config DOM1:ldap_user_dn = uid=samba,ou=Users,dc=dom1,dc=mydomain,dc=de
idmap config DOM2:default = no
idmap config DOM2:backend = ldap
idmap config DOM2:ldap_base_dn = ou=Idmap,dc=dom2,dc=mydomain,dc=de
idmap config DOM2:ldap_url = ldap://192.168.1.1
idmap config DOM2:range = 10000 - 20000
idmap config DOM2:ldap_user_dn = uid=samba,ou=Users,dc=dom2,dc=mydomain,dc=de
idmap alloc backend = ldap
idmap alloc config:ldap_base_dn = ou=Idmap,dc=dom1,dc=mydomain,dc=de
idmap alloc config:ldap_user_dn = uid=samba,ou=Users,dc=dom1,dc=mydomain,dc=de
idmap alloc config:ldap_url = ldap://192.168.0.1
idmap alloc config:range = 10000-20000
simo wrote:
> In your case probably
>
> net idmap secret DOM1 <secret1>
> net idmap secret alloc <secret1>
> net idmap secret DOM2 <secret2>
>
> However if you read the man pages for idmap_ldap you will find all this
> information.
I read it, but not the note where something is said about using net idmap for
setting the password. I have meanwhile set the secrets.
>> Is there any useful documentation, best would be with different samples, of
>> the new idmap interface? The manpage didn't help me much for understanding this.
>
> Maybe because you didn't read the actually relevant man page:
> man idmap_ldap
For me it was very confusing for my trusted domain environment. Currently I'm
not sure if I really need the two idmap configs. I just have the problem that
I can't connect from a DOM2 workstation to a share on a MemberServer of DOM1.
On this share I set up "valid users = +"DOM1\Group1" +"DOM2\Group2".
Connections from DOM1 workstations are fine (if I'm in Group1), but not from
DOM2 (if I'm member of DOM2\Group2). It seems the group of the remote domain
is searched inside the LDAP of DOM1 (why isn't winbind just getting the
information from the responsible DC?).
[2007/09/11 17:02:57, 5] lib/smbldap.c:smbldap_search_ext(1182)
smbldap_search_ext: base => [ou=Groups,dc=dom1,dc=mydomain,dc=de], filter => [(&(objectClass=sambaGroupMapping)(|(displayName=TestGroup)(cn=TestGroup)))], scope => [2]
[2007/09/11 17:02:57, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2235)
ldapsam_getgroup: Did not find group
[2007/09/11 17:02:57, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/09/11 17:02:57, 5] smbd/share_access.c:token_contains_name(118)
lookup_name DOM2+Group2 failed
[2007/09/11 17:02:57, 10] smbd/share_access.c:user_ok_token(211)
User muehlfeld not in 'valid users'
[2007/09/11 17:02:57, 2] smbd/service.c:make_connection_snum(616)
user 'muehlfeld' (from session setup) not permitted to access this share (intranet)
[2007/09/11 17:02:57, 3] smbd/error.c:error_packet_set(106)
error packet at smbd/reply.c(514) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
Marc
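One thing worth checking in a config like the one above is that every idmap domain on a member server gets its own non-overlapping UID/GID range; in the smb.conf fragment DOM1 and DOM2 both use 10000 - 20000, so a DOM1 user and a DOM2 user can end up with the same Unix ID on the member server. The following script is an added example, not code from the thread or from Samba: it parses the "idmap config DOMAIN:range" lines (the sample below is constructed from the post's fragment) and reports domain pairs whose ranges intersect. The alloc range is deliberately ignored, since it backs the allocating domain rather than a second domain.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the idmap lines from the smb.conf fragment in the post.
SAMPLE_SMB_CONF = """
idmap domains = DOM1, DOM2
idmap config DOM1:default = yes
idmap config DOM1:backend = ldap
idmap config DOM1:range = 10000 - 20000
idmap config DOM2:default = no
idmap config DOM2:backend = ldap
idmap config DOM2:range = 10000 - 20000
idmap alloc backend = ldap
idmap alloc config:range = 10000-20000
"""

# Matches "idmap config <DOMAIN>:range = <low> - <high>" (spaces around '-' optional).
RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)


def parse_idmap_ranges(conf: str) -> Dict[str, Tuple[int, int]]:
    """Return {DOMAIN: (low, high)} for every per-domain idmap range line.
    'idmap alloc config:range' is not an 'idmap config' line, so it is skipped."""
    ranges: Dict[str, Tuple[int, int]] = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            dom, low, high = m.group(1).upper(), int(m.group(2)), int(m.group(3))
            if low > high:
                raise ValueError(f"{dom}: range low {low} is above high {high}")
            ranges[dom] = (low, high)
    return ranges


def find_overlaps(ranges: Dict[str, Tuple[int, int]]) -> List[Tuple[str, str]]:
    """Pairs of domains whose ID ranges intersect. A member server has one
    Unix ID space, so two domains sharing numbers means ID collisions."""
    doms = sorted(ranges)
    overlaps = []
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (a_lo, a_hi), (b_lo, b_hi) = ranges[a], ranges[b]
            if a_lo <= b_hi and b_lo <= a_hi:
                overlaps.append((a, b))
    return overlaps


if __name__ == "__main__":
    found = parse_idmap_ranges(SAMPLE_SMB_CONF)
    for a, b in find_overlaps(found):
        print(f"overlapping idmap ranges: {a} {found[a]} vs {b} {found[b]}")
```

Run against the post's fragment it reports DOM1 and DOM2 as overlapping; giving DOM2 a disjoint range (for example 20001 - 30000) clears the finding.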