[Samba] Winbind to use Windows ADS LDAP as IDMAP backend
David Roid
dataroid at gmail.com
Thu Nov 17 04:04:04 MST 2011
Greetings list,
This sounds sort of twisted, but in its essence Windows ADS has an LDAP
server too, so here is what I do, hoping it'll work:
1. Install Utilities and SDK for UNIX-based application and Identity
Management for UNIX on Windows server 2003, create a new OU named "idmap".
2. Configure smb.conf as per Samba HOWTO chapter 14 "IDMAP storage in LDAP
using winbind":
    ldap admin dn = cn=administrator,cn=users,dc=mydom,dc=com
    ldap idmap suffix = ou=idmap
    ldap suffix = dc=mydom,dc=com
    idmap backend = ldap:"ldap://<my windows domain controller, also LDAP server>"
    idmap uid = 10000-1000000
    idmap gid = 10000-1000000
3. Join the domain, fine; run ldapsearch, fine; wbinfo -u, fine; wbinfo -g,
fine.
4. Problem: wbinfo -i <domain user> doesn't work; something is wrong with the
idmap allocator, see the log:
==> /var/log/messages <==
2011 Nov 17 18:48:47 winterfell_01 [err] winbindd[21121]: [2011/11/17 18:48:47.830454, 0] winbindd/idmap.c:201(smb_register_idmap_alloc)
2011 Nov 17 18:48:47 winterfell_01 [err] winbindd[21121]:   idmap_alloc module tdb already registered!
2011 Nov 17 18:48:47 winterfell_01 [err] winbindd[21121]: [2011/11/17 18:48:47.830566, 0] winbindd/idmap.c:149(smb_register_idmap)
2011 Nov 17 18:48:47 winterfell_01 [err] winbindd[21121]:   Idmap module passdb already registered!
2011 Nov 17 18:48:47 winterfell_01 [err] winbindd[21121]: [2011/11/17 18:48:47.830608, 0] winbindd/idmap.c:149(smb_register_idmap)
2011 Nov 17 18:48:47 winterfell_01 [err] winbindd[21121]:   Idmap module nss already registered!
2011 Nov 17 18:48:47 winterfell_01 [err] winbindd[21121]: [2011/11/17 18:48:47.833394, 0] winbindd/idmap.c:599(idmap_alloc_init)
2011 Nov 17 18:48:47 winterfell_01 [err] winbindd[21121]:   ERROR: Initialization failed for alloc backend, deferred!
So it looks like Samba/winbind can read from but cannot write to the Windows
LDAP backend, hence no domain users get any UID. Is this so? Is there any
possibility to fix this?
P.S. I also tried OpenLDAP on Linux as the IDMAP backend; it works very smoothly
with Samba.
Cheers
-David
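As an added example, not taken from David's post or from Samba itself: a small Python parser for the syslog-forwarded winbindd debug records quoted above. Every Samba debug message arrives as two syslog lines, a header of the form "[date time, level] file:line(function)" and then the message body, so the parser pairs them into one record each and then separates the repeated "already registered" notices from the record that names the actual failure in idmap_alloc_init. The sample log is reconstructed from the lines in the post with the mail-client wrapping undone; the hostname, PID and timestamps are those shown in the post.

```python
"""Pair up syslog-forwarded winbindd debug lines and triage idmap messages."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the log quoted in the post with mail wrapping undone.
# Each Samba debug message is two syslog lines: header, then body.
SAMPLE_LOG = """\
2011 Nov 17 18:48:47 winterfell_01 [err] winbindd[21121]: [2011/11/17 18:48:47.830454, 0] winbindd/idmap.c:201(smb_register_idmap_alloc)
2011 Nov 17 18:48:47 winterfell_01 [err] winbindd[21121]:   idmap_alloc module tdb already registered!
2011 Nov 17 18:48:47 winterfell_01 [err] winbindd[21121]: [2011/11/17 18:48:47.830566, 0] winbindd/idmap.c:149(smb_register_idmap)
2011 Nov 17 18:48:47 winterfell_01 [err] winbindd[21121]:   Idmap module passdb already registered!
2011 Nov 17 18:48:47 winterfell_01 [err] winbindd[21121]: [2011/11/17 18:48:47.830608, 0] winbindd/idmap.c:149(smb_register_idmap)
2011 Nov 17 18:48:47 winterfell_01 [err] winbindd[21121]:   Idmap module nss already registered!
2011 Nov 17 18:48:47 winterfell_01 [err] winbindd[21121]: [2011/11/17 18:48:47.833394, 0] winbindd/idmap.c:599(idmap_alloc_init)
2011 Nov 17 18:48:47 winterfell_01 [err] winbindd[21121]:   ERROR: Initialization failed for alloc backend, deferred!
"""

# syslog prefix as it appears in the post: "YYYY Mon DD HH:MM:SS host [prio] prog[pid]: msg"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) \[(?P<prio>\w+)\] "
    r"(?P<prog>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Samba debug header: "[YYYY/MM/DD HH:MM:SS.micro, level] file:line(function)"
HEADER_RE = re.compile(
    r"^\[(?P<when>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+), +(?P<level>\d+)\] "
    r"(?P<file>[\w./-]+):(?P<line>\d+)\((?P<func>\w+)\)\s*$"
)


@dataclass
class DebugRecord:
    host: str
    pid: int
    when: str
    level: int
    file: str
    line: int
    func: str
    body: str = ""


def parse_winbindd_log(text: str) -> List[DebugRecord]:
    """Join each header line with the body line(s) that follow it."""
    records: List[DebugRecord] = []
    pending: Optional[DebugRecord] = None
    for raw in text.splitlines():
        m = SYSLOG_RE.match(raw)
        if not m:
            continue  # not a syslog line of the expected shape; ignore
        msg = m.group("msg")
        h = HEADER_RE.match(msg)
        if h:
            # A new debug record starts; the body arrives on the next line.
            pending = DebugRecord(
                host=m.group("host"), pid=int(m.group("pid")),
                when=h.group("when"), level=int(h.group("level")),
                file=h.group("file"), line=int(h.group("line")),
                func=h.group("func"),
            )
            records.append(pending)
        elif pending is not None and pending.pid == int(m.group("pid")):
            # Body (or continuation) for the most recent header from the same process.
            pending.body = (pending.body + " " + msg.strip()).strip()
    return records


def classify_idmap(records: List[DebugRecord]) -> Tuple[List[DebugRecord], List[DebugRecord]]:
    """Split idmap.c records into duplicate-registration notices and real failures."""
    notices: List[DebugRecord] = []
    failures: List[DebugRecord] = []
    for r in records:
        if not r.file.endswith("idmap.c"):
            continue
        if "already registered" in r.body:
            notices.append(r)
        elif r.body.startswith("ERROR:") or "Initialization failed" in r.body:
            failures.append(r)
    return notices, failures


if __name__ == "__main__":
    recs = parse_winbindd_log(SAMPLE_LOG)
    notices, failures = classify_idmap(recs)
    print(f"{len(recs)} records, {len(notices)} registration notices, {len(failures)} failures")
    for f in failures:
        print(f"  {f.when} {f.file}:{f.line} {f.func}(): {f.body}")
```

Run over the sample, the parser yields four records; three are the "already registered" notices and the fourth, from idmap_alloc_init at idmap.c:599, is the one that says the alloc backend never initialised, which is the record worth alerting on when watching /var/log/messages for winbind problems.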