[Samba] ID mapping
Gaiseric Vandal
gaiseric.vandal at gmail.com
Wed Apr 16 15:19:05 MDT 2014
It seems each .x version change (e.g. 3.x.y) changes the idmap config
and functionality.
I also use Winbind for domain trusts (samba 3.6.y).
................
idmap config * : backend = tdb
idmap config * : range = 70000-79000
#IDMAP DEFAULT ALLOC
# 1/24/14 - Samba 3.6 drops "idmap alloc backend"
# 1/24/14 idmap alloc backend = ldap
idmap alloc config:ldap_url = ldap://myserver.mydomain.com
idmap alloc config:ldap_base_dn = ou=alloc,ou=idmap,o=mydomain.com
idmap alloc config:ldap_user_dn = cn=LDAP_Administrator
idmap alloc config:range = 30000 - 79999
idmap config OTHERDOMAIN:backend = ldap
idmap config OTHERDOMAIN:readonly = no
idmap config OTHERDOMAIN:default=no
idmap config OTHERDOMAIN:ldap_base_dn = ou=otherdomain,ou=idmap,o=ssci.com
idmap config OTHERDOMAIN:ldap_user_dn = cn=LDAP_Administrator
idmap config OTHERDOMAIN:ldap_url = ldap://myserver.mydomain.com
idmap config OTHERDOMAIN:range = 30000-39999
#is following legit?
idmap config OTHERDOMAIN:suffix=ou=otherdomain,ou=idmap
...........................................................................
Depending on the version of samba I sometimes had to use an LDAP editor
(e.g. Apache Directory Studio) to manually create or edit entries when I
added people to the trusted/trusting domain (Windows 2003 Active
Directory.) Fortunately that domain only had about 6 people and the
turnover was very low. Samba 3.6.x seems to have got better about
this. I am running Samba on Solaris (with the bundled Samba packages)
so part of this may be the Oracle/Sun developers doing a better job of
building samba.
And make sure you run the following commands
net idmap secret OTHERDOMAIN xxxxxx
net idmap secret alloc xxxxxx
wbinfo (with various switches) will make sure that the SID-to-ID, ID-to-SID,
etc. mappings are all correct. If the wbinfo commands
disagree with what you see in the LDAP editor, you may want to stop
winbind, delete (or rename) all the idmap or winbind or cache tdb files
and restart winbind.
I don't use idmapping for the local samba domain.
I never had any luck with the idmap RID backend on a member server in the
domain. The nice thing about the LDAP backend is that you can use LDAP
tools to verify and modify entries.
On 04/16/14 15:11, Williams, Jeff wrote:
> We are using winbind because of a trust with a second domain, which is also
> served by an RHEL/Samba/LDAP server. This allows users from that other
> domain to log into workstations that are members of this domain. If I can
> configure the student server NOT to use winbind for users of the students
> domain, that would be fine. But I still need to support the other domain,
> and I had understood that this would require winbind to map the users.
> Suggestions on how to accomplish this? The same smb.conf worked fine on
> the previous (physical) server.
>
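The post above warns that the idmap backend layout changed between Samba versions and that the wbinfo output can disagree with what is stored in LDAP. One check an administrator can run before restarting winbind is to confirm that the idmap ranges in smb.conf are well-formed and disjoint, since overlapping ranges (for example a leftover pre-3.6 "idmap alloc config:range" that overlaps the "*" default and a trusted-domain range) are a classic cause of inconsistent SID/ID mappings. The script below is an added example, not code from the post or from the Samba project; the smb.conf fragment it parses is constructed for the example and only mirrors the shape of the configuration shown above, and the parsing regex and finding texts are this example's own assumptions.

```python
"""Added example: parse the `idmap config` lines of an smb.conf fragment and
report malformed, missing or overlapping idmap ranges.

Samba requires every idmap range (the `*` default backend, each trusted
domain, and the pre-3.6 `idmap alloc config` range) to be disjoint.  The
sample configuration is constructed for this example; the values are
illustrative, not a real deployment."""
import re
from typing import Dict, List, Tuple

# Constructed sample smb.conf fragment (shape borrowed from the post, values made up).
SAMPLE_SMB_CONF = """
idmap config * : backend = tdb
idmap config * : range = 70000-79000
# idmap alloc backend = ldap          (removed in Samba 3.6, kept as a comment)
idmap alloc config:range = 30000 - 79999
idmap config OTHERDOMAIN:backend = ldap
idmap config OTHERDOMAIN:readonly = no
idmap config OTHERDOMAIN:range = 30000-39999
idmap config OTHERDOMAIN:suffix=ou=otherdomain,ou=idmap
"""

# Matches "idmap config <domain> : key = value" and the legacy
# "idmap alloc config:key = value" form; whitespace around ':' and '=' is tolerated.
IDMAP_LINE = re.compile(
    r"^\s*idmap\s+(?:config\s+(?P<domain>\S+?)|(?P<alloc>alloc)\s+config)"
    r"\s*:\s*(?P<key>[A-Za-z_]+)\s*=\s*(?P<value>.*?)\s*$"
)
# "low-high", also accepting "low - high" as written in some configs.
RANGE_VALUE = re.compile(r"^(\d+)\s*-\s*(\d+)$")


def parse_idmap_config(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {key: value}} for every idmap line in `text`.

    Sections are '*' (default backend), 'alloc' (pre-3.6 allocator) or a
    domain name.  Comment lines ('#' or ';') and unrelated options are skipped.
    """
    sections: Dict[str, Dict[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = IDMAP_LINE.match(line)
        if not m:
            continue
        section = "alloc" if m.group("alloc") else m.group("domain")
        sections.setdefault(section, {})[m.group("key").lower()] = m.group("value")
    return sections


def parse_range(value: str) -> Tuple[int, int]:
    """Parse an idmap range string; raise ValueError on junk or inverted bounds."""
    m = RANGE_VALUE.match(value.strip())
    if not m:
        raise ValueError(f"malformed idmap range {value!r}")
    low, high = int(m.group(1)), int(m.group(2))
    if low > high:
        raise ValueError(f"idmap range {value!r} has low > high")
    return low, high


def check_idmap_config(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    sections = parse_idmap_config(text)
    ranges: Dict[str, Tuple[int, int]] = {}
    for name, opts in sections.items():
        if name == "alloc":
            findings.append("legacy 'idmap alloc config' lines present; Samba 3.6 "
                            "removed the separate alloc backend (allocation is done "
                            "by the '*' backend), so these lines are ignored")
        elif "backend" not in opts:
            findings.append(f"section {name}: no backend configured")
        if "range" not in opts:
            findings.append(f"section {name}: no range configured")
            continue
        try:
            ranges[name] = parse_range(opts["range"])
        except ValueError as exc:
            findings.append(f"section {name}: {exc}")
    # Pairwise overlap check: two closed intervals overlap iff each starts
    # before the other ends.
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(f"ranges overlap: {a} {alo}-{ahi} vs {b} {blo}-{bhi}")
    return findings


if __name__ == "__main__":
    for finding in check_idmap_config(SAMPLE_SMB_CONF) or ["no idmap problems found"]:
        print(finding)
```

Run against the sample, the checker flags the legacy alloc lines and two overlaps (the alloc range against both the "*" range and the OTHERDOMAIN range); with the alloc line removed the remaining ranges are disjoint and it reports nothing. Feed it the `testparm -s` output of a real server rather than the raw file so that includes and overrides are already resolved.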