[Samba] ID mapping

Gaiseric Vandal gaiseric.vandal at gmail.com
Wed Apr 16 15:19:05 MDT 2014


It seems each .x version change (e.g. 3.x.y) changes the idmap config
and functionality.


I also use Winbind for domain trusts (samba 3.6.y)

................

idmap config * : backend = tdb
idmap config * : range = 70000-79000


#IDMAP DEFAULT ALLOC
# 1/24/14 -  Samba 3.6 drops "idmap alloc backend"
# 1/24/14 idmap alloc backend = ldap
idmap alloc config:ldap_url = ldap://myserver.mydomain.com
idmap alloc config:ldap_base_dn = ou=alloc,ou=idmap,o=mydomain.com
idmap alloc config:ldap_user_dn = cn=LDAP_Administrator
idmap alloc config:range = 30000 - 79999

idmap config OTHERDOMAIN:backend = ldap
idmap config OTHERDOMAIN:readonly = no
idmap config OTHERDOMAIN:default=no
idmap config OTHERDOMAIN:ldap_base_dn = ou=otherdomain,ou=idmap,o=ssci.com
idmap config OTHERDOMAIN:ldap_user_dn = cn=LDAP_Administrator
idmap config OTHERDOMAIN:ldap_url = ldap://myserver.mydomain.com
idmap config OTHERDOMAIN:range = 30000-39999
#is following legit?
idmap config OTHERDOMAIN:suffix=ou=otherdomain,ou=idmap


...........................................................................


Depending on the version of samba I sometimes had to use an LDAP editor
(e.g. Apache Directory Studio) to manually create or edit entries when I
added people to the trusted/trusting domain (Windows 2003 Active
Directory). Fortunately that domain only had about 6 people and the
turnover was very low. Samba 3.6.x seems to have got better about
this. I am running Samba on Solaris (with the bundled Samba packages)
so part of this may be the Oracle/Sun developers doing a better job of
building samba.



And make sure you run the following commands:

     net idmap secret OTHERDOMAIN xxxxxx
     net idmap secret alloc  xxxxxx


wbinfo (with various switches) will make sure that the SID to ID, ID to
SID etc. mappings are all correct. If the wbinfo commands
disagree with what you see in the LDAP editor you may want to stop
winbind, delete (or rename) all the idmap or winbind or cache tdb files
and restart winbind.



I don't use idmapping for the local samba domain.


I never had any luck with the idmap RID backend with a member server in the
domain. The nice thing about the LDAP backend is that you can use LDAP
tools to verify and modify entries.



On 04/16/14 15:11, Williams, Jeff wrote:
> We are using winbind because of a trust with a second domain, which is also
> served by an RHEL/Samba/LDAP server.  This allows users from that other
> domain to log into workstations that are members of this domain.  If I can
> configure the student server NOT to use winbind for users of the students
> domain, that would be fine.  But I still need to support the other domain,
> and I had understood that this would require winbind to map the users.
> Suggestions on how to accomplish this?  The same smb.conf worked fine on
> the previous (physical) server.
>
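An added check, not from this thread or from Samba itself, that parses "idmap config DOMAIN : range" lines written the way the smb.conf excerpt above writes them (spaces around the colon and the hyphen) and reports per-domain ranges that overlap, since overlapping ranges let two different domain users resolve to the same UID. The sample config reuses the two ranges from the post plus a constructed third domain (EXAMPLE2) to trigger the overlap:

```python
"""Detect overlapping per-domain idmap ranges in an smb.conf excerpt."""
import re
from typing import Dict, List, Tuple

# Constructed sample: the first two ranges come from the post above,
# EXAMPLE2 is made up here to show an overlap being reported.
SAMPLE_SMB_CONF = """
idmap config * : backend = tdb
idmap config * : range = 70000-79000
# 1/24/14 idmap alloc backend = ldap
idmap alloc config:range = 30000 - 79999
idmap config OTHERDOMAIN:backend = ldap
idmap config OTHERDOMAIN:range = 30000-39999
idmap config EXAMPLE2:backend = ldap
idmap config EXAMPLE2 : range = 35000 - 44999
"""

# Only "idmap config <dom> : range" lines; the old "idmap alloc config"
# pool is deliberately not treated as a domain range here.
RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+?)\s*:\s*range\s*=\s*"
    r"(?P<lo>\d+)\s*-\s*(?P<hi>\d+)\s*$",
    re.IGNORECASE,
)


def parse_ranges(conf: str) -> Dict[str, Tuple[int, int]]:
    """Return {domain: (low, high)} for every idmap range line."""
    ranges: Dict[str, Tuple[int, int]] = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if not m:
            continue  # comments, other keys, unrelated lines
        lo, hi = int(m.group("lo")), int(m.group("hi"))
        if lo > hi:
            raise ValueError(f"{m.group('dom')}: range {lo}-{hi} is inverted")
        ranges[m.group("dom")] = (lo, hi)
    return ranges


def find_overlaps(ranges: Dict[str, Tuple[int, int]]) -> List[Tuple[str, str, int, int]]:
    """Return (domain_a, domain_b, first_shared_id, last_shared_id) per clash."""
    names = sorted(ranges)
    clashes = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            lo = max(ranges[a][0], ranges[b][0])
            hi = min(ranges[a][1], ranges[b][1])
            if lo <= hi:  # a non-empty intersection means shared UIDs/GIDs
                clashes.append((a, b, lo, hi))
    return clashes


if __name__ == "__main__":
    for a, b, lo, hi in find_overlaps(parse_ranges(SAMPLE_SMB_CONF)):
        print(f"overlap: {a} and {b} both cover IDs {lo}-{hi}")
```

Run it against the real smb.conf with `parse_ranges(open("/etc/samba/smb.conf").read())`; an empty result from `find_overlaps` is what you want before trusting the SID-to-ID mappings that wbinfo reports.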


