[Samba] Do I need winbind or ou=idmap?

Márcio Merlone marcio.merlone at a1.ind.br
Mon Sep 1 07:13:10 MDT 2014 

Hi,

Please correct any wrong statement below :)

I have this machine to be promoted to our file server:

- Ubuntu 12.04
- Samba 3.6.3-2ubuntu2.11 as *Domain Member*
- LDAP slave from the PDC,
- libnss-ldap and libpam-ldap, getent OK from LDAP

With the following (sanitized output from testparm) smb.conf:

[global]
     workgroup = FOOBAR
     security = DOMAIN
     passdb backend = ldapsam:ldap://localhost
     name resolve order = wins bcast lmhosts hosts
     dns proxy = No
     wins server = <pdc.ip.add.ress>
     ldap admin dn = cn=admin,ou=FOOBAR
     ldap delete dn = Yes
     ldap group suffix = ou=Group
     ldap idmap suffix = ou=idmap
     ldap machine suffix = ou=Host
     ldap passwd sync = yes
     ldap suffix = ou=FOOBAR
     ldap ssl = no
     ldap user suffix = ou=People
     idmap config * : backend = tdb

The _ou=idmap tree on LDAP is completely empty_.
Users and groups on LDAP already have their samba attributes, users also 
have their sambaProfilePath, sambaHomePath, sambaHomeDrive and 
sambaLogonScript information on LDAP, so I won't need corresponding 
defaults on smb.conf.

BUT winbindd man page says:

> Even if winbind is not used for nsswitch, it still provides a service 
> to *smbd*, ntlm_auth and the
>        pam_winbind.so PAM module, by managing connections to domain 
> controllers. In this configuration the idmap
>        config * : range parameter is not required. (This is known as 
> `netlogon proxy only mode´.)

Given I don't use ntlm_auth nor pam_winbind, but (obviously) use smbd I 
may ask:
1. Do I need any of the idmap * or winbind params on smb.conf?
2. Will I benefit from winbind somehow or will it just be on the way?
3. Do I need winbind running at all?
4. Given I have the required builtin groups on LDAP (Domain Admins, 
Domain Groups, etc), and all other groups have their samba information 
already there by other 3rd party tool (LdapAdmin), is there any need to 
"net groupmap" something?
5. Can ou=idmap,ou=FOOBAR be removed?

Thanks in advance and best regards.

-- 
*Marcio Merlone*

More information about the samba mailing list