samba idmap questions
leet at leenx.co.za
Wed Oct 15 07:27:32 GMT 2003
Birger Wathne wrote:
>I have found some docs referring to the idmap backend stuff as implemented and tested, but not documented. Well. There is some
Same ... I ask a few times on the list mail lists, but everybody is
very busy at the moment ...
>documentation. Perhaps enough for someone who knows LDAP. But not enough for me...
Had problems with both the tdb and the ldap idmap backends ... don't
feel bad ...
>Could you help a bit, og give some pointers?
I can try ...
>I need to know what to do on the LDAP server end.
Well, you have to import or setup your schema to support Samba3, in
my case OpenLDAP, Samba3 supplies schema's for IBM and Novel Directory
services ... can't remeber the product names, sorry ..
> I hope I can use AD to hold the idmap?
I throught about that too, but a few things that come to mind as
possible problems ... first, AD only syncs to AD, so using AD replicate
your idmap to other servers does not make sense ... two, the reason to
use idmap in LDAP, is to have the same idmap in lots of places, that is
why I think IBM and Novel directories are supported ... otherwise, if
you are using idmap on only one computer, it's best to use the tdb for
storage ... unless, you are like me, and want to change the mappings,
which I was not able to figure out how to do with tdb, but with ldap, I
can fire up my LDAP browser and make my changes, which seem to work ...
Also, remember that tdb is faster than LDAP, less over head ...
> What do I need to do to create it?
Create and update AD schema to support Samba3 ... that I don't know,
had enough problems tring to get mt sendmail updates in, I don't know
how much trouble that will cuase you ...
> The contents in our AD domain comes from a central database, so I should be able to generate the idmap from there as well.
Well, once you start winbindd, and do a "getent passwd", it should
fill in your idmap ... at least that is my experince ...
>I currently have a samba 3.0 server joined into our AD domain(s). I was pleasantly surprised when I managed to join one domain using an admin user belonging to another domain (yes, the trust should be there. The surprise was that it actually worked from samba). I still have some problems... like I can list AD users, I can authenticate using AD users from windows clients when accessing printers on this samba server, etc... but I just cannot log in using AD accounts. I can su to them... so I guess the problem is password authentication in pam somewhere... And I need the idmap backend ldap database before this can go into production.
Would recommend OpenLDAP for idmap, unless you know how to sync Ad
with other LDAP servers, or are willing to send alot of LDAP queries to
your AD server ...
>By the way: I am using RedHat 9 and the binary RPM's from the samba ftp site.
Two things that I ran into, first been that is your security = ADS,
with RedHat 9, which ships with krb5 1.2.7, which does not support one
of encoding systems ( don't slap for wrong terms, think I got the right
idea ) ... Because I am testing with Win2K3, you will have to set the
auth user for winbind, with wbinfo
--set-auth-user=AdminUsername%Password, then restart winbind ...
This is the sequence I do to test my system ...
modify /etc/krb5.conf ( cheat a little and use RedHat authconfig and
fill in Kerberos 5 details under the Authentication Configuration page )
kinit -V AdminUsername at EXAMPLE.NET
net ads join AdminUsername
modify /etc/nsswitch.conf ( add in winbind after passwd, group and
modify /etc/pam.d/system-auth ( again I cheat a little, I duplicate
all the krb5 lines and replace with winbind )
mail login ( telnet, ssh and ftp need a good shell, like bash )
security = domain ( I am able to get users to login using Win
clients ..., had problems with signing if security=ads, still looking
into this )
I hope this helps ..
More information about the samba-technical