samba idmap questions

C.Lee Taylor leet at
Wed Oct 15 07:27:32 GMT 2003

Birger Wathne wrote:

>I have found some docs referring to the idmap backend stuff as implemented and tested, but not documented. Well. There is some 
    Same ... I asked a few times on the mailing lists, but everybody is 
very busy at the moment ...

>documentation. Perhaps enough for someone who knows LDAP. But not enough for me...
    Had problems with both the tdb and the ldap idmap backends ... don't 
feel bad ...

>Could you help a bit, or give some pointers?
    I can try ...

>I need to know what to do on the LDAP server end.
    Well, you have to import or set up your schema to support Samba3, in 
my case OpenLDAP. Samba3 supplies schemas for IBM and Novell Directory 
services ... can't remember the product names, sorry ..

> I hope I can use AD to hold the idmap?
    I thought about that too, but a few things come to mind as 
possible problems ... first, AD only syncs to AD, so using AD to replicate 
your idmap to other servers does not make sense ... two, the reason to 
use idmap in LDAP is to have the same idmap in lots of places, that is 
why I think IBM and Novell directories are supported ... otherwise, if 
you are using idmap on only one computer, it's best to use the tdb for 
storage ... unless you are like me, and want to change the mappings, 
which I was not able to figure out how to do with tdb, but with ldap, I 
can fire up my LDAP browser and make my changes, which seem to work ...

    Also, remember that tdb is faster than LDAP, less overhead ...

> What do I need to do to create it?
    Create and update the AD schema to support Samba3 ... that I don't know, 
had enough problems trying to get my sendmail updates in, I don't know 
how much trouble that will cause you ...

> The contents of our AD domain come from a central database, so I should be able to generate the idmap from there as well.
    Well, once you start winbindd and do a "getent passwd", it should 
fill in your idmap ... at least that is my experience ...

>I currently have a samba 3.0 server joined into our AD domain(s). I was pleasantly surprised when I managed to join one domain using an admin user belonging to another domain (yes, the trust should be there. The surprise was that it actually worked from samba). I still have some problems... like I can list AD users, I can authenticate using AD users from windows clients when accessing printers on this samba server, etc... but I just cannot log in using AD accounts. I can su to them... so I guess the problem is password authentication in pam somewhere... And I need the idmap backend ldap database before this can go into production.
    Would recommend OpenLDAP for idmap, unless you know how to sync AD 
with other LDAP servers, or are willing to send a lot of LDAP queries to 
your AD server ...

>By the way: I am using RedHat 9 and the binary RPMs from the samba ftp site.
    Two things that I ran into, first being if your security = ADS 
with RedHat 9, which ships with krb5 1.2.7, which does not support one 
of the encoding systems ( don't slap me for wrong terms, I think I got the 
right idea ) ... Because I am testing with Win2K3, you will have to set the 
auth user for winbind with wbinfo 
--set-auth-user=AdminUsername%Password, then restart winbind ...

    This is the sequence I do to test my system ...

    modify /etc/krb5.conf ( cheat a little and use RedHat authconfig and 
fill in Kerberos 5 details under the Authentication Configuration page )
    kinit -V AdminUsername at EXAMPLE.NET
    net ads join AdminUsername
    start winbindd
    wbinfo --set-auth-user=AdminUsername%Password
    wbinfo -t
    wbinfo -u
    modify /etc/nsswitch.conf ( add in winbind after passwd, group and 
hosts )
    modify /etc/pam.d/system-auth ( again I cheat a little, I duplicate 
all the krb5 lines and replace with winbind )
    getent passwd
    mail login ( telnet, ssh and ftp need a good shell, like bash )
    security = domain ( I am able to get users to login using Win 
clients ..., had problems with signing if security=ads, still looking 
into this )

    I hope this helps ..
