Samba4: idmap replication between 2 DC's

steve steve at
Wed Jul 11 23:46:22 MDT 2012

On 11/07/12 23:45, Gémes Géza wrote:
> 2012-07-11 21:44 keltezéssel, steve írta:
>> On 11/07/12 21:23, Gémes Géza wrote:
>>> 2012-07-11 10:58 keltezéssel, steve írta:
>>>> Hi
>>>> Is it possible to get idmap.ldb replicated across 2 DC's as well as
>>>> the directory partitions?
>>>> I make changes to id mappings for our Linux users. This is not a
>>>> problem with NFS, but becomes an issue when Linux users are working on
>>>> cifs mounted shares. The uidNumber issued by DC2 is not the same as
>>>> the uidNumber issued by DC1.
>>>> Cheers,
>>>> Steve
>>> Hi Steve,
>>> If you put
>>> idmap_ldb:use rfc2307 = yes
>>> in your smb.conf then setting the uids gids in AD will guarantee that
>>> they are the same across your samba4/s3fs servers, because then they
>>> will get that from AD instead of their private idmap (with a fail-back
>>> to idmap, if the entry has no uid/gid set).
>>> Regards
>>> Geza
>> Hi Geza
>> I don't think
>>  idmap_ldb:use rfc2307 = yes
>> works in Samba4 with s3fs
>> It doesn't appear as an option in
>>  testparm -v either
>> It doesn't have any effect here even though we store all our rfc2307
>> information in the directory.
>> Quote from the other thread:
>> 's3fs and the Samba4 DC use a different winbindd implementation to the
>> one that Christof is patching.  For that reason, these patches simply
>> won't have any benefit for you on the Samba4 DC.
>> Cheers
>> Andrew Bartlett'
>> Geza, does it work for you?
> Yes, but my test domain was upgraded from samba3 in which case the
> provision automatically puts idmap_ldb:use rfc2307 = yes in smb.conf
> I don't know where s3fs does the sid<->xid operations, but with wbinfo I've
> checked and the information is retrieved from AD.
> Regards
> Geza
Hi Geza.

That's frustrating. We are not using winbindd (but are using winbind if 
you see what I mean). Is there anything else you have in smb.conf that 
would affect this? Our nsswitch settings are:
passwd: files ldap
group: files ldap
and our smb.conf is:
	server role = domain controller
	workgroup = MARINA
	realm =
	netbios name = HH1
	passdb backend = samba4
	idmap_ldb:use rfc2307 = yes

On the PDC the idmap mappings are the same as those in the AD (we have a 
script that does this when we add e.g. a new group). Even though it 
works and users and groups are correctly mapped on either DC, we 
would like the mappings to come from AD rather than idmap, mainly for 
the sake of maintenance and readability.

Is there any way we can do this?

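The check Geza describes (asking winbind for the xid of a SID and comparing it with what AD holds) can be scripted so that it is run against every DC rather than eyeballed for one account. The script below is an added example, not code from this thread or from the Samba project. It assumes two captures that are constructed inline here so it runs offline: the LDIF that `ldbsearch -H /usr/local/samba/private/sam.ldb '(|(uidNumber=*)(gidNumber=*))' sAMAccountName objectSid uidNumber gidNumber` prints on a DC, and one "SID xid" line per object collected on each DC with `wbinfo --sid-to-uid <SID>` (or `--sid-to-gid` for groups). The DC names HH1/HH2, the SIDs and the xid values are made up for the example.

```python
"""Compare the uid/gid a Samba DC resolves for a SID with the rfc2307
uidNumber/gidNumber stored in AD, across several DCs.

Added example, not code from the thread or from the Samba project.
Assumed inputs (constructed here so the script runs offline):
  * AD_LDIF: LDIF as printed by
      ldbsearch -H /usr/local/samba/private/sam.ldb \
        '(|(uidNumber=*)(gidNumber=*))' sAMAccountName objectSid uidNumber gidNumber
  * *_WBINFO: one "SID xid" line per object, produced on each DC with
      for s in <sids>; do echo "$s $(wbinfo --sid-to-uid $s)"; done
    (or --sid-to-gid for groups)
"""
import re

# Constructed sample: two rfc2307-enabled objects in AD (SIDs and ids are made up).
AD_LDIF = """\
# record 1
dn: CN=steve,CN=Users,DC=marina,DC=example
sAMAccountName: steve
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1105
uidNumber: 10001

# record 2
dn: CN=linuxusers,CN=Users,DC=marina,DC=example
sAMAccountName: linuxusers
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1106
gidNumber: 20001

# returned 2 records
"""

# Constructed sample: DC1 (HH1) agrees with AD, DC2 (HH2, assumed name) handed
# out an id from its private idmap.ldb range instead of the AD uidNumber.
DC1_WBINFO = """\
S-1-5-21-1111111111-2222222222-3333333333-1105 10001
S-1-5-21-1111111111-2222222222-3333333333-1106 20001
"""
DC2_WBINFO = """\
S-1-5-21-1111111111-2222222222-3333333333-1105 3000011
S-1-5-21-1111111111-2222222222-3333333333-1106 20001
"""


def parse_ldif(text):
    """Return {objectSid: (sAMAccountName, xid)} for entries carrying uidNumber or gidNumber.

    Entries are separated by blank lines; '#' lines are ldbsearch comments.
    """
    entries = {}
    for block in re.split(r"\n\s*\n", text):
        attrs = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition(": ")
            attrs[key] = value.strip()
        sid = attrs.get("objectSid")
        xid = attrs.get("uidNumber") or attrs.get("gidNumber")
        if sid and xid:
            entries[sid] = (attrs.get("sAMAccountName", "?"), int(xid))
    return entries


def parse_wbinfo(text):
    """Return {objectSid: xid} from 'SID xid' lines.

    A failed wbinfo lookup leaves no numeric second field, so that SID is
    simply absent from the map and shows up as a mismatch (dc_xid None).
    """
    mapping = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].isdigit():
            mapping[parts[0]] = int(parts[1])
    return mapping


def find_mismatches(ad, dc_maps):
    """Return [(dc, account, sid, ad_xid, dc_xid)] for every DC whose answer
    differs from AD (dc_xid is None when the DC could not map the SID)."""
    problems = []
    for dc, mapping in dc_maps.items():
        for sid, (name, ad_xid) in ad.items():
            dc_xid = mapping.get(sid)
            if dc_xid != ad_xid:
                problems.append((dc, name, sid, ad_xid, dc_xid))
    return problems


if __name__ == "__main__":
    ad = parse_ldif(AD_LDIF)
    dcs = {"HH1": parse_wbinfo(DC1_WBINFO), "HH2": parse_wbinfo(DC2_WBINFO)}
    for dc, name, sid, ad_xid, dc_xid in find_mismatches(ad, dcs):
        print(f"{dc}: {name} ({sid}) AD says {ad_xid}, winbind says {dc_xid}")
```

An empty result from `find_mismatches` is the condition Steve is after: every DC answers with the AD value, so nothing depends on the per-DC idmap.ldb contents. A SID that is missing from a DC's map (lookup failed) is reported as well, rather than silently skipped.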
More information about the samba-technical mailing list