Samba4: idmap replication between 2 DC's

Gémes Géza geza at
Thu Jul 12 00:02:23 MDT 2012

On 2012-07-12 07:46, steve wrote:
> On 11/07/12 23:45, Gémes Géza wrote:
>> On 2012-07-11 21:44, steve wrote:
>>> On 11/07/12 21:23, Gémes Géza wrote:
>>>> On 2012-07-11 10:58, steve wrote:
>>>>> Hi
>>>>> Is it possible to get idmap.ldb replicated across 2 DC's as well as
>>>>> the directory partitions?
>>>>> I make changes to id mappings for our Linux users. This is not a
>>>>> problem with NFS, but becomes an issue when Linux users are working on
>>>>> cifs mounted shares. The uidNumber issued by DC2 is not the same as
>>>>> the uidNumber issued by DC1.
>>>>> Cheers,
>>>>> Steve
>>>> Hi Steve,
>>>> If you put
>>>> idmap_ldb:use rfc2307 = yes
>>>> in your smb.conf then setting the uids gids in AD will guarantee that
>>>> they are the same across your samba4/s3fs servers, because then they
>>>> will get that from AD instead of their private idmap (with a fail-back
>>>> to idmap, if the entry has no uid/gid set).
>>>> Regards
>>>> Geza
>>> Hi Geza
>>> I don't think
>>>  idmap_ldb:use rfc2307 = yes
>>> works in Samba4 with s3fs
>>> It doesn't appear as an option in
>>>  testparm -v either
>>> It doesn't have any effect here even though we store all our rfc2307
>>> information in the directory.
>>> Quote from the other thread:
>>> 's3fs and the Samba4 DC use a different winbindd implementation to the
>>> one that Christof is patching.  For that reason, these patches simply
>>> won't have any benefit for you on the Samba4 DC.
>>> Cheers
>>> Andrew Bartlett'
>>> Geza, does it work for you?
>> Yes, but my test domain was upgraded from samba3 in which case the
>> provision automatically puts idmap_ldb:use rfc2307 = yes in smb.conf
>> I don't know where s3fs does the sid<->xid operations, but with wbinfo I've
>> checked and the information is retrieved from AD.
>> Regards
>> Geza
> Hi Geza.
> That's frustrating. We are not using winbindd (but are using winbind 
> if you see what I mean). Is there anything else you have in smb.conf 
> that would affect this? Our nsswitch settings are:
> passwd: files ldap
> group: files ldap
> and our smb.conf is:
> [global]
>     server role = domain controller
>     workgroup = MARINA
>     realm =
>     netbios name = HH1
>     passdb backend = samba4
>     idmap_ldb:use rfc2307 = yes
> On the PDC idmap mappings are the same as those in the AD (we have a
> script that does this when we add e.g. a new group). Even though it
> works and users and groups are correctly mapped on either DC, we
> would like the mappings to come from AD rather than idmap, mainly for
> the sake of maintenance and readability.
> Is there any way we can do this?
> Cheers,
> Steve
Hi Steve,

Now I'm completely confused: in theory idmap_ldb:use rfc2307 = yes would
free you from having to mess with the idmap.ldb. Just have the correct
uids/gids in the directory, and they should be picked up by samba (maybe
you are using an older version? Support for this is quite recent).
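The underlying problem in this thread is that each DC's private idmap.ldb allocates its own xidNumber for a SID, so the two DCs can disagree, and neither need agree with the uidNumber/gidNumber stored in AD. The following is an added example (not from the thread or from the Samba project) of a consistency check an admin could run over dumps of idmap.ldb taken from both DCs: it parses the dumps, reports SIDs mapped to different ids or present on only one DC, and flags SIDs whose local mapping differs from the RFC2307 values in AD. The two dumps and the AD id table are constructed sample data; the record layout (objectClass sidMap, objectSid, type ID_TYPE_UID/ID_TYPE_GID, xidNumber) is assumed from the shape of idmap.ldb records, and the path used to produce a real dump (something like `ldbsearch -H /usr/local/samba/private/idmap.ldb objectClass=sidMap`) is an assumption that depends on your install prefix.

```python
"""Compare SID -> xid mappings from two Samba4 DCs' idmap.ldb dumps.

Added example. The LDIF text below is constructed sample data shaped like
an ldbsearch dump of idmap.ldb; attribute names are assumed, not from the thread.
"""
import base64

DC1_DUMP = """\
# record 1
dn: CN=S-1-5-21-1111-2222-3333-1103
objectClass: sidMap
objectSid: S-1-5-21-1111-2222-3333-1103
type: ID_TYPE_UID
xidNumber: 3000021

# record 2
dn: CN=S-1-5-21-1111-2222-3333-1104
objectClass: sidMap
objectSid: S-1-5-21-1111-2222-3333-1104
type: ID_TYPE_GID
xidNumber: 3000022

# record 3
dn: CN=S-1-5-21-1111-2222-3333-1105
objectClass: sidMap
objectSid: S-1-5-21-1111-2222-3333-1105
type: ID_TYPE_UID
xidNumber: 3000030
"""

# DC2 allocated a different gid for -1104 and has never seen -1105 (constructed).
DC2_DUMP = """\
dn: CN=S-1-5-21-1111-2222-3333-1103
objectClass: sidMap
objectSid: S-1-5-21-1111-2222-3333-1103
type: ID_TYPE_UID
xidNumber: 3000021

dn: CN=S-1-5-21-1111-2222-3333-1104
objectClass: sidMap
objectSid: S-1-5-21-1111-2222-3333-1104
type: ID_TYPE_GID
xidNumber: 3000045
"""

# uidNumber/gidNumber as stored in AD (RFC2307 attributes); constructed sample values.
AD_IDS = {
    "S-1-5-21-1111-2222-3333-1103": ("ID_TYPE_UID", 10001),
    "S-1-5-21-1111-2222-3333-1104": ("ID_TYPE_GID", 10002),
}


def parse_ldif(text):
    """Parse a simple LDIF dump into a list of {attr: [values]} records.

    Handles '#' comments, blank-line record separators, '::' base64 values
    and single-space continuation lines (continuations of base64 values are
    not handled; idmap.ldb dumps do not need them).
    """
    records, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw == "":
            if current:
                records.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr:
            current[last_attr][-1] += raw[1:]
            continue
        attr, sep, value = raw.partition(":")
        if not sep:
            continue
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
        last_attr = attr
    if current:
        records.append(current)
    return records


def sid_map(records):
    """Return {sid: (type, xid)} for every sidMap record in a dump."""
    mapping = {}
    for rec in records:
        if "sidMap" not in rec.get("objectClass", []):
            continue
        mapping[rec["objectSid"][0]] = (rec.get("type", ["?"])[0],
                                        int(rec["xidNumber"][0]))
    return mapping


def compare_idmaps(a, b):
    """List SIDs whose mapping differs between two DCs or exists on only one."""
    problems = []
    for sid in sorted(set(a) | set(b)):
        if sid not in a or sid not in b:
            problems.append((sid, a.get(sid), b.get(sid), "missing on one DC"))
        elif a[sid] != b[sid]:
            problems.append((sid, a[sid], b[sid], "different xid"))
    return problems


def check_against_ad(idmap, ad_ids):
    """List SIDs whose local idmap.ldb entry disagrees with the AD RFC2307 id."""
    return [(sid, idmap[sid], ad_ids[sid]) for sid in sorted(ad_ids)
            if sid in idmap and idmap[sid] != ad_ids[sid]]


if __name__ == "__main__":
    dc1, dc2 = sid_map(parse_ldif(DC1_DUMP)), sid_map(parse_ldif(DC2_DUMP))
    for line in compare_idmaps(dc1, dc2):
        print("DC1 vs DC2:", line)
    for line in check_against_ad(dc1, AD_IDS):
        print("DC1 vs AD:", line)
```

With the sample data the script reports that DC2 issued a different gid for the -1104 group, that DC1 alone has an entry for -1105, and that both of DC1's mapped ids differ from what AD holds, which is exactly the situation that makes uids differ between DCs on cifs mounts; once the directory's uidNumber/gidNumber values are actually being used, the third check should come back empty.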
