Samba4: idmap replication between 2 DC's

steve steve at
Thu Jul 12 01:10:22 MDT 2012

On 12/07/12 08:02, Gémes Géza wrote:
> 2012-07-12 07:46 keltezéssel, steve írta:
>> On 11/07/12 23:45, Gémes Géza wrote:
>>> 2012-07-11 21:44 keltezéssel, steve írta:
>>>> On 11/07/12 21:23, Gémes Géza wrote:
>>>>> 2012-07-11 10:58 keltezéssel, steve írta:
>>>>>> Hi
>>>>>> Is it possible to get idmap.ldb replicated across 2 DC's as well as
>>>>>> the directory partitions?
>>>>>> I make changes to id mappings for our Linux users. This is not a
>>>>>> problem with NFS, but becomes an issue when Linux users are
>>>>>> working on
>>>>>> cifs mounted shares. The uidNumber issued by DC2 is not the same as
>>>>>> the uidNumber issued by DC1.
>>>>>> Cheers,
>>>>>> Steve
>>>>> Hi Steve,
>>>>> If you put
>>>>> idmap_ldb:use rfc2307 = yes
>>>>> in your smb.conf then setting the uids gids in AD will guarantee that
>>>>> they are the same across your samba4/s3fs servers, because then they
>>>>> will get that from AD instead of their private idmap (with a fail-back
>>>>> to idmap, if the entry has no uid/gid set).
>>>>> Regards
>>>>> Geza
>>>> Hi Geza
>>>> I don't think
>>>>  idmap_ldb:use rfc2307 = yes
>>>> works in Samba4 with s3fs
>>>> It doesn't appear as an option in
>>>>  testparm -v either
>>>> It doesn't have any effect here even though we store all our rfc2307
>>>> information in the directory.
>>>> Quote from the other thread:
>>>> 's3fs and the Samba4 DC use a different winbindd implementation to the
>>>> one that Christof is patching.  For that reason, these patches simply
>>>> won't have any benefit for you on the Samba4 DC.
>>>> Cheers
>>>> Andrew Bartlett'
>>>> Geza, does it work for you?
>>> Yes, but my test domain was upgraded from samba3 in which case the
>>> provision automatically puts idmap_ldb:use rfc2307 = yes in smb.conf
>>> I don't know s3fs where does sid<->xid operations, but with wbinfo I've
>>> checked and the information is retrieved from AD.
>>> Regards
>>> Geza
>> Hi Geza.
>> That's frustrating. We are not using winbindd (but are using winbind
>> if you see what I mean). Is there anything else you have in smb.conf
>> that would affect this? Our nsswitch settings are:
>> passwd: files ldap
>> group: files ldap
>> and our smb.conf is:
>> [global]
>>     server role = domain controller
>>     workgroup = MARINA
>>     realm =
>>     netbios name = HH1
>>     passdb backend = samba4
>>     idmap_ldb:use rfc2307 = yes
>>  On the PDC idmap mappings are the same as those in the AD (we have a
>> script that does this when we add e.g. a new group). Even though it
>> works and users and groups are correctly mapped from on eithr DC, we
>> would like the mappings to come from AD rather than idmap. mainly for
>> the sake of maintenance and readability.
>> Is there any way we can do this?
>> Cheers,
>> Steve
> Hi Steve,
> Now I'm completely confused: In theory idmap_ldb:use rfc2307 = yes would
> free you from having to mess with the idmap.ldb. Just have the correct
> uids/gids in the directory, and they should be picked by samba (maybe
> you are using an older version? support for this is quite recent).
> Regards
> Geza

Hi Geza
So am I. Andrew's comment about
  idmap_ldb:use rfc2307 = yes
not applying to s3fs with AD (see above) makes it even more confusing.

I'm not using an older version, this is a git from a few days ago.

Geza, from your coders pov, does the code suggest that it _does_ work 
with s3fs and AD?

All our rfc2307 attributes and classes are stored in AD. nss-ldapd pulls 
them out fine for Linux NFS clients. However, despite having 
idmap_ldb:use rfc2307 = yes in smb.conf, wbinfo -i user still shows 
what's in idmap.

On our PDC we have scripts which change the gidNumber for newly created 
groups. The script changes both the idmap xidNumber and AD gidNumber. On 
a replicated second DC also with idmap_ldb:use rfc2307 = yes, the 
gidNumber is _not_ coming from AD, only from idmap.

Is there any way we can confir what should happen?

More information about the samba-technical mailing list