[Samba] samba3: domain member server: user mapping problem (ldap)

Jelmer Vernooij jelmer at vernstok.nl
Mon Sep 29 15:08:14 GMT 2003

On Mon, 2003-09-29 at 17:04, Gunther Schlegel wrote:
> Hi,
> I have noticed a strange behavior regarding samba 3 domain member
> servers:
> I have a LDAP based Samba3 PDC + BDC setup running and want to add a
> third machine as "Domain member server" (name: HILBERT ). 
> Problem:
> When I look up the file ownership from a W2K Workstation Client both PDC
> and BDC show the owners account to be a domain account: 
> e.g.: DOMAIN\schlegel
> Hilbert behaves differently. It shows local users and mapped group in
> the form:
> HILBERT\[local user on hilbert|centrally mapped group]
> and ldap-users like this:
> HILBERT\(the Users SID)
> I expect it to at least show mapped groups and ldap users in the form
> DOMAIN\username.
> I am also not quite sure whether I should run the server in "domain" or
> "user" security mode, but I found out I have to use the LDAP backend to
> get the central group mapping. I also found out that both setups work
> and that the domain setup is talking to the PDC while the user setup
> does not. This is like I expected it.
> However, the behavior regarding hostname vs. domainname is the same.
> nss_ldap + pam_ldap work fine, the UIDs are mapped on the OS level.
> Environment software is openldap 2.1.22, nss_ldap 202, RedHat 9.

Hi Gunther, 

You should set 'security = domain' (that way, the user and group lists
are retrieved from the PDC), no 'passdb backend'. Though 'idmap backend'
should be set (SID-to-UID and SID-to-GID mappings can't be retrieved
from the PDC).


Jelmer Vernooij  - http://jelmer.vernstok.nl/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba/attachments/20030929/27458afe/attachment.bin

More information about the samba mailing list