[Samba] samba3: domain member server: user mapping problem (ldap)

Gunther Schlegel schlegel at riege.com
Tue Sep 30 10:27:18 GMT 2003

Hi Jelmer,

thanks for your message.

> You should set 'security = domain' (that way, the user and group lists
> are retrieved from the PDC), no 'passdb backend'. Though 'idmap backend'
> should be set (SID-to-UID and SID-to-GID mappings can't be retrieved
> from the PDC).

This is in fact the first configuration I tried because it seemed to be
the "natural" solution. 

I still have some questions and hope you can help me again:

a) I had to use winbind to get any use of the passdb backend setting.
However, contrary to the HowTo Collection §10.2.3 / Example table
10.1, the line in smb.conf had to be

idmap backend  = ldap:ldap://leibniz.rsidus.riege.de, and not

idmap backend  = ldapsam:ldap://leibniz.rsidus.riege.de

b) Am I supposed to use winbind at all? I am already using pam_ldap and
nss_ldap on the server. The winbind settings are:

idmap uid = 10000-20000
idmap gid = 10000-20000
winbind trusted domains only = yes

The UIDs/GIDs actually used in LDAP are in between 600 and 3000.

c) net groupmap still does not list anything.

d) In Windows the system still shows the rights as [member
server]\username instead of DOMAIN\username.

e) Do I have to adjust the member server's SID? It created its own one
and it is different from the domain's SID.

regards, Gunther

Gunther Schlegel                    Riege Software International GmbH
Manager System Administration                            Mollsfeld 10
                                             40670 Meerbusch, Germany
Email: schlegel at riege.de                      Phone: +49-2159-9148-0
                                              Fax:   +49-2159-9148-11

You may grab my GPG key from http://www.keyserver.net .
A nonproportional font is recommended for reading.