[Samba] samba3: domain member server: user mapping problem (ldap)
schlegel at riege.com
Tue Sep 30 14:16:37 GMT 2003
> > idmap backend = ldap:ldap://leibniz.rsidus.riege.de, and not
> > ^^^^
> > idmap backend = ldapsam:ldap://leibniz.rsidus.riege.de
> > ^^^^^^^
> Thanks, I fixed it in the documentation.
You may change it there as well:
- example §5.3
- §20.1 (at bottom of page): If idmap backend has been specifies as
The text about using winbind on BDCs and member servers at the end of
paragraph 5.3 would be of great help in paragraph 6.3 as well. ;)
Overall this idmap / winbind thing was merged quite late with the Howto
I suppose, because I did not read it when I set up the PDC / BDC (about
the time when rc1/rc2 came out) and the chapter on winbind still seems
to have the winbind 2.2 in mind - overall winbind now seems to be able
to act as a snap-in replacement for nss_ldap/pam_ldap, but on the other
hand I tend to stick with the latter on a plain Linux server
> > b) am I supposed to use winbind at all? I am already using pam_ldap and
> > nss_ldap on the server. The winbind settings are:
> > idmap uid = 10000-20000
> > idmap gid = 10000-20000
> > winbind trusted domains only = yes
> > The UIDs/GIDs actually used in LDAP are in between 600 and 3000.
> I figure idmap is not working correctly (or it's supposed to work
> differently than the last time I looked at it..)
> > c) net groupmap still does not list anything.
> 'net groupmap list' does not give any output _at all_ ?
no, it just maps everything to -1:
[root at hilbert samba]# net groupmap list
System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Admins (S-1-5-21-1454018726-3595976858-1671193852-512) -> -1
Domain Guests (S-1-5-21-1454018726-3595976858-1671193852-514) -> -1
while on the PDC/BDC it is more like this:
[root at leibniz schlegel]# net groupmap list
Domain Admins (S-1-5-21-4157288312-2978303034-1700589767-2201) ->
Domain Users (S-1-5-21-4157288312-2978303034-1700589767-512) -> smbuser
Domain Guests (S-1-5-21-4157288312-2978303034-1700589767-514) -> nobody
develop (S-1-5-21-4157288312-2978303034-1700589767-3013) -> develop
however, wbinfo -g gives output on BDC and member server:
[root at hilbert samba]# wbinfo -g
Maybe net groupmap is not intended / necessary on member servers using
winbind? The SIDs get mapped in a correct way now except for the
> > d) In windows the system still shows the rights as [member
> > server]\username instead of DOMAIN\username.
No hints on this one?
> > e) do I have to adjust the member server's SID? It created its own one
> > and it is different from the domain's SID.
> Have you joined the domain correctly?
definitely. net rpc join, and it succeeded and the PDC added the account
in the ldap tree.
> Each workstation also has its own
> SID, so that shouldn't be a problem.
This is what I expect, I am just not sure whether the member server's
SID has to partly match the domain's SID or something like this.
I think I figured out that my main problem (d), member server name
instead of domain name in front of the user's name) is gone if I change
the SID of the member server; on the other hand I expect things to get
odd and break if the SID is not unique...
Gunther Schlegel Riege Software International GmbH
Manager System Administration Mollsfeld 10
40670 Meerbusch, Germany
Email: schlegel at riege.de Phone: +49-2159-9148-0
You may grab my GPG key from http://www.keyserver.net .
A nonproportional font is recommended for reading.
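The two concrete symptoms in this thread are the `ldapsam:` vs. `ldap:` prefix on `idmap backend` and a `net groupmap list` that maps every group to `-1`. The following script is an added example, not code from the thread or from the Samba project: it parses a constructed copy of `net groupmap list` output to flag unmapped groups, and reads the `[global]` section of a constructed smb.conf to warn about the wrong backend prefix and about an `idmap uid`/`idmap gid` range that overlaps the IDs already used in LDAP (the poster's 600-3000). The host name `ldap.example.invalid` and the group names are placeholders.

```python
import re

# Constructed sample modelled on the `net groupmap list` lines quoted in the thread.
SAMPLE_GROUPMAP = """\
System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Domain Users (S-1-5-21-4157288312-2978303034-1700589767-512) -> smbuser
Domain Guests (S-1-5-21-4157288312-2978303034-1700589767-514) -> nobody
develop (S-1-5-21-4157288312-2978303034-1700589767-3013) -> develop
"""

# Constructed smb.conf fragment with the mistaken 'ldapsam:' prefix discussed above.
SAMPLE_SMB_CONF_BAD = """\
[global]
   workgroup = EXAMPLE
   # wrong: 'ldapsam:' is a passdb backend name, the idmap backend is 'ldap:'
   idmap backend = ldapsam:ldap://ldap.example.invalid
   idmap uid = 10000-20000
   idmap gid = 10000-20000
"""

# One line of `net groupmap list`: "<name> (<SID>) -> <unix group or -1 or empty>"
GROUPMAP_RE = re.compile(r"^(?P<name>.+?) \((?P<sid>S-1-[\d-]+)\) -> ?(?P<unix>.*)$")


def parse_groupmap(text):
    """Return a list of (name, sid, unix_group) tuples; unix_group is None if empty."""
    entries = []
    for line in text.splitlines():
        m = GROUPMAP_RE.match(line.strip())
        if not m:
            continue  # skip prompts, blank lines and anything that is not a mapping
        unix = m.group("unix").strip()
        entries.append((m.group("name"), m.group("sid"), unix or None))
    return entries


def unmapped_groups(entries):
    """Names of groups whose mapping is missing or the -1 sentinel."""
    return [name for name, _sid, unix in entries if unix in (None, "-1")]


def parse_global(conf_text):
    """Minimal smb.conf reader: key/value pairs from the [global] section only."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, val = line.split("=", 1)
            params[" ".join(key.split()).lower()] = val.strip()
    return params


def parse_range(value):
    """'10000-20000' -> (10000, 20000); None if the value is not a range."""
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", value or "")
    return (int(m.group(1)), int(m.group(2))) if m else None


def ranges_overlap(a, b):
    return a[0] <= b[1] and b[0] <= a[1]


def check_idmap(params, local_ids=None):
    """Return a list of human-readable findings about the idmap settings."""
    findings = []
    backend = params.get("idmap backend", "")
    if backend.lower().startswith("ldapsam:"):
        findings.append("idmap backend uses the 'ldapsam:' prefix; the LDAP idmap backend is 'ldap:'")
    if local_ids:
        for key in ("idmap uid", "idmap gid"):
            rng = parse_range(params.get(key))
            if rng and ranges_overlap(rng, local_ids):
                findings.append(f"{key} range {rng} overlaps IDs already used locally {local_ids}")
    return findings


if __name__ == "__main__":
    for name in unmapped_groups(parse_groupmap(SAMPLE_GROUPMAP)):
        print(f"unmapped group: {name}")
    for finding in check_idmap(parse_global(SAMPLE_SMB_CONF_BAD), local_ids=(600, 3000)):
        print(f"config: {finding}")
```

On a real host the two inputs would come from `net groupmap list` and `/etc/samba/smb.conf`; with the poster's ranges (600-3000 in LDAP, 10000-20000 for idmap) only the backend prefix is reported, which is the misconfiguration the thread corrects.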