[Samba] How do I get Winbind accounts in LDAP?

John H Terpstra jht at samba.org
Sat Jan 3 23:54:03 GMT 2004


Did you create the container for the ou=Idmap in your LDAP database?
The IDMAP entries are automatically added to LDAP - IF the container
exists, and so long as Samba can access that database.

Also, I suggest you store your machine accounts in the Users container
and not in the Computers container. Samba does not at this time search the
Computers container correctly.

Execute the following to find out if your LDAP database has an IDMAP
	slapcat | grep -i IDMAP

If nothing is returned, execute this:

ldapadd -x -D "cn=admin,dc=tow,dc=net" -w 'password' << EOR
dn: ou=Idmap,dc=abmas,dc=biz
objectClass: organizationalunit
ou: idmap
structuralObjectClass: organizationalunit

Now you must stop samba, delete the winbind*tdb files, restart samba,
	wbinfo -u
And that should automatically populate your LDAP IDMAP database.

John T.

On Sat, 3 Jan 2004, Kent L. Nasveschuk wrote:

> I've seen this posting before but I need to get a grasp on this. I am
> using winbindd for users that don't have a local account on a Linux box.
> I thought that placing the entries below in the smb.conf would create
> users in ou=Idmap. Instead the ou=Idmap increments the uidNumber with
> every user that is added,but the user ID mappings are stored in
> /usr/local/var/locks/winbindd_idmap.tdb. What entry in smb.conf will
> change this. These are the applicable portions of smb.conf.
>         ldap suffix = dc=tow,dc=net
>         ldap machine suffix = ou=Computers
>         ldap user suffix = ou=Users
>         ldap group suffix = ou=Groups
>         ldap admin dn = cn=admin,dc=tow,dc=net
>         ldap ssl = no
>         idmap backend = ldap:ldap://
>         ldap idmap suffix = ou=Idmap
>         winbind separator = +
>         idmap uid = 40000-50000
>         idmap gid = 40000-50000
>         winbind enum users = yes
>         winbind enum groups = yes
>         template homedir = /accounts/default/%D/%U
>         template shell = /bin/bash
>         winbind use default domain = yes
>         winbind cache time = 15
>         obey pam restrictions = yes
> So I use wbinfo -c <username>. This returns a RID number. User can now
> login or use smbclient -L localhost -U <username> <password> and get
> available shares on this BDC. In LDAP directory is incremented by 1, but
> there are no entries.
> How do I move the entries that are stored in
> /usr/local/var/locks/winbindd_idmap.tdb to the LDAP directory?
> What I've omitted in all this is that pam and pam_winbind is setup
> correctly, which I believe it is.

John H Terpstra
Email: jht at samba.org

More information about the samba mailing list