[Samba] AD domain with SDMS issues & LDAP Idmap backend
letz_samba at realmspace.com
Sun Dec 4 07:45:27 GMT 2005
I'm guessing that you need to add some UNIX schema to AD LDAP, either
Posix schema using AD4Unix or SFU, and then configure IDmap to use that.
The IDMAP should then write to UID and GID to AD LDAP instead of a
separate OpenLDAP solution.
I'm desperately looking for documentation, but I am finding most is to
NT-Domain oriented functionality.
From: samba-bounces+letz_samba=realmspace.com at lists.samba.org
[mailto:samba-bounces+letz_samba=realmspace.com at lists.samba.org] On
Behalf Of Vijay Avarachen
Sent: Tuesday, November 22, 2005 9:29 AM
To: samba at lists.samba.org
Subject: [Samba] AD domain with SDMS issues & LDAP Idmap backend
I have been trying to join a Samba Domain member server to the AD and
LDAP for IDMAP storage. I have run into many strange issues and I was
someone can please take time to clarify things for me. I have read quite
bit (I own both the Samba books by Terpstra) and done a lot of Google
searching. I think part of my problem is the unusual setup I have, as
the examples in the book/net assume user will have a very small AD and
full control of it.
We are a small division and the AD is hosted by our corporate IT. I do
Domain Admin access to our branch of the AD, but not the whole tree. The
entire tree has over 8000+ users.
 Using winbind authenticate users on Linux servers/workstations -
 Using Kerberos so that users are not prompted for login and password
when accessing Domain shares - ACCOMPLISHED but still has some issues.
 Rather than each Linux host maintaining its own idmap db, store
everything on a OpenLDAP server - FAILED
Here is what I have done so far:
 OpenLDAP server with three OU's - People, Groups, Idmap
 Joined a Linux server to AD (net ads join ...)
 Confirmed that I get list of users when I do wbinfo -u (or getent
passwd). - However I do not get ALL the users. As a matter of fact I get
many other domains in AD (ex. SA, EU, AP), but not my own Domain (NA).
anyone know why this would be? Due to this I am unable to test user
since I do not have account access for another domain.
 On the OpenLDAP server there seems to be no change in the Idmap, I
understand why it is not getting populated. If I do a manual ldapsearch,
can access the ldap server and query the directory. I also made sure
the smbpasswd -w <my ldap user password> is correct.
Here is my smb.conf file:
workgroup = NA
netbios name = SPDUSLISHNODE01
realm = NA.NET.MYCOMPANY.COM <http://NA.NET.MYCOMPANY.COM>
server string = Queue Headnode
security = ADS
log level = 1 ads:10 passdb:5 auth:10 winbind:8 sam:10 rpc:10
ldap admin dn = cn=spd.ldapadmin,o=mycompany
ldap idmap suffix = ou=Idmap
ldap suffix = o=mycompany
idmap uid = 150000-550000
idmap gid = 150000-550000
template shell = /bin/bash
template homedir = /home/%U
winbind use default domain = yes
encrypt passwords = yes
password server = SPDUSLISDC010
winbind separator = /
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = no
wins server = 10.55.56.4 <http://10.55.56.4>
name resolve order = wins lmhosts bcast
My krb5.conf file is similar to the one in Samba-Guide (and I knwo this
works since I can join the Linux host to AD directory)
"Knowledge is the only wealth that grows as you spend it, and diminishes
you save it."
-- ancient Sanskrit saying
To unsubscribe from this list go to the following URL and read the
More information about the samba