[Samba] AD domain with SDMS issues & LDAP Idmap backend

Vijay Avarachen vavarachen at gmail.com
Tue Nov 22 17:28:30 GMT 2005

I have been trying to join a Samba Domain member server to the AD and use
LDAP for IDMAP storage. I have run into many strange issues and I was hoping
someone can please take time to clarify things for me. I have read quite a
bit (I own both the Samba books by Terpstra) and done a lot of Google
searching. I think part of my problem is the unusual setup I have, as all
the examples in the book/net assume user will have a very small AD and have
full control of it.

We are a small division and the AD is hosted by our corporate IT. I do have
Domain Admin access to our branch of the AD, but not the whole tree. The
entire tree has over 8000+ users.

My goals:
[1] Using winbind to authenticate users on Linux servers/workstations -
[2] Using Kerberos so that users are not prompted for login and password
when accessing Domain shares - ACCOMPLISHED but still has some issues.
[3] Rather than each Linux host maintaining its own idmap db, store
everything on an OpenLDAP server - FAILED

Here is what I have done so far:
[1] OpenLDAP server with three OU's - People, Groups, Idmap
[2] Joined a Linux server to AD (net ads join ...)
[3] Confirmed that I get a list of users when I do wbinfo -u (or getent
passwd). - However I do not get ALL the users. As a matter of fact I get
many other domains in AD (ex. SA, EU, AP), but not my own Domain (NA). Does
anyone know why this would be? Due to this I am unable to test user login,
since I do not have account access for another domain.
[4] On the OpenLDAP server there seems to be no change in the Idmap, I don't
understand why it is not getting populated. If I do a manual ldapsearch, I
can access the ldap server and query the directory. I also made sure that
the smbpasswd -w <my ldap user password> is correct.

Here is my smb.conf file:
workgroup = NA
netbios name = SPDUSLISHNODE01
server string = Queue Headnode
security = ADS
log level = 1 ads:10 passdb:5 auth:10 winbind:8 sam:10 rpc:10
ldap admin dn = cn=spd.ldapadmin,o=mycompany
ldap idmap suffix = ou=Idmap
ldap suffix = o=mycompany
idmap uid = 150000-550000
idmap gid = 150000-550000
template shell = /bin/bash
template homedir = /home/%U
winbind use default domain = yes
encrypt passwords = yes
password server = SPDUSLISDC010
winbind separator = /
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = no
wins server = <>
name resolve order = wins lmhosts bcast

My krb5.conf file is similar to the one in Samba-Guide (and I know this
works since I can join the Linux host to AD directory)

Vijay Avarachen

"Knowledge is the only wealth that grows as you spend it, and diminishes as
you save it."
-- ancient Sanskrit saying
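An added example, not part of the original post: a small audit script for a Samba 3.0-era smb.conf fragment like the one above, checking the settings the LDAP idmap backend depends on. It assumes the Samba 3.0 parameter names "idmap backend", "ldap idmap suffix", "idmap uid" and "idmap gid"; the sample config is constructed from the post and the LDAP server name in the corrected variant is a placeholder.

```python
# Constructed sample, mirroring the smb.conf fragment quoted in the post.
SAMPLE_SMB_CONF = """
[global]
workgroup = NA
security = ADS
ldap admin dn = cn=spd.ldapadmin,o=mycompany
ldap idmap suffix = ou=Idmap
ldap suffix = o=mycompany
idmap uid = 150000-550000
idmap gid = 150000-550000
winbind use default domain = yes
password server = SPDUSLISDC010
wins server = <>
"""

def parse_smb_conf(text):
    """Parse 'key = value' lines into a dict (keys lowercased); skip sections, comments, blanks."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip().lower()] = value.strip()
    return conf

def parse_range(value):
    """Turn 'LOW-HIGH' into a (low, high) integer tuple; raises ValueError if malformed."""
    lo, hi = value.split("-", 1)
    return int(lo), int(hi)

def audit_idmap(conf):
    """Return findings that explain why idmap entries would not reach the LDAP server."""
    findings = []
    backend = conf.get("idmap backend", "")
    # Samba 3.0: with no 'idmap backend = ldap:ldap://<server>' winbind keeps
    # mappings in its local winbindd_idmap.tdb, and 'ldap idmap suffix' is never used.
    if "ldap idmap suffix" in conf and not backend.startswith("ldap:"):
        findings.append("ldap idmap suffix is set but idmap backend is not "
                        "'ldap:ldap://<server>'; mappings stay in the local idmap tdb")
    for key in ("idmap uid", "idmap gid"):
        if key not in conf:
            findings.append(f"{key} is not set; winbind cannot allocate ids")
            continue
        try:
            lo, hi = parse_range(conf[key])
        except ValueError:
            findings.append(f"{key} is not of the form LOW-HIGH")
            continue
        if lo >= hi:
            findings.append(f"{key} range {conf[key]} is empty or inverted")
    if "wins server" in conf and conf["wins server"].strip("<> ") == "":
        findings.append("wins server is a placeholder; name resolution via WINS will fail")
    return findings
```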
