[Samba] Re: AD domain with SDMS issues & LDAP Idmap backend

Vijay Avarachen vavarachen at gmail.com
Tue Nov 22 21:35:00 GMT 2005

Ok WTF... idmap is getting populated in OpenLDAP now. :-) It just took a sh*t
load of time....and it turns out I was wrong about the headcount in AD, it's not
8000+, it's close to 40,000+ YIKES! Also I noticed that there are some errors
in the Samba-3 By Example book. On page 235 (section "IDMAP Storage in LDAP
using Winbind"), it tells you to set passwd, shadow and group in
/etc/nsswitch.conf to "file ldap". It should really be "files winbind ldap".
Or else when you do getent passwd/group, it's not gonna see those entries
from winbind.

Does anyone know if it's safe to turn on nscd, cause I don't want the ldap
server getting pounded.


Vijay Avarachen

On 11/22/05, Vijay Avarachen <vavarachen at gmail.com> wrote:
> Hi,
> I have been trying to join a Samba Domain member server to the AD and use
> LDAP for IDMAP storage. I have run into many strange issues and I was hoping
> someone can please take time to clarify things for me. I have read quite a
> bit (I own both the Samba books by Terpstra) and done a lot of Google
> searching. I think part of my problem is the unusual setup I have, as all
> the examples in the book/net assume the user will have a very small AD and have
> full control of it.
> We are a small division and the AD is hosted by our corporate IT. I do
> have Domain Admin access to our branch of the AD, but not the whole tree.
> The entire tree has over 8000+ users.
> My goals:
> [1] Using winbind authenticate users on Linux servers/workstations -
> [2] Using Kerberos so that users are not prompted for login and password
> when accessing Domain shares - ACCOMPLISHED but still has some issues.
> [3] Rather than each Linux host maintaining its own idmap db, store
> everything on an OpenLDAP server - FAILED
> Here is what I have done so far:
> [1] OpenLDAP server with three OU's - People, Groups, Idmap
> [2] Joined a Linux server to AD (net ads join ...)
> [3] Confirmed that I get list of users when I do wbinfo -u (or getent
> passwd). - However I do not get ALL the users. As a matter of fact I get
> many other domains in AD (ex. SA, EU, AP), but not my own Domain (NA). Does
> anyone know why this would be? Due to this I am unable to test user login,
> since I do not have account access for another domain.
> [4] On the OpenLDAP server there seems to be no change in the Idmap, I
> don't understand why it is not getting populated. If I do a manual
> ldapsearch, I can access the ldap server and query the directory. I also
> made sure that the smbpasswd -w <my ldap user password> is correct.
> Here is my smb.conf file:
> [global]
> workgroup = NA
> netbios name = SPDUSLISHNODE01
> server string = Queue Headnode
> security = ADS
> log level = 1 ads:10 passdb:5 auth:10 winbind:8 sam:10 rpc:10
> ldap admin dn = cn=spd.ldapadmin,o=mycompany
> ldap idmap suffix = ou=Idmap
> ldap suffix = o=mycompany
> idmap uid = 150000-550000
> idmap gid = 150000-550000
> template shell = /bin/bash
> template homedir = /home/%U
> winbind use default domain = yes
> encrypt passwords = yes
> password server = SPDUSLISDC010
> winbind separator = /
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> dns proxy = no
> wins server = <>
> name resolve order = wins lmhosts bcast
> My krb5.conf file is similar to the one in Samba-Guide (and I know this
> works since I can join the Linux host to the AD directory)
> Thanks,
> Vijay Avarachen
> --
> "Knowledge is the only wealth that grows as you spend it, and diminishes
> as you save it."
> -- ancient Sanskrit saying

"Knowledge is the only wealth that grows as you spend it, and diminishes as
you save it."
-- ancient Sanskrit saying
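The two checks the poster ends up doing by hand, as an added example that is not code from the thread or from the Samba project: one verifies that passwd, shadow and group in an nsswitch.conf-style file use "files winbind ldap" rather than the book's "file ldap", and the other verifies that an smb.conf idmap range such as 150000-550000 has room for the real headcount. The sample file contents and the 40,000-user figure used in the demo are constructed here; the helper names are this example's own.

```sh
#!/bin/sh
# Added example, not from the original post. Encodes the poster's findings:
# (1) passwd/shadow/group in nsswitch.conf must read "files winbind ldap"
#     ("file" is a typo for "files"; without winbind, getent never sees
#     domain users), and
# (2) the idmap uid/gid range in smb.conf must hold the actual headcount.
# Sample inputs below are constructed for the demo; helper names are ours.

# check_nsswitch FILE: return 0 if passwd, shadow and group each list a valid
# "files" source, include winbind, and keep the poster's order (winbind
# before ldap). Problems are printed one per line.
check_nsswitch() {
    file="$1"
    status=0
    for db in passwd shadow group; do
        # first line for this database; keep only the source list
        line=$(grep -E "^[[:space:]]*${db}:" "$file" | head -n 1)
        if [ -z "$line" ]; then
            echo "$db: no entry in $file"
            status=1
            continue
        fi
        # pad with spaces and turn tabs into spaces so " word " patterns match
        sources=" $(printf '%s' "${line#*:}" | tr '\t' ' ') "
        case "$sources" in
            *" file "*) echo "$db: 'file' is not a valid source, use 'files'"; status=1 ;;
        esac
        case "$sources" in
            *" winbind "*) ;;
            *) echo "$db: winbind missing, domain users will not appear in getent"; status=1 ;;
        esac
        case "$sources" in
            *" ldap "*" winbind "*) echo "$db: ldap listed before winbind"; status=1 ;;
        esac
    done
    return $status
}

# idmap_range_size LO-HI: number of ids available in an "idmap uid = LO-HI" line
idmap_range_size() {
    range="$1"
    lo=${range%-*}
    hi=${range#*-}
    echo $((hi - lo + 1))
}

# idmap_range_fits LO-HI COUNT: return 0 if the range can hold COUNT ids
idmap_range_fits() {
    [ "$(idmap_range_size "$1")" -ge "$2" ]
}

# Demo on a constructed nsswitch.conf fragment (not the poster's real file).
demo_file=$(mktemp)
printf 'passwd:\tfiles winbind ldap\nshadow:\tfiles winbind ldap\ngroup:\tfiles winbind ldap\n' > "$demo_file"
if check_nsswitch "$demo_file"; then echo "nsswitch.conf: ok"; fi
rm -f "$demo_file"
# The smb.conf range from the thread against the corrected 40,000+ headcount.
if idmap_range_fits 150000-550000 40000; then echo "idmap range holds 40,000 users"; fi
```

Run it against the real file with `check_nsswitch /etc/nsswitch.conf`; a non-zero exit with the printed reasons is the same symptom the poster saw from getent, caught before winbind is restarted.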
