[Samba] Re: Need help with IDMAP storage in LDAP using Winbind

paul kölle paul at subsignal.org
Thu Sep 29 15:36:38 GMT 2005

Kristof Bruyninckx wrote:
> But still there are some new problems that popped up. wbinfo -u, wbinfo
> -g and wbinfo -t still work.
> Also getent passwd works, and shows me all the Windows accounts, but it
> is very slow. When starting this command, the LDAP starts pumping a lot
> of messages into /var/log/message; this in itself is not a real problem
> since the debugging is turned to maximum.
Logging slows things down. Additionally, you might consider adding
indexes for the relevant attributes to slapd.conf: shut down the LDAP
server, run slapindex and start again.

> But even though getent passwd is working, I cannot perform id
> <Windows.Username>
Hmm, I'd expect id should work for root as soon as getent works for
root. Stop nscd if running. I'm sure you already read this:

> nor login as that user.
You have set up pam_winbind, have you?

> ldapsearch -x -b 'dc=thales,dc=be' '(objectclass=*)' also doesn't show me any entry, and
> if I'm not mistaken it should display everything.
No, this is an anonymous search and your ACLs do not grant anonymous
read access. I don't know if that is a problem for nss_winbind though;
try changing your last ACL to:

access to *
    by  dn.base="uid=samba,ou=Idmap,dc=thales,dc=be" write
    by self write
    by users read
    by * read

If that helps, you will have to investigate which component uses
anonymous binds and if that can be changed.
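
For the last step above (finding which component binds anonymously), the following sketch, added here as an example and not part of the original message, scans slapd log lines for searches sent on connections that have no bind DN. It assumes slapd is logging at the stats level; the sample log lines are constructed and `anonymous_searches` is a name chosen for this example.

```python
import re

# Constructed sample in the format OpenLDAP's slapd writes at "loglevel stats";
# connection numbers, ports and filters are made up, DNs follow the ACL above.
SAMPLE_LOG = '''\
slapd[2301]: conn=12 fd=14 ACCEPT from IP=127.0.0.1:40112 (IP=0.0.0.0:389)
slapd[2301]: conn=12 op=0 BIND dn="" method=128
slapd[2301]: conn=12 op=0 RESULT tag=97 err=0 text=
slapd[2301]: conn=12 op=1 SRCH base="dc=thales,dc=be" scope=2 deref=0 filter="(uid=jdoe)"
slapd[2301]: conn=13 fd=15 ACCEPT from IP=127.0.0.1:40113 (IP=0.0.0.0:389)
slapd[2301]: conn=13 op=0 BIND dn="uid=samba,ou=Idmap,dc=thales,dc=be" method=128
slapd[2301]: conn=13 op=0 BIND dn="uid=samba,ou=Idmap,dc=thales,dc=be" mech=SIMPLE ssf=0
slapd[2301]: conn=13 op=0 RESULT tag=97 err=0 text=
slapd[2301]: conn=13 op=1 SRCH base="ou=Idmap,dc=thales,dc=be" scope=2 deref=0 filter="(objectClass=sambaIdmapEntry)"
slapd[2301]: conn=14 fd=16 ACCEPT from IP=127.0.0.1:40114 (IP=0.0.0.0:389)
slapd[2301]: conn=14 op=0 SRCH base="dc=thales,dc=be" scope=2 deref=0 filter="(objectClass=posixGroup)"
slapd[2301]: conn=15 fd=17 ACCEPT from IP=127.0.0.1:40115 (IP=0.0.0.0:389)
slapd[2301]: conn=15 op=0 BIND dn="uid=samba,ou=Idmap,dc=thales,dc=be" method=128
slapd[2301]: conn=15 op=0 RESULT tag=97 err=49 text=
slapd[2301]: conn=15 op=1 SRCH base="ou=Idmap,dc=thales,dc=be" scope=2 deref=0 filter="(sambaSID=*)"
'''

ACCEPT = re.compile(r'conn=(\d+) fd=\d+ ACCEPT from (\S+)')
BIND = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
BIND_RESULT = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)')
SRCH = re.compile(r'conn=(\d+) op=\d+ SRCH base="([^"]*)".* filter="(.*)"\s*$')


def anonymous_searches(log_text):
    """Map conn id -> (peer, [(base, filter), ...]) for searches sent unbound."""
    peer, pending, bound, hits = {}, {}, {}, {}
    for line in log_text.splitlines():
        if m := ACCEPT.search(line):
            peer[m[1]] = m[2]
        elif m := BIND.search(line):
            pending[(m[1], m[2])] = m[3]  # DN requested, not yet confirmed
        elif m := BIND_RESULT.search(line):
            dn = pending.pop((m[1], m[2]), "")
            bound[m[1]] = dn if m[3] == "0" else ""  # failed bind stays anonymous
        elif m := SRCH.search(line):
            if not bound.get(m[1]):  # empty bind DN, or no bind at all
                entry = hits.setdefault(m[1], (peer.get(m[1], "unknown"), []))
                entry[1].append((m[2], m[3]))
    return hits


if __name__ == "__main__":
    for conn, (who, searches) in anonymous_searches(SAMPLE_LOG).items():
        print(f"conn={conn} peer={who} searches={searches}")
```

The peer address and the search base and filter of each reported connection are what point back to the client component; the script itself does not name it.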

