[Samba] Re: Need help with IDMAP storage in LDAP using Winbind

Kristof Bruyninckx kristof.bruyninckx at thales-is.com
Fri Sep 30 11:10:46 GMT 2005


On Thu, 2005-09-29 at 17:36 +0200, paul kölle wrote:

> Kristof Bruyninckx wrote:
> > But still there are some new problems that popped up. wbinfo -u, wbinfo
> > -g and wbinfo -t still work.
> > Also getent passwd works, and shows me all the windows accounts, but it
> > is very slow; when starting this command the LDAP starts pumping a lot
> > of messages into /var/log/message. This in itself is not a real problem
> > since the debugging is turned to maximum.
> Logging slows things down. Additionally you might consider adding
> indexes for the relevant attributes to slapd.conf, shut down the ldap
> server, run slapindex and start again.

It was indeed the logging which was slowing me down so badly; I turned off
debugging and the system is very responsive now.

> > But even though getent passwd is working, I cannot perform id
> > <Windows.Username> nor login as that user.
> Hmm, I'd expect id should work for root as soon as getent works for
> root. Stop nscd if running. I'm sure you already read this:
> http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html
> You have set up pam_winbind, have you?
> > ldapsearch -x -b 'dc=thales,dc=be' '(objectclass=*)' also doesn't show me any entry, and
> > if I'm not mistaken it should display everything.
> No, this is an anonymous search and your ACLs do not grant anonymous
> read access. I don't know if that is a problem for nss_winbind though,
> try changing your last ACL to:

This also no longer gives me any problems, and displays all the users.

> access to *
>     by  dn.base="uid=samba,ou=Idmap,dc=thales,dc=be" write
>     by self write
>     by users read
>     by * read
> If that helps you will have to investigate which component uses
> anonymous binds and if that can be changed.
> cheers
>  Paul

But I have one more question. I configured an LDAP client, and on this
machine I can see all the normal NIS users, but I don't see any windows
users. This might sound stupid but this was how I expected it to
work. Sometimes it takes a while for the brain to catch a clue :).

Now my question would be: how to set up the client to use the mapping
stored in the LDAP server, if this is possible, since at the moment
I'm a bit confused. Do I have to perform this setup on every server to
unify SID to UID/GID mapping? Or how can I use the LDAP server I just
set up for this purpose? Sorry if this question is well documented
somewhere, but I haven't found anything yet, maybe because I was asking
the wrong questions.


Bruyninckx Kristof
Thales Services Division
GNU&Linux/Unix System Administrator / Test developer
Tel: 02/674.76.49.19
kristof.bruyninckx at thales-is.com
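As an added example (not configuration from either poster), the server-side pieces discussed in this thread together with the smb.conf settings a winbind domain member uses to read the shared SID to UID/GID table from LDAP; the Samba 3.0-era parameter names are real, while the domain name, LDAP host, index list and allocation ranges are assumptions:

```conf
# --- slapd.conf on the LDAP server (assumed fragment) ---
# Index the attributes winbind searches when resolving SID <-> uid/gid.
# After editing: stop slapd, run slapindex as the slapd user, start slapd.
index   objectClass   eq
index   sambaSID      eq
index   uidNumber     eq
index   gidNumber     eq

# ACL for the idmap subtree only: the account winbind binds with may write,
# everyone else (including anonymous, via "by * read") may read.
# Scoping the rule to ou=Idmap instead of "access to *" keeps the rest of
# the directory closed to anonymous clients. This rule must appear before
# any "access to *" rule, since slapd uses the first matching one.
access to dn.subtree="ou=Idmap,dc=thales,dc=be"
    by dn.base="uid=samba,ou=Idmap,dc=thales,dc=be" write
    by users read
    by * read

# --- smb.conf on every domain member that should share the mapping ---
[global]
    # assumed NT domain name
    workgroup = THALES
    security = domain
    # Keep the SID <-> uid/gid table in LDAP instead of the local
    # winbindd_idmap.tdb, so each member resolves a SID to the same id.
    # assumed LDAP host
    idmap backend = ldap:ldap://ldap.thales.be
    ldap suffix = dc=thales,dc=be
    # relative to "ldap suffix", i.e. ou=Idmap,dc=thales,dc=be
    ldap idmap suffix = ou=Idmap
    ldap admin dn = uid=samba,ou=Idmap,dc=thales,dc=be
    # assumed allocation ranges; must be identical on every member
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum users = yes
    winbind enum groups = yes
# Store the bind password for "ldap admin dn" once per member with:
#   smbpasswd -w <password>
```

Each domain member needs the same smb.conf idmap block and its own winbind and nss_winbind/pam_winbind setup; the LDAP server holds the mapping, but it does not make Windows users visible to a plain LDAP/NIS client.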
