[Samba] Re: Need help with IDMAP storage in LDAP using Winbind

Kristof Bruyninckx kristof.bruyninckx at thales-is.com
Fri Sep 30 14:20:02 GMT 2005

So basically the winbind has to be setup as usual, pointing to the PDC,
but instead of storing its SID/UID/GID locally, it will use the remote
SID-UID/GID mappings stored in the LDAP correct?

For example : 

On a system previously working just with winbind to resolve the SID to
UID/GID locally, I should just change the following to make it use the
remotely stored mappings :

        client system :

        log level = 6
        workgroup = THALES-IS
        realm = THALES-IS.BE
        server string = Samba Server
        security = ads
        password server =
        username map = /etc/opt/samba/smbusers
        log file = /var/log/samba/smbd.log
        max log size = 50000
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        #printcap name = /etc/printcap
        dns proxy = No
        ldap admin dn = uid=samba,ou=Idmap,dc=thales,dc=be
        ldap idmap suffix = ou= Idmap
        ldap suffix = dc=thales,dc=be
        # Our IDMAP LDAP we just setup.
        idmap backend = ldap:ldap://
        ldap ssl = no
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        encrypt passwords = yes

        winbind enum users = yes
        winbind enum groups = yes
        template shell = /bin/bash
        winbind separator = /
        winbind cache time = 10
        winbind use default domain = yes
        hosts allow = 192.168.1.

I ran the smbpasswd -w <MyverySecretPassword>, but still when I start
this I see in the smb log,
[2005/09/30 16:04:12, 0] lib/smbldap.c:smbldap_connect_system(751)
  ldap_connect_system: Failed to retrieve password from secrets.tdb
[2005/09/30 16:04:12, 1] lib/smbldap.c:another_ldap_try(951)
  Connection to LDAP server failed for the 3 try

Are there anymore changes I need to do in the ldap.conf on client side?

wbinfo -u, wbinfo -g work, and show me the users, but when I try
getent passwd, it just says in the logs cannot lookup domain user ... .
But ok, when it fails to authenticate this is supposed to be normal.

Also when performing id on one of the NIS users, this works nicely. The
link there to the LDAP is working.

On Fri, 2005-09-30 at 14:31 +0200, paul kölle wrote:

> Kristof Bruyninckx wrote:
> [snipp]
> > But I have one more question, I configured a LDAP client, and on this
> > machine I can see all the normal NIS users, but I don't see any windows
> > users. This might sound stupid but this was what how I expected it to
> > work. Sometimes it takes a while for the brain to catch a clue :).
> ;), if I recall your setup correctly you don't have the windows "users"
> in LDAP. They are coming from AD and nss_winbind makes them available
> for the OS. Idmap provides a means to share SID -> UID mappings across
> multiple servers. Something like:
> > 
> > Now my question would be, how to setup the client, to use the mapping
> > stored into the LDAP server. 
> This largely depends on the definition of "use".
> > If this is possible, since at the moment
> > I'm a bit confused. Do I have to perform this setup on every server to
> > Unify SID to UID/GID mapping. Or how can I use the LDAP server I just
> > setup for this purpose,
> For your samba servers you just point every member server to your
> ou=Idmap, ... branch. You *can* add another LDAP server as slave to add
> redundancy but that's another story.
> grz
>  Paul

Bruyninckx Kristof
Thales Services Division
GNU&Linux/Unix System Administrator / Test developer
Tel: 02/674.76.49.19
kristof.bruyninckx at thales-is.com
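As an added example that is not part of this thread, a small Python linter for the winbind idmap-in-LDAP parameters of an smb.conf [global] section, run over a constructed copy of the client configuration posted above; the checks are this example's own, not Samba's testparm.

```python
"""Added example, not from the thread: lint the idmap-in-LDAP settings of an
smb.conf [global] section. The checks are this example's own, not testparm's."""
import re

# Constructed sample mirroring the client configuration posted above.
SAMPLE_SMB_CONF = """
[global]
        security = ads
        ldap admin dn = uid=samba,ou=Idmap,dc=thales,dc=be
        ldap idmap suffix = ou= Idmap
        ldap suffix = dc=thales,dc=be
        idmap backend = ldap:ldap://
        ldap ssl = no
        idmap uid = 10000-20000
"""


def parse_global(text):
    """Map normalised parameter names to values for the [global] section.
    Names ignore case and whitespace; comments are whole lines only."""
    params, in_global = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"
            continue
        if in_global and "=" in line:
            key, value = line.split("=", 1)
            params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params


def lint_idmap_ldap(params):
    """Return human-readable findings for the winbind/LDAP idmap parameters."""
    findings = []
    url = re.match(r"ldap:(ldaps?://)([^/\s]*)", params.get("idmapbackend", ""))
    if url is None:
        findings.append("idmap backend is not an ldap: URL")
    elif not url.group(2):
        findings.append("idmap backend URL names no host; it falls back to the local LDAP server")
    if "ldapadmindn" not in params:
        findings.append("ldap admin dn missing; smbpasswd -w stores the bind password under it")
    for key in ("ldapsuffix", "ldapidmapsuffix", "ldapadmindn"):
        if re.search(r"=\s|\s=", params.get(key, "")):
            findings.append(f"{key} has whitespace around '=' in an RDN: {params[key]!r}")
    if url and url.group(1) == "ldap://" and params.get("ldapssl", "").lower() in ("no", "off"):
        findings.append("ldap ssl is off on a plain ldap:// URL; the admin bind goes over the wire in the clear")
    return findings
```

The password stored by smbpasswd -w is keyed in secrets.tdb by the ldap admin dn, so changing that DN afterwards without re-running smbpasswd -w leaves smbldap_connect_system unable to retrieve it.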
