[Samba] IDMAP difficulties
Thomas Werner
werner at esmt.org
Fri Sep 30 18:04:41 GMT 2005
hi,
can somebody explain how the idmap backend with LDAP works exactly?
sorry for the stupid questions, but the docs are not clear to me.
http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html#id2588292
i understand the idmap topic/difficulty and why i need this, but how does the
ldap get filled with idmap entries? automatically/dynamically while
winbind is running? or manually/statically if the user created it, maybe
"readonly"? or do i have to take care of it myself? because if i add
idmap backend = ldap:ldap://ldap1.foo.bla
ldap idmap suffix = ou=idmap
idmap uid = 10000-30000
idmap gid = 10000-30000
on the DC, nothing happens. the ou is still empty and the ldap log shows
something like
.......conn=41240 op=36 SRCH base="ou=idmap,...,dc=org" scope=1 filter="(objectClass=*)"
we have 3 samba domains with trusts over vpn, no problem, but now i
want to add a samba domain member server. i only got the server
running with nss/ldap. all my unix accounts are in ldap, groups
too. is it right that i need the ldap entry in nsswitch.conf too
and not only "passwd: files winbind"? i guess so, but winbind
always reports "group xy not found" if i connect to a share on the
domain member server.
is it possible to get idmap example configurations (smb.conf), one
for the samba DC with ldapsam and one for a samba domain member?
if i need to add the entries manually, can somebody explain the
following objectclasses, maybe with an ldif file (sambaIdmapEntry and
sambaUnixIdPool are clear, i guess):
objectclass ( 1.3.6.1.4.1.7165.2.2.9 NAME 'sambaSidEntry' SUP top STRUCTURAL
    DESC 'Structural Class for a SID'
    MUST ( sambaSID ) )
objectclass ( 1.3.6.1.4.1.7165.1.2.2.10 NAME 'sambaConfig' SUP top AUXILIARY
    DESC 'Samba Configuration Section'
    MAY ( description ) )
objectclass ( 1.3.6.1.4.1.7165.2.2.11 NAME 'sambaShare' SUP top STRUCTURAL
    DESC 'Samba Share Section'
    MUST ( sambaShareName )
    MAY ( description ) )
objectclass ( 1.3.6.1.4.1.7165.2.2.12 NAME 'sambaConfigOption' SUP top STRUCTURAL
    DESC 'Samba Configuration Option'
    MUST ( sambaOptionName )
    MAY ( sambaBoolOption $ sambaIntegerOption $ sambaStringOption $
          sambaStringListoption $ description ) )
objectclass ( 1.3.6.1.4.1.7165.2.2.13 NAME 'sambaPrivilege' SUP top AUXILIARY
    DESC 'Samba Privilege'
    MUST ( sambaSID )
    MAY ( sambaPrivilegeList ) )
because i need this for our free web based tool, which manages the
whole network (www.ideaweb.de/netmc.php)
and now my last question: is it possible to set up a network with the
following conditions if the idmap tables are on ldap?
the samba DC can always establish a connection to the ldap, to all
clients and to the samba domain member (additional fileserver).
the clients can reach both servers (dc and fileserver), but the
fileserver can not establish a connection to the pdc through the
firewall, nor to any clients, only to the ldap. we want a fileserver
with webdav/modperl (webdrive) to access the samba files, located in
an unsafe network (dmz).
many thanks for helping, thomas
sorry for my english =)
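On the question of what ends up under the idmap suffix: with "idmap backend = ldap", winbind stores one sambaIdmapEntry per SID it has mapped and keeps its next free uid/gid in a sambaUnixIdPool object. The script below is an added example (not from the original post or from Samba) that reads such a tree exported as LDIF and checks it against the "idmap uid"/"idmap gid" ranges quoted above; the LDIF sample, DNs and SIDs are constructed.

```python
import re
# Constructed sample (not from the original post) of what winbind writes under
# "ldap idmap suffix = ou=idmap": a sambaUnixIdPool holding the next free
# uid/gid, plus one sambaIdmapEntry per SID it has already mapped.
SAMPLE_LDIF = """\
dn: ou=idmap,dc=example,dc=org
objectClass: sambaUnixIdPool
uidNumber: 10001
gidNumber: 10000

dn: sambaSID=S-1-5-21-1111-2222-3333-1001,ou=idmap,dc=example,dc=org
objectClass: sambaIdmapEntry
sambaSID: S-1-5-21-1111-2222-3333-1001
uidNumber: 10000

dn: sambaSID=S-1-5-21-1111-2222-3333-1002,ou=idmap,dc=example,dc=org
objectClass: sambaIdmapEntry
sambaSID: S-1-5-21-1111-2222-3333-1002
uidNumber: 31000
"""
SID_RE = re.compile(r"^S-1-5-21(-\d+){4}$")  # domain SID plus one RID

def parse_ldif(text):
    """Minimal LDIF reader: one dict (attribute -> list of values) per entry."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for attr, _, value in (ln.partition(": ") for ln in block.splitlines()):
            entry.setdefault(attr, []).append(value)
        entries.append(entry)
    return entries

def check_idmap(ldif_text, uid_range=(10000, 30000), gid_range=(10000, 30000)):
    """Report ids outside the smb.conf 'idmap uid'/'idmap gid' ranges, one id
    mapped to two SIDs, malformed SIDs, and a pool counter that left its range."""
    ranges = {"uidNumber": uid_range, "gidNumber": gid_range}
    problems, owner = [], {attr: {} for attr in ranges}
    for e in parse_ldif(ldif_text):
        if not {"sambaUnixIdPool", "sambaIdmapEntry"} & set(e.get("objectClass", [])):
            continue  # unrelated object under the suffix
        sid = e.get("sambaSID", ["pool"])[0]  # the pool object carries no SID
        if sid != "pool" and not SID_RE.match(sid):
            problems.append(f"malformed SID {sid}")
        for attr, (lo, hi) in ranges.items():
            for val in map(int, e.get(attr, [])):
                if not lo <= val <= hi:
                    problems.append(f"{sid}: {attr} {val} outside {lo}-{hi}")
                if sid != "pool" and owner[attr].setdefault(val, sid) != sid:
                    problems.append(f"{sid}: {attr} {val} already mapped to {owner[attr][val]}")
    return problems
```

Run against an `ldapsearch -LLL -b ou=idmap,...` export, a pool counter reported as outside its range means the allocation range is exhausted, and a uid reported twice means two SIDs will resolve to the same unix identity on the member server.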