[Samba] IDMAP difficulties
werner at esmt.org
Fri Sep 30 18:04:41 GMT 2005
Can somebody explain how the idmap backend with LDAP works exactly?
Sorry for the stupid questions, but the documentation is not clear to me.
I understand the idmap topic/difficulty and why I need it, but how does
the LDAP get filled with idmap entries? Automatically/dynamically if
winbind is running? Or manually/statically, if the user created it maybe
"readonly"? Or do I have to take care of it myself? Because if I add
idmap backend = ldap:ldap://ldap1.foo.bla
ldap idmap suffix = ou=idmap
idmap uid = 10000-30000
idmap gid = 10000-30000
on the DC, nothing happens. The OU is still empty and the LDAP log shows
.......conn=41240 op=36 SRCH base="ou=idmap,...,dc=org" scope=1
We have 3 Samba domains with trusts over VPN, no problem, but now I
want to add a Samba domain member server. I got the server running
with nss/ldap only. All my Unix accounts are in LDAP, groups too.
Is it right that I need the ldap entry in nsswitch.conf too, and not
only "passwd: files winbind"? I guess so, but winbind always reports
"group xy not found" if I connect to a share on the domain member
server.
Is it possible to get idmap example configurations (smb.conf), one
for the Samba DC with ldapsam and one for a Samba domain member?
If I need to add the entry manually, can somebody explain the
following objectclasses, maybe with an LDIF file (sambaIdmapEntry and
sambaUnixIdPool are clear, I guess):
objectclass ( 188.8.131.52.4.1.7184.108.40.206 NAME 'sambaSidEntry' SUP top
DESC 'Structural Class for a SID'
MUST ( sambaSID ) )
objectclass ( 220.127.116.11.4.1.718.104.22.168.10 NAME 'sambaConfig' SUP top
DESC 'Samba Configuration Section'
MAY ( description ) )
objectclass ( 22.214.171.124.4.1.7126.96.36.199 NAME 'sambaShare' SUP top
DESC 'Samba Share Section'
MUST ( sambaShareName )
MAY ( description ) )
objectclass ( 188.8.131.52.4.1.7184.108.40.206 NAME 'sambaConfigOption' SUP
DESC 'Samba Configuration Option'
MUST ( sambaOptionName )
MAY ( sambaBoolOption $ sambaIntegerOption $
sambaStringListoption $ description ) )
objectclass ( 220.127.116.11.4.1.718.104.22.168 NAME 'sambaPrivilege' SUP top
DESC 'Samba Privilege'
MUST ( sambaSID )
MAY ( sambaPrivilegeList ) )
because I need this for our free web-based tool, which managed the
And now my last question: is it possible to set up a network with the
following conditions if the idmap tables are in LDAP?
The Samba DC can always establish a connection to the LDAP, to all
clients and to the Samba domain member (additional fileserver).
The clients can reach both servers (DC and fileserver), but the
fileserver cannot establish a connection to the PDC through the
firewall, nor to any clients, only to the LDAP. We want a fileserver
with WebDAV/mod_perl (WebDrive) to access the Samba files, located in
an unsafe network (DMZ).
Many thanks for helping, Thomas
Sorry for my English =)
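An added example, not from the poster or the Samba project: a small checker that parses an LDIF dump of the idmap OU and reports sambaIdmapEntry objects whose uidNumber/gidNumber falls outside the configured "idmap uid/gid = 10000-30000" range, or where two SIDs share one Unix id. The LDIF below is constructed sample data; the SIDs, the dc=example,dc=org suffix and the uidNumber/gidNumber attributes on sambaIdmapEntry are assumptions for the illustration.

```python
from collections import defaultdict

IDMAP_LOW, IDMAP_HIGH = 10000, 30000  # "idmap uid/gid = 10000-30000" from the post

# Constructed LDIF sample (not real data) of what a populated ou=idmap may hold
SAMPLE_LDIF = """\
dn: sambaSID=S-1-5-21-111-222-333-1001,ou=idmap,dc=example,dc=org
objectClass: sambaIdmapEntry
sambaSID: S-1-5-21-111-222-333-1001
uidNumber: 10000

dn: sambaSID=S-1-5-21-111-222-333-513,ou=idmap,dc=example,dc=org
objectClass: sambaIdmapEntry
sambaSID: S-1-5-21-111-222-333-513
gidNumber: 45000

dn: sambaSID=S-1-5-21-111-222-333-1003,ou=idmap,dc=example,dc=org
objectClass: sambaIdmapEntry
sambaSID: S-1-5-21-111-222-333-1003
uidNumber: 10000
"""

def parse_ldif(text):
    entries = []  # one {attribute: [values]} dict per blank-line-separated entry
    for block in text.strip().split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            attr, sep, value = line.partition(":")
            if sep:
                entry[attr.strip()].append(value.strip())
        entries.append(entry)
    return entries

def check_idmap(entries, low=IDMAP_LOW, high=IDMAP_HIGH):
    """Return problem strings: ids outside the idmap range, or one id owned by several SIDs."""
    problems, owners = [], defaultdict(list)
    for e in entries:
        if "sambaIdmapEntry" not in e.get("objectClass", []):
            continue  # skip the sambaUnixIdPool counter and anything else in the OU
        sid = e["sambaSID"][0]
        for attr in ("uidNumber", "gidNumber"):
            for raw in e.get(attr, []):
                num = int(raw)
                if not low <= num <= high:
                    problems.append(f"{sid}: {attr} {num} outside {low}-{high}")
                owners[(attr, num)].append(sid)
    for (attr, num), sids in owners.items():
        if len(sids) > 1:
            problems.append(f"{attr} {num} shared by {', '.join(sids)}")
    return problems
```

Run it against `ldapsearch -LLL -b ou=idmap,... objectClass=sambaIdmapEntry` output to see whether the winbind-created mappings stay within the range smb.conf declares.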