[Samba] IDMAP difficulties

Thomas Werner werner at esmt.org
Fri Sep 30 18:04:41 GMT 2005


Can somebody explain how the idmap backend with LDAP works exactly?
Sorry for the stupid questions, but the documentation is not clear to me.


I understand the idmap topic/difficulty and why I need it, but how does the
LDAP get filled with idmap entries? Automatically/dynamically while
winbind is running? Or manually/statically, if the created user is maybe
"readonly"? Or do I have to take care of it myself? Because if I add

idmap backend = ldap:ldap://ldap1.foo.bla
ldap idmap suffix = ou=idmap
idmap uid = 10000-30000
idmap gid = 10000-30000

on the DC, nothing happens. The OU is still empty and the LDAP log shows
something like

.......conn=41240 op=36 SRCH base="ou=idmap,...,dc=org" scope=1  

We have 3 Samba domains with trusts over VPN, no problem, but now I
want to add a Samba domain member server. I only got the server
running with nss/ldap. All my Unix accounts are in LDAP, groups
too. Is it right that I need the ldap entry in nsswitch.conf too,
and not only "passwd:         files winbind"? I guess so, but winbind
always reports "group xy not found" if I connect to a share on the
domain member server.

Is it possible to get idmap example configurations (smb.conf), one
for the Samba DC with ldapsam and one for a Samba domain member?

If I need to add the entry manually, can somebody explain the
following objectclasses, maybe with an LDIF file (sambaIdmapEntry and
sambaUnixIdPool are clear, I guess):

objectclass ( NAME 'sambaSidEntry' SUP top  
         DESC 'Structural Class for a SID'
         MUST ( sambaSID ) )

objectclass ( NAME 'sambaConfig' SUP top  
         DESC 'Samba Configuration Section'
         MAY ( description ) )

objectclass ( NAME 'sambaShare' SUP top  
         DESC 'Samba Share Section'
         MUST ( sambaShareName )
         MAY ( description ) )

objectclass ( NAME 'sambaConfigOption' SUP top
         DESC 'Samba Configuration Option'
         MUST ( sambaOptionName )
         MAY ( sambaBoolOption $ sambaIntegerOption $ sambaStringOption $
               sambaStringListoption $ description ) )

objectclass ( NAME 'sambaPrivilege' SUP top  
         DESC 'Samba Privilege'
         MUST ( sambaSID )
         MAY ( sambaPrivilegeList ) )

because I need this for our free web-based tool, which manages the
whole network.

And now my last question: is it possible to set up a network with the
following conditions if the idmap tables are in LDAP?
The Samba DC can always establish a connection to the LDAP server, to all
clients and to the Samba domain member (additional file server).
The clients can reach both servers (DC and file server), but the
file server cannot establish a connection to the PDC through the
firewall, or to any clients, only to the LDAP server. We want a file server
with WebDAV/mod_perl (WebDrive) to access the Samba files, located in
an unsafe network (DMZ).

Many thanks for helping, Thomas

Sorry for my English =)

