[Samba] Multiple Clients, Winbind and idmap in LDAP, documentation incorrect?

Erik Forsberg forsberg at cendio.se
Wed May 17 13:15:33 GMT 2006


I have a setup with several Linux machines running
samba-3.0.22-10.1.17 (from SuSE 10 OSS), authenticating against an
AD. Since one of the machines is exporting an NFS share mounted by
the rest of the machines, I need SID <-> uid/gid mapping to be shared
between all Linux machines, which led me into using an OpenLDAP server
as idmap backend. My smb.conf is found at the end of this mail.

I got this working, but several questions were raised during

*) The documentation, more specifically chapter 13 in the official
 howto, doesn't seem to cover this kind of setup. Both "IDMAP Storage
 in LDAP Using Winbind" and "IDMAP and NSS Using LDAP from ADS with
 RFC2307bis Schema Extension" talk about using nss_ldap to fetch
 account information.

 This doesn't work very well in my kind of setup, for several
 reasons. First, the LDAP database isn't populated with all users
 automatically, but only "on demand". You have to ask for a user via
 NSS in order to populate the idmap with that user's SID <-> uid/gid
 mapping. Also, since there is no posixAccount/posixGroup information
 added, nss_ldap won't find any users. 

 Either the documentation is not written for my kind of setup, or it's
 just plain wrong. I'm a little bit confused on what kind of setup the
 documentation in question is written for.

*) Even though I use ldap as idmap backend, it seems like
 /var/lib/samba/winbindd_idmap.tdb is still used. Running 'net idmap
 dump /var/lib/samba/winbindd_idmap.tdb' reveals that entries that I've
 asked for with 'getent passwd <username>' or 'getent group
 <groupname>' are stored in the .tdb. Is this intended behaviour, and
 if so, why? 

 If I for some reason decide I want to wipe out my entire idmap
 mapping, do I have to remove not only the data in LDAP, but also the
 winbindd_idmap.tdb on each server?

*) Mapping of numerical user id to username and numerical group id to
 groupname seems to work only for users/groups that have been asked
 for using the username as key in NSS on the same server. This is
 confusing in my setup, since one of the machines is exporting an NFS
 share with home directories to the other machines.

 For example, if a user has been logged in to machine1 but not to
 machine2, doing an 'ls /home' on machine2 will not list the username
 owning the home directory of the user, but instead the numerical id
 of the user. 

 In this case, I would expect winbind to try to search the LDAP
 backend for the uidNumber, find the SID added when the user logged in
 to machine1, and then look up the username in the AD. Perhaps there's
 a good reason this doesn't happen?

-- begin smb.conf --
        idmap uid = 10000-50000
        idmap gid = 10000-50000
        template shell = /bin/bash
        winbind separator = +
        winbind use default domain = true
        winbind enum groups = yes
        winbind enum users = yes
        workgroup = UTB
        security = ads
        realm = utb.example.com
        password server = *
        wins server =
#       client use spnego = yes
        encrypt passwords = yes
#       client schannel = no
#       disable netbios = yes

idmap backend = ldap:ldap://tl1.utb.example.com
ldap admin dn = cn=manager,ou=idmap
ldap suffix = ou=idmap
-- end smb.conf --

Erik Forsberg                OpenSource-based Thin Client Technology
Systems Analyst/Developer    Phone: +46-13-21 46 00    
Cendio AB    	             Web: http://www.cendio.com
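
An added example, not part of the original post: one way to check whether the per-host winbindd_idmap.tdb caches agree with each other is to save each host's 'net idmap dump' output and compare them. The dump line format ("UID <id> <SID>" / "GID <id> <SID>"), the SIDs, and the sample data are assumptions constructed for illustration; the host names follow the post's machine1/machine2.

```python
import re
from collections import defaultdict

# Assumed `net idmap dump` line format: "UID <id> <SID>" or "GID <id> <SID>".
# Any other line (high-water marks, blanks) is skipped.
ENTRY = re.compile(r"^(UID|GID)\s+(\d+)\s+(S-1-[0-9-]+)$")

def parse_dump(text):
    """Return {(kind, sid): unix_id} for one host's dump."""
    mapping = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            mapping[(m.group(1), m.group(3))] = int(m.group(2))
    return mapping

def compare_hosts(dumps):
    """dumps: {host: dump text}. Report where the hosts disagree."""
    per_host = {host: parse_dump(text) for host, text in dumps.items()}
    by_sid = defaultdict(dict)   # (kind, sid) -> {host: unix_id}
    by_id = defaultdict(set)     # (kind, unix_id) -> {sid, ...}
    for host, mapping in per_host.items():
        for (kind, sid), unix_id in mapping.items():
            by_sid[(kind, sid)][host] = unix_id
            by_id[(kind, unix_id)].add(sid)
    hosts = set(per_host)
    return {
        # One SID mapped to different ids on different hosts.
        "conflicts": {k: v for k, v in by_sid.items() if len(set(v.values())) > 1},
        # One id claimed by different SIDs: NFS ownership differs per host.
        "collisions": {k: sorted(v) for k, v in by_id.items() if len(v) > 1},
        # SID present in some hosts' dumps only.
        "missing": {k: sorted(hosts - set(v)) for k, v in by_sid.items() if hosts - set(v)},
    }

# Constructed sample dumps (made-up SIDs), one per host.
MACHINE1 = """USER HWM 10002
GROUP HWM 10001
UID 10000 S-1-5-21-1111-2222-3333-1105
UID 10001 S-1-5-21-1111-2222-3333-1106
GID 10000 S-1-5-21-1111-2222-3333-513
"""
MACHINE2 = """UID 10000 S-1-5-21-1111-2222-3333-1105
UID 10001 S-1-5-21-1111-2222-3333-1107
GID 10001 S-1-5-21-1111-2222-3333-513
"""

if __name__ == "__main__":
    for section, items in compare_hosts({"machine1": MACHINE1, "machine2": MACHINE2}).items():
        print(section, items)
```

An empty "conflicts" and "collisions" result means no two hosts would present the same file on the NFS share under different owners; "missing" lists mappings that only some hosts have recorded.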
