[Samba] Questions about the new idmap interface

simo idra at samba.org
Tue Sep 11 13:40:31 GMT 2007


On Tue, 2007-09-11 at 14:39 +0200, Marc Muehlfeld wrote:
> Hi,
> 
> I tried to configure the new idmap interface. Currently without much success.
> 
> I have two samba domains, trusting each other. Each PDC using its own LDAP 
> server. I tried
> 
>          idmap domains = DOM1, DOM2
>          idmap config DOM1:default = yes
>          idmap config DOM1:backend  = ldap
>          idmap config DOM1:ldap_base_dn = ou=Idmap,dc=dom1,dc=mydomain,dc=de
>          idmap config DOM1:ldap_url = ldap://192.168.0.1
>          idmap config DOM1:range  = 10000 - 20000
>          idmap alloc backend = ldap
-----------^^^^^^^^^^^^^^^^^^^^^^^^^^
this is not enough, you have to explicitly configure the alloc backend
For example:
  idmap alloc config:ldap_base_dn = ou=Idmap,dc=dom1,dc=mydomain,dc=de
  idmap alloc config:ldap_user_dn = <the privileged user dn>
  idmap alloc config:ldap_url = ldap://192.168.0.1
  idmap alloc config:range = 10000-20000


>          idmap config DOM2:default = no
>          idmap config DOM2:backend = ldap
>          idmap config DOM2:ldap_base_dn = ou=Idmap,dc=dom2,dc=mydomain,dc=de
>          idmap config DOM2:ldap_url = ldap://192.168.1.1
>          idmap config DOM2:range = 10000 - 20000
> 
>          idmap uid = 10000-20000
>          idmap gid = 10000-20000

no need to add these if you use the new options

>          winbind separator = +
>          winbind enum users = yes
>          winbind enum groups = yes
>          template homedir = /home/%U
>          template shell = /bin/false
>          winbind nested groups = yes
>          winbind cache time = 300
>          winbind nss info = template
>          winbind use default domain = yes
> 
> But then I have the problem, that samba used the "ldap admin dn" account and 
> password for both LDAP servers, but each has its own. How can I configure a 
> second password for my trusted domain?

you have to specify the ldap_user_dn option for each domain and then use
net idmap secret

In your case probably

net idmap secret DOM1 <secret1>
net idmap secret alloc <secret1>
net idmap secret DOM2 <secret2>

However if you read the man pages for idmap_ldap you will find all this
information.

> Is there any useful documentation, best would be with different samples, of 
> the new idmap interface? The manpage didn't help me much for understanding this.

Maybe because you didn't read the actually relevant man page:
man idmap_ldap

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: idra at samba.org
http://samba.org
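An added check, not part of this thread or of Samba itself, that parses the idmap lines of an smb.conf and reports the gaps Simo points out above: a per-domain ldap backend without ldap_user_dn, an `idmap alloc backend = ldap` with no `idmap alloc config:` settings, and leftover `idmap uid`/`idmap gid` lines. The option names and the constructed SAMPLE follow the poster's config; which keys count as required is an assumption taken from this reply, not from the idmap_ldap man page.

```python
import re

# Keys assumed required for each ldap idmap backend (per-domain and alloc);
# ldap_user_dn is the bind DN whose password `net idmap secret <DOM|alloc>` stores.
LDAP_KEYS = ("ldap_base_dn", "ldap_url", "ldap_user_dn", "range")

# Constructed sample shaped like the poster's config: no ldap_user_dn, no alloc config.
SAMPLE = """
  idmap domains = DOM1, DOM2
  idmap config DOM1:backend  = ldap
  idmap config DOM1:ldap_url = ldap://192.168.0.1
  idmap config DOM1:range  = 10000 - 20000
  idmap alloc backend = ldap
  idmap config DOM2:backend = ldap
  idmap config DOM2:range = 10000 - 20000
  idmap uid = 10000-20000
"""

def parse_idmap(conf):
    # Returns (domains, {DOM: {opt: val}}, {alloc opt: val}, [legacy keys seen]).
    domains, cfg, alloc, legacy = [], {}, {}, []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, _, val = (s.strip() for s in line.partition("="))
        key = re.sub(r"\s+", " ", key).lower()          # smb.conf keys are case-insensitive
        if key == "idmap domains":
            domains = [d.strip().upper() for d in val.split(",")]
        elif key == "idmap alloc backend":
            alloc["backend"] = val
        elif key.startswith("idmap alloc config:"):
            alloc[key.split(":", 1)[1]] = val
        elif key.startswith("idmap config "):
            dom, _, opt = key[len("idmap config "):].partition(":")
            cfg.setdefault(dom.upper(), {})[opt] = val
        elif key in ("idmap uid", "idmap gid"):
            legacy.append(key)
    return domains, cfg, alloc, legacy

def lint_idmap(conf):
    # Returns a list of problems; an empty list means nothing was flagged.
    domains, cfg, alloc, legacy = parse_idmap(conf)
    problems = []
    for dom in domains:                              # each domain using the ldap backend
        opts = cfg.get(dom, {})
        if opts.get("backend") == "ldap":
            problems += [f"idmap config {dom}:{k} missing" for k in LDAP_KEYS if k not in opts]
    if alloc.get("backend") == "ldap":              # the alloc backend needs its own settings
        problems += [f"idmap alloc config:{k} missing" for k in LDAP_KEYS if k not in alloc]
    problems += [f"{k} is redundant with the idmap config ...:range settings" for k in legacy]
    return problems
```

Running `lint_idmap(SAMPLE)` lists ten problems for the sample; a config carrying ldap_user_dn for both domains and a full `idmap alloc config:` block, with the idmap uid line removed, yields an empty list.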
