[Samba] Questions about the new idmap interface

simo idra at samba.org
Tue Sep 11 18:31:32 GMT 2007

On Tue, 2007-09-11 at 17:09 +0200, Marc Muehlfeld wrote:
> For me it was very confusing for my trusted domain environment. Currently I'm
> not sure if I really need the two idmap configs. I just have the problem that
> I can't connect from a DOM2 workstation to a share on a MemberServer of DOM1.
> On this share I set up "valid users = +"DOM1\Group1" +"DOM2\Group2".
> Connections from DOM1 workstations are fine (if I'm in Group1), but not from
> DOM2 (if I'm a member of DOM2\Group2). It seems the group of the remote domain
> is searched inside the LDAP of DOM1 (why isn't winbind just getting the
> information from the responsible DC?).
> [2007/09/11 17:02:57, 5] lib/smbldap.c:smbldap_search_ext(1182)
>    smbldap_search_ext: base => [ou=Groups,dc=dom1,dc=mydomain,dc=de], filter => [(&(objectClass=sambaGroupMapping)(|(displayName=TestGroup)(cn=TestGroup)))], scope => [2]
> [2007/09/11 17:02:57, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2235)
>    ldapsam_getgroup: Did not find group

This specific error is not IDMAP related.
This is smbd trying to find the group in its SAM (which happens to be on
LDAP as well). Are you sure you have a trust with DOM2?
If so can you please provide the full file log, as before this call
there may be useful information.


Simo Sorce
Samba Team GPL Compliance Officer
email: idra at samba.org
