[Samba] Samba / LDAP / Idmap

John Drescher drescherjm at gmail.com
Mon Apr 14 13:22:22 GMT 2008

On Sun, Apr 13, 2008 at 10:23 PM, Anand Kumria <wildfire at progsoc.org> wrote:
>  Hi,
>  This is probably documented somewhere very obvious but I do not seem to
>  be able to find it.
>  Many years ago I configured my Samba server with an LDAP backend. I also
>  put in the parameter 'ldap idmap suffix = ou=Idmap' in my smb.conf file
>  too as per:
>  <http://au1.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html#id2571568>
>  Amazingly enough I now have to add two more members servers, checking via
>  GQ I see that the ou=Idmap tree is actually empty.
>  Should it be?
>  If not, how can I -- is there a way, even -- have it populated with the
>  existing Idmaps? My users are able to login to their machines perfectly
>  fine (everything is run via LDAP).

For a samba 3.0.28a member server using domain security and ldap and
winbind enabled I had the same problem a few weeks ago and it ended up
preventing my acls from working correctly. Basically after adding acls
in windows xp they would be removed after applying. There would be an
error in the samba logs. Something like could not allocate a UID or
GID. I checked my ldap and the idmap tree was completely empty. So I
decided to see if I could tell the format of what belongs in there and
if I entered it would that fix the problem. I googled for a while and
found a Red Hat doc that showed a slapcat with idmap entries. I then
added the entry for a test user via slapadd and then I added the user
to an acl in windows and clicked accept and it took. So I looked
deeper into the error and I found the two wbinfo allocate calls fail:

# wbinfo --allocate-uid
Could not allocate a uid

# wbinfo --allocate-gid
Could not allocate a gid

but most other wbinfo stuff works ( -u -g -t ...)

So at this point I set my winbind to use tdbsam and then I restarted
samba and sure enough the properties tab of XP worked as expected. At
that point I found a tool that would dump what was in a .tdb file and
I wrote a shell script to populate the ldap with that. I am sorry I am
not more specific but I am not at work and I did this stuff over a
month ago. Anyways after populating the idmap tree from the .tdb file
(in /var/cache/samba/) my acls work in XP for all users and groups
that are in the tree. I switched back to using ldap to store winbind
data because this is by no means the only samba server on our network.
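The post describes dumping the winbind idmap .tdb and scripting the ou=Idmap population. As an added example (not the poster's script), the Python below turns a constructed tdbdump-style listing into LDIF for sambaIdmapEntry objects plus the sambaUnixIdPool that the failing wbinfo --allocate-uid/gid calls draw from, and refuses to emit anything when a SID or unix id is mapped twice. The dump layout, the ou=Idmap,dc=example,dc=com suffix and the "next free id = highest used + 1" rule are assumptions.

```python
import re
from collections import defaultdict
# Constructed sample in tdbdump style for winbindd_idmap.tdb (assumption: the
# real dump layout may differ; only the key/data lines matter here).
SAMPLE_DUMP = '''\
{
key(8) = "UID 1000"
data(47) = "S-1-5-21-1111111111-2222222222-3333333333-1001\\00"
}
{
key(8) = "GID 1000"
data(46) = "S-1-5-21-1111111111-2222222222-3333333333-513\\00"
}
'''
REC_RE = re.compile(r'key\(\d+\) = "(.*)"\n\s*data\(\d+\) = "(.*)"')

def parse_dump(text):
    """[(kind, number, sid)] from 'UID n'/'GID n' records; reverse and HWM records skipped."""
    out = []
    for key, data in REC_RE.findall(text):
        kind, _, num = key.partition(" ")
        if kind in ("UID", "GID") and num.isdigit():
            out.append((kind.lower(), int(num), data.replace("\\00", "")))
    return out

def check_consistency(mappings):
    # A SID mapped to two ids, or one id to two SIDs, hands a user someone else's files.
    by_sid, by_id = defaultdict(set), defaultdict(set)
    for kind, num, sid in mappings:
        by_sid[sid].add((kind, num))
        by_id[(kind, num)].add(sid)
    dups = [k for k, v in list(by_sid.items()) + list(by_id.items()) if len(v) > 1]
    if dups:
        raise ValueError("ambiguous idmap entries: %r" % dups)

def entries_ldif(mappings, suffix):
    # One sambaIdmapEntry per mapping, DN sambaSID=<sid>,<suffix>; loadable with slapadd/ldapadd.
    check_consistency(mappings)
    return "\n".join(
        "dn: sambaSID=%s,%s\nobjectClass: sambaIdmapEntry\nobjectClass: sambaSidEntry\n"
        "sambaSID: %s\n%sNumber: %d\n" % (sid, suffix, sid, kind, num)
        for kind, num, sid in mappings)

def pool_ldif(mappings, suffix):
    # ldapmodify record making the suffix entry the sambaUnixIdPool (next id = highest used + 1).
    nxt = {k: max([n for kk, n, _ in mappings if kk == k] or [999]) + 1 for k in ("uid", "gid")}
    return ("dn: %s\nchangetype: modify\nadd: objectClass\nobjectClass: sambaUnixIdPool\n-\n"
            "add: uidNumber\nuidNumber: %d\n-\nadd: gidNumber\ngidNumber: %d\n"
            % (suffix, nxt["uid"], nxt["gid"]))
```

Load the entries first and the pool record afterwards with ldapmodify, then re-run the two wbinfo allocate calls to confirm the pool is found.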
