[Samba] IDMAP: migrating from a single PDC to a PDC and some Member Servers

casfre at gmail.com casfre at gmail.com
Fri Feb 22 20:47:22 GMT 2008


     I am migrating a Samba 3.0.28 (Slackware 12.0) installation that is a
single PDC to a PDC with domain members and/or a BDC.

    This single PDC is plugged into a central switch, and I have a lot of
computer rooms in different Ethernet segments, all of them using
switches and routers to reach this PDC. (Something like this: PDC ->
central switch -> router -> switch -> workstations.)

    Motivations: (phase 1) distribute the load of authentication; (phase
2) distribute the load of roaming profiles; (phase 3) distribute the
load of home directories.

    I am using (now) OpenLDAP, smbldap-tools, PADL nss_ldap and nscd.
(There are some issues with WXP workstations, but they are for another
email.)

    Everybody is authenticating from Windows (WXP) and all my users
are in LDAP. Every user has their own roaming profile and their own home
dir. Everything is on the PDC, which runs smbd and nmbd, and NFS for
some Linux workstations.

    Well, rereading the manuals (official docs), I have had some doubts
about idmap (for a while).

    In my situation now (a single PDC), I don't need idmap
translation, because Samba will get the UID/GID from LDAP and because
there is just one server. Is that right?
    (This PDC is using the values idmap uid = 10000-20000 and idmap
gid = 10000-20000.)

    I have (now) more than 16000 uids in the LDAP database (some were
excluded). So, if I need idmap, the 10000-20000 range would not be
enough, right?

    What consequences will result if I change (now) idmap uid from the
default value to, let's say, 10000000-20000000? Will existing
users have problems with their file permissions? Do I have to change it
(now)?

    I am stuck. :-|

    To migrate to PDC/BDC/domain members or to PDC/domain members,
will it be enough just to set all PDC/BDC/domain members to use the same
LDAP database, all using nss_ldap/nscd, __without__ winbind?

    I mean, all servers will use the same LDAP (I know I can have
slave LDAP servers). I know I will have to change smb.conf to give
each server the correct role in the structure. I have already seen
references in the docs about this issue.

    In this context, will I need idmap to translate SID/UID/GID, or
will using the same LDAP with nss_ldap be enough?

    I am stuck on it. Could somebody give me some directions to help
me take the next step?

    Thank you.

Best regards,
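The question above about whether the existing 10000-20000 idmap range collides with the uidNumber/gidNumber values already allocated in LDAP is one that can be checked mechanically before anything is changed. The script below is an added example, not code from the original post or from the Samba project: it parses the `idmap uid` / `idmap gid` lines out of an smb.conf fragment, collects the `uidNumber` / `gidNumber` values from an LDIF export of the directory, and reports every entry whose id falls inside the idmap pool (the pool winbind draws from for SIDs that have no posixAccount/posixGroup entry, so ids already assigned in LDAP or NSS should not sit inside it). Both the smb.conf fragment and the LDIF are constructed sample inputs; in practice the LDIF would come from an `ldapsearch` export of the People and Groups subtrees. It also evaluates a candidate replacement range (the 10000000-20000000 range mentioned in the post) against the same data.

```python
"""Check a Samba 3 idmap range against ids already allocated in LDAP.

Added example (not from the original post or the Samba project).
Assumptions: smb.conf carries "idmap uid = lo-hi" / "idmap gid = lo-hi"
lines, and the directory export is LDIF with uidNumber/gidNumber
attributes. Both inputs below are constructed samples.
"""
import re
from typing import Dict, List, Tuple

# Constructed smb.conf fragment (the range values quoted in the post).
SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    passdb backend = ldapsam:ldap://ldap.example.invalid
    idmap uid = 10000-20000
    idmap gid = 10000-20000
"""

# Constructed LDIF export: two accounts and one group.
LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=invalid
objectClass: posixAccount
uidNumber: 1000
gidNumber: 513

dn: uid=bob,ou=People,dc=example,dc=invalid
objectClass: posixAccount
uidNumber: 15042
gidNumber: 513

dn: cn=students,ou=Groups,dc=example,dc=invalid
objectClass: posixGroup
gidNumber: 10500
"""

RANGE_RE = re.compile(r"^\s*idmap\s+(uid|gid)\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
                      re.IGNORECASE | re.MULTILINE)


def parse_idmap_ranges(conf: str) -> Dict[str, Tuple[int, int]]:
    """Return {'uid': (lo, hi), 'gid': (lo, hi)} from an smb.conf text."""
    return {kind.lower(): (int(lo), int(hi))
            for kind, lo, hi in RANGE_RE.findall(conf)}


def parse_ldif_ids(ldif: str) -> Dict[str, List[Tuple[str, int]]]:
    """Collect (dn, number) pairs for every uidNumber and gidNumber seen."""
    ids: Dict[str, List[Tuple[str, int]]] = {"uid": [], "gid": []}
    dn = "<no dn>"
    for line in ldif.splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
        elif line.startswith("uidNumber:"):
            ids["uid"].append((dn, int(line.split(":", 1)[1])))
        elif line.startswith("gidNumber:"):
            ids["gid"].append((dn, int(line.split(":", 1)[1])))
    return ids


def overlaps_for_range(kind: str, lo: int, hi: int,
                       ids: Dict[str, List[Tuple[str, int]]]) -> List[Tuple[str, int]]:
    """Entries of the given kind whose id lies inside [lo, hi]."""
    return [(dn, n) for dn, n in ids[kind] if lo <= n <= hi]


def find_overlaps(ranges: Dict[str, Tuple[int, int]],
                  ids: Dict[str, List[Tuple[str, int]]]) -> Dict[str, List[Tuple[str, int]]]:
    """Overlaps for every idmap range found in the configuration."""
    return {kind: overlaps_for_range(kind, lo, hi, ids)
            for kind, (lo, hi) in ranges.items()}


def pool_size(lo: int, hi: int) -> int:
    """Number of ids an inclusive idmap range can hand out."""
    return hi - lo + 1


def report(conf: str = SMB_CONF, ldif: str = LDIF,
           candidate: Tuple[int, int] = (10000000, 20000000)) -> Dict[str, List[Tuple[str, int]]]:
    """Print a human-readable summary and return the current overlaps."""
    ranges = parse_idmap_ranges(conf)
    ids = parse_ldif_ids(ldif)
    current = find_overlaps(ranges, ids)
    for kind, (lo, hi) in ranges.items():
        print(f"idmap {kind} = {lo}-{hi}: pool of {pool_size(lo, hi)} ids, "
              f"{len(current[kind])} existing LDAP {kind}s inside it")
        for dn, n in current[kind]:
            print(f"    COLLISION {kind}Number {n}: {dn}")
        clash = overlaps_for_range(kind, candidate[0], candidate[1], ids)
        print(f"    candidate {candidate[0]}-{candidate[1]}: "
              f"{len(clash)} collisions")
    return current


if __name__ == "__main__":
    report()
```

Run on the constructed data it flags `bob` (uidNumber 15042) and `students` (gidNumber 10500) as sitting inside the current pool, and shows the candidate 10000000-20000000 range as clear of every id in the export. The regex deliberately tolerates spaces around `=` and `-`, since smb.conf is whitespace-insensitive there; the LDIF parser only needs `dn:`, `uidNumber:` and `gidNumber:`, so a full `ldapsearch -LLL` dump works as input without further processing.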


