[Samba] Idmapping problem on member server

Martin Werthmoeller mw at lw-systems.de
Thu Jan 10 15:04:47 GMT 2008


Dear Samba Users,

I've got a problem with the ID mapping in a Samba (3.0.22 / Ubuntu 
Dapper) setup with an LDAP backend. I do the following:

1. Access a Samba share on a Samba member server from a Windows client
2. Set an ACL entry for a group of the domain.

The group exists in the LDAP backend as a Samba group, but the member 
server will create an idmap entry for this group. The ACL entry on the 
underlying filesystem will be created with the newly created idmap gid.

If I do the same with a file on a share of the domain controller, 
everything works as expected. On the filesystem, the ACL entry will be 
created with the correct group id.

I looked at the LDAP logfile and saw the following:

The domain controller searches for the group entry in the LDAP backend, 
and it is found. But the member server searches only for idmap entries 
in LDAP. As it finds no entry for the group, it creates one.

Where is my configuration mistake?

* global section of smb.conf on DC

[global]
     workgroup = LWLAB

     domain logons = yes
     domain master = yes
     preferred master = yes
     security = user

     passdb backend = ldapsam:ldap://127.0.0.1
     ldap suffix = dc=lwlab,dc=de
     ldap admin dn = cn=sambaadmin,dc=lwlab,dc=de
     ldap user suffix = ou=Users
     ldap group suffix = ou=Groups
     ldap machine suffix = ou=Computers
     ldap idmap suffix = ou=Idmap
     #ldap idmap suffix = ou=Users
     ldap passwd sync = yes
     ldap delete dn = Yes

     obey pam restrictions = no

     idmap backend = ldap:ldap://192.168.5.11
     idmap uid = 15000-20000
     idmap gid = 15000-20000

     passwd program = /usr/sbin/smbldap-passwd %u
     passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
     add user script = /usr/sbin/smbldap-useradd -m "%u"
     delete user script = /usr/sbin/smbldap-userdel "%u"
     add machine script = /usr/sbin/smbldap-useradd -w "%u"
     add group script = /usr/sbin/smbldap-groupadd -p "%g"
     delete group script = /usr/sbin/smbldap-groupdel "%g"
     add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
     delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
     set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"

     wins support = yes
* global section of smb.conf on member server

[global]
     workgroup = LWLAB
     netbios name = fileserv
     security = domain

     wins server = 192.168.5.11
     password server = 192.168.5.11

     ldap suffix = dc=lwlab,dc=de
     ldap admin dn = cn=sambaadmin,dc=lwlab,dc=de
     ldap user suffix = ou=Users
     ldap group suffix = ou=Groups
     ldap machine suffix = ou=Computers

     idmap backend = ldap:ldap://192.168.5.11
     ldap idmap suffix = ou=Idmap
     idmap uid = 15000-20000
     idmap gid = 15000-20000


Best regards,
Martin Werthmoeller
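The symptom described above (a domain group that already carries a gidNumber under ou=Groups, yet gets a second, freshly allocated gid under ou=Idmap from the member server's idmap range) can be checked directly against the LDAP data. The following script is an added example and not part of the mailing-list post: it reads an LDIF dump of the kind `ldapsearch -x -LLL -b dc=lwlab,dc=de` produces, pairs every sambaGroupMapping entry with any sambaIdmapEntry for the same sambaSID, and reports the SIDs where the two gids disagree. The LDIF sample embedded in the script is constructed for illustration (the domain SID component is a made-up placeholder); the object classes and attribute names are the ones the standard Samba 3 LDAP schema uses, and the 15000-20000 range is the `idmap gid` range from the configurations above.

```python
"""Cross-check Samba group mappings against idmap allocations in LDAP.

Added example (not from the original post).  Flags SIDs that resolve to one
gidNumber via sambaGroupMapping and to a different gidNumber via a
sambaIdmapEntry, which is what a member server allocating its own idmap gid
for an existing domain group leaves behind in the directory.
"""
import base64
from typing import Dict, List

# Constructed LDIF dump standing in for real `ldapsearch -x -LLL` output.
# "S-1-5-21-111-222-333" is an obviously made-up domain SID placeholder.
SAMPLE_LDIF = """\
dn: cn=lab-users,ou=Groups,dc=lwlab,dc=de
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: lab-users
gidNumber: 1003
sambaSID: S-1-5-21-111-222-333-3007
sambaGroupType: 2

dn: sambaSID=S-1-5-21-111-222-333-3007,ou=Idmap,dc=lwlab,dc=de
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
sambaSID: S-1-5-21-111-222-333-3007
gidNumber: 15000

dn: cn=admins,ou=Groups,dc=lwlab,dc=de
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: admins
gidNumber: 1001
sambaSID: S-1-5-21-111-222-333-3003
sambaGroupType: 2
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: folded lines, base64 ('::') values, multi-valued attrs."""
    # Unfold continuation lines (a leading space joins with the previous line).
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        key, sep, value = line.partition("::")
        if sep:                           # base64-encoded value
            value = base64.b64decode(value.strip()).decode("utf-8")
        else:
            key, _, value = line.partition(":")
        current.setdefault(key.strip(), []).append(value.strip())
    return entries


def find_idmap_conflicts(entries, idmap_gid_range=(15000, 20000)):
    """Return SIDs whose sambaGroupMapping gid differs from their idmap gid.

    idmap_gid_range is the member server's `idmap gid` range; the report notes
    whether the stray gid was allocated from it.
    """
    group_gid: Dict[str, int] = {}
    idmap_gid: Dict[str, int] = {}
    idmap_dn: Dict[str, str] = {}
    for e in entries:
        classes = {c.lower() for c in e.get("objectClass", [])}
        sid = e.get("sambaSID", [None])[0]
        gid = e.get("gidNumber", [None])[0]
        if sid is None or gid is None:
            continue
        if "sambagroupmapping" in classes:
            group_gid[sid] = int(gid)
        elif "sambaidmapentry" in classes:
            idmap_gid[sid] = int(gid)
            idmap_dn[sid] = e["dn"][0]
    lo, hi = idmap_gid_range
    conflicts = []
    for sid in sorted(group_gid.keys() & idmap_gid.keys()):
        if group_gid[sid] != idmap_gid[sid]:
            conflicts.append({
                "sid": sid,
                "group_gid": group_gid[sid],
                "idmap_gid": idmap_gid[sid],
                "idmap_dn": idmap_dn[sid],
                "allocated_from_idmap_range": lo <= idmap_gid[sid] <= hi,
            })
    return conflicts


if __name__ == "__main__":
    for c in find_idmap_conflicts(parse_ldif(SAMPLE_LDIF)):
        print(f"{c['sid']}: group gid {c['group_gid']} but idmap gid "
              f"{c['idmap_gid']} ({c['idmap_dn']})")
```

Run against a real dump by replacing SAMPLE_LDIF with the output of an ldapsearch over both ou=Groups and ou=Idmap; every SID listed is one for which filesystem ACLs written through the member server will carry a gid that differs from the gid the domain controller (and any NSS lookup of the posixGroup) would use.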