[Samba] Problem with ADS idmap backend

David Eisner deisner at gmail.com
Tue Mar 11 14:55:06 GMT 2008


On Tue, Mar 11, 2008 at 7:14 AM, Douglas VanLeuven <roamdad at sonic.net> wrote:

>  If you're running nscd, you have to restart that as well.

Nope, not running nscd.

>  The only thing I picked up from that paper is to add an allocation range
>  for samba's BUILTIN users and groups.
>
>         idmap alloc backend = tdb
>         idmap alloc config:range = 50000-50999
>
>  If you do that, you end up with a file called idmap_cache.tdb that would
>  have to be cleared manually.

Added

  idmap alloc backend = tdb
  idmap alloc config:range        = 5000 - 9999

No change.


>  I took a good look at the differences between our files and I'm not using
>
>         winbind use default domain = yes
>         winbind nested groups = yes
>
>  but I wouldn't think that would make a difference.  The configuration
>  looks good.

Made those changes, too, but again, nothing doing.


>  Still, if all else fails - from source/nsswitch/idmap_ad.c in function
>  idmap_ad_init(void) each method is checked in turn: rfc2307, sfu, and
>  sfu20.  Once the status is OK, the remaining checks are skipped.  If
>  rfc2307 is initializing OK ...

I changed the order of the sfu and rfc2307 check as you suggested,
recompiled, but again, nope.

My read of that code is that each of the idmap plugins is registered
in turn until/if the first one fails.  That is, once that status is
*not* OK (note the ! ), the remaining checks are skipped and it
returns the failed status code.

I'm going to continue to look through the code.  I've also turned on
some NTDS debugging flags to see what I come up with.

Thanks again for your help, I really appreciate it.

-David


-- 
David Eisner http://cradle.brokenglass.com
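
The stop-on-first-failure reading described in the message above, as an added example that is not part of the original post and is not Samba source. It is a simplified model: every name in it (register_method, run_init, the status values) is hypothetical.

```c
#include <stdio.h>

/* Simplified model, NOT Samba source; every name below is hypothetical. */
enum { RFC2307, SFU, SFU20, N_METHODS };
enum { STATUS_OK = 0, STATUS_FAIL = 1 };

/* Stand-in for one registration call: fails only for fail_method,
 * otherwise records the method as a bit in *mask. */
static int register_method(int method, int fail_method, unsigned *mask)
{
    if (method == fail_method)
        return STATUS_FAIL;
    *mask |= 1u << method;
    return STATUS_OK;
}

/* Try each method in the given order. The first status that is NOT OK is
 * returned at once, so the methods after it are never registered.
 * Returns the bitmask of registered methods; *status gets the result. */
static unsigned run_init(const int order[N_METHODS], int fail_method,
                         int *status)
{
    unsigned mask = 0;
    *status = STATUS_OK;
    for (int i = 0; i < N_METHODS; i++) {
        *status = register_method(order[i], fail_method, &mask);
        if (*status != STATUS_OK)   /* the "!" branch: stop on failure */
            break;
    }
    return mask;
}

int main(void)
{
    const int original[N_METHODS] = { RFC2307, SFU, SFU20 };
    const int swapped[N_METHODS]  = { SFU, RFC2307, SFU20 };
    int st;

    /* No failure: both orders register all three methods (mask 0x7). */
    printf("original, none fail: 0x%x\n", run_init(original, -1, &st));
    printf("swapped,  none fail: 0x%x\n", run_init(swapped, -1, &st));
    /* sfu fails: order decides what was registered before the return. */
    printf("original, sfu fails: 0x%x\n", run_init(original, SFU, &st));
    printf("swapped,  sfu fails: 0x%x\n", run_init(swapped, SFU, &st));
    return 0;
}
```

Under this reading, swapping two checks changes the outcome only when one of the registrations fails.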

