[Samba] Setting up PDC w/ LDAP

Daniel L. Miller dmiller at amfes.com
Tue May 27 20:49:46 GMT 2008


John H Terpstra wrote:
> On Tuesday 27 May 2008 02:22:15 pm Daniel L. Miller wrote:
>   
>> I've almost got it.  I swear I've almost got it (and I've been doing a
>> lot of swearing lately).
>>     
>
> Swearing does not help much. :-)
>
>   
It does too!  I haven't broken a single keyboard!
>> I re-built my PDC, starting from scratch.  I'm not using the editposix
>> extensions anymore - I'm using the smbldap tools as shown (I think) in
>> the Samba by Example.
>>     
>
> Now that is a really good guide. (Biased opinion of course!) It is a pity that 
> this book is a little out of date.  Someone really should contribute updates 
> to it I guess.
>   
I'd be delighted to - but at the moment it'd be the blind leading the 
totally clueless.
>> I really really thought I did everything right.  Obviously I was wrong.
>>     
>
> Ah, you mean you have been learning to swim. A good start to using Samba.
>   
Unfortunately I still splash far too much without making efficient 
forward progress.  I can go sideways really good though!
>> First question:  under this configuration, do I need winbind at all?
>>     
>
> That depends!  You can probably get away without winbind.  If you do need it, 
> you should update the configuration since winbindd has changed since Samba 
> 3.0.20 - the version the book was last updated for.
>   
Something I haven't seen in print yet - so I'll ask the question.  WHEN 
is the appropriate time to use winbind with PDC's and BDC's?  If the 
only (intended) purpose is for member servers and joining Windows 
NT/2000+ domains - please say so.  The 3.2 Using Samba says "...in the 
majority of cases |winbind| is of primary interest for use with domain 
member servers (DMSs) and domain member clients (DMCs)." - but that's 
not quite the same as, "In an exclusively Samba server environment, with 
a common LDAP backend (replicated or single), winbind offers no 
additional features and in fact can cause problems.  Do NOT use winbind 
in such a configuration."
>> If the answer is yes, second question:
>> wbinfo -t   yields   checking the trust secret via RPC calls succeeded
>> wbinfo -u   yields   Error looking up domain users
>>     
>
> It is no longer possible to use wbinfo on the PDC itself. See Samba Bugzilla 
> bug no. 5453.
>
>   
>> I should also mention that I can't add the built-in or local groups
>> using net.
>>     
>
> Correct. For that you will need the new winbind configuration syntax - you are 
> running 3.0.28 aren't you?  See man idmap_ldap, or man idmap_tdb.
>   
Now I'm more confused.  I'm reviewing those pages - and while I do see 
some other parameters, they say in their absence they will default to 
using the ones I've specified.  I don't see what I'm missing.  I've 
revised to show:

        idmap domains = AMFESLAN.LOCAL
        idmap alloc backend = ldap
        winbind enum users = Yes
        winbind enum groups = Yes
        idmap alloc config:range = 10000-20000
        idmap alloc config:ldap_url = ldap://127.0.0.1
        idmap alloc config:ldap_base_dn = ou=idmap,dc=amfeslan,dc=local
        idmap config AMFESLAN.LOCAL:range = 10000-20000
        idmap config AMFESLAN.LOCAL:ldap_url = ldap://127.0.0.1
        idmap config AMFESLAN.LOCAL:ldap_base_dn = ou=idmap,dc=amfeslan,dc=local
        idmap config AMFESLAN.LOCAL:backend = ldap
        idmap config AMFESLAN.LOCAL:default = yes

Functionality and error messages remain the same.
> I hope that helps.
>   
Helps a lot - but I'm needy and greedy and would still appreciate more 
of your insight.


-- 
Daniel
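The idmap block posted above is easy to get subtly wrong, and the symptoms (wbinfo errors, groups that cannot be created) give little hint which setting is at fault. The following is an added example, not code from the thread or from the Samba project: a small Python checker that reads the [global] section of an smb.conf and flags the usual idmap mistakes (a listed domain with no backend, an ldap backend without ldap_url or ldap_base_dn, a missing, malformed or inverted range, a range that reaches into the local system ID space, two domains both marked default, and overlapping per-domain ranges). Both embedded configs are constructed for the example; the first mirrors the block in the message, the second is deliberately broken. The 1000 threshold for local system IDs is an assumption, not a Samba rule.

```python
"""Sanity-check the winbind idmap settings in a Samba 3.x smb.conf [global] section."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample mirroring the idmap block posted in the thread; not a real config file.
SAMPLE_SMB_CONF = """\
[global]
        workgroup = AMFESLAN
        idmap domains = AMFESLAN.LOCAL
        idmap alloc backend = ldap
        winbind enum users = Yes
        winbind enum groups = Yes
        idmap alloc config:range = 10000-20000
        idmap alloc config:ldap_url = ldap://127.0.0.1
        idmap alloc config:ldap_base_dn = ou=idmap,dc=amfeslan,dc=local
        idmap config AMFESLAN.LOCAL:range = 10000-20000
        idmap config AMFESLAN.LOCAL:ldap_url = ldap://127.0.0.1
        idmap config AMFESLAN.LOCAL:ldap_base_dn = ou=idmap,dc=amfeslan,dc=local
        idmap config AMFESLAN.LOCAL:backend = ldap
        idmap config AMFESLAN.LOCAL:default = yes
"""

# Constructed broken sample: an ldap backend without URL/base DN, a range reaching into
# local system IDs, a second domain with no backend and an inverted range, and two defaults.
BROKEN_SMB_CONF = """\
[global]
        idmap domains = AMFESLAN.LOCAL, BRANCH.LOCAL
        idmap config AMFESLAN.LOCAL:backend = ldap
        idmap config AMFESLAN.LOCAL:range = 500-20000
        idmap config AMFESLAN.LOCAL:default = yes
        idmap config BRANCH.LOCAL:range = 20000-15000
        idmap config BRANCH.LOCAL:default = yes
"""

LOWEST_SAFE_ID = 1000  # assumption: IDs below this belong to local system accounts
KEY_VALUE = re.compile(r"^\s*([^=#;]+?)\s*=\s*(.*?)\s*$")


def parse_global(text: str) -> Dict[str, str]:
    """Return the key/value pairs of [global]; keys are lower-cased, values kept verbatim."""
    settings: Dict[str, str] = {}
    section: Optional[str] = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1].strip().lower()
            continue
        match = KEY_VALUE.match(line)
        if section == "global" and match:
            settings[match.group(1).lower()] = match.group(2)
    return settings


def parse_range(value: str) -> Optional[Tuple[int, int]]:
    """Parse 'low-high' into a tuple, or None when the value is malformed."""
    match = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", value)
    return (int(match.group(1)), int(match.group(2))) if match else None


def check_idmap(settings: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious was found."""
    findings: List[str] = []
    ranges: Dict[str, Tuple[int, int]] = {}
    domains = settings.get("idmap domains", "").replace(",", " ").split()
    if not domains:
        findings.append("no 'idmap domains' set, so per-domain 'idmap config' lines are ignored")

    # Every listed domain needs a backend and a sane range; ldap backends also need URL and base DN.
    for dom in domains:
        prefix = f"idmap config {dom.lower()}:"
        backend = settings.get(prefix + "backend")
        if backend is None:
            findings.append(f"{dom}: missing '{prefix}backend'")
        elif backend.lower() == "ldap":
            for needed in ("ldap_url", "ldap_base_dn"):
                if prefix + needed not in settings:
                    findings.append(f"{dom}: ldap backend without '{prefix}{needed}'")
        raw = settings.get(prefix + "range")
        rng = parse_range(raw) if raw is not None else None
        if rng is None:
            findings.append(f"{dom}: missing or malformed '{prefix}range'")
            continue
        low, high = rng
        if low >= high:
            findings.append(f"{dom}: range {low}-{high} is inverted or empty")
            continue
        if low < LOWEST_SAFE_ID:
            findings.append(f"{dom}: range starts at {low}, colliding with local system IDs")
        ranges[dom] = rng

    # Only one domain may carry 'default = yes'.
    defaults = [d for d in domains
                if settings.get(f"idmap config {d.lower()}:default", "").lower() in ("yes", "true")]
    if len(defaults) > 1:
        findings.append("more than one domain has 'default = yes': " + ", ".join(defaults))

    # Per-domain ranges must not overlap, or SIDs from two domains map onto the same IDs.
    names = list(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"ranges of {a} and {b} overlap")

    # The allocator that hands out new IDs needs a range of its own when it is configured.
    if "idmap alloc backend" in settings and \
            parse_range(settings.get("idmap alloc config:range", "")) is None:
        findings.append("'idmap alloc backend' set but 'idmap alloc config:range' missing or malformed")
    return findings


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_SMB_CONF), ("broken", BROKEN_SMB_CONF)):
        print(label, check_idmap(parse_global(text)) or ["ok"])
```

Run it against a real file by replacing the embedded string with the contents of /etc/samba/smb.conf; the sample config produces no findings, while the broken one reports six. Keys are compared case-insensitively because the domain name in `idmap domains` and in the `idmap config` prefixes does not have to match in case.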