[Samba] Configuring idmap for a Samba 3.2.4 AD member server

David Eisner deisner at gmail.com
Mon Nov 10 20:42:06 GMT 2008

I'm hoping somebody can point me to the right documentation for
setting up the following scenario.

Earlier this year I had Samba 3.0.28a working as a member server of a
(Windows Server 2003) AD domain, using Solaris 10 and Heimdal
Kerberos.  I was able to log into the server using AD accounts, getent
passwd worked, etc. I was using "security=ads" with these settings
(among others):

    netbios name = MYSMBSRV
    realm = MYDOMAIN.FOO.ORG
    use kerberos keytab = Yes
    idmap domains = MYDOMAIN
    idmap config MYDOMAIN:backend = ad
    idmap config MYDOMAIN:default = yes
    idmap config MYDOMAIN:schema_mode = rfc2307
    idmap config MYDOMAIN:range    = 10000 - 300000000
    idmap alloc backend = tdb
    idmap alloc config:range        = 5000 - 9999
    winbind nss info = rfc2307

It may be that some of this is superfluous but I was fortunate enough
that it worked anyway.

Now I'd like to get the same thing going with Samba 3.2.4.  I'm able
to join the samba server to the domain, and kinit
an_account@MYDOMAIN.FOO.ORG works, but that's about it.  Winbindd eats
up all the CPU on one processor when I start it, and getent passwd
fails to return any non-local accounts. Wbinfo -u sits for a long time
and then fails with "Error looking up domain users".

Looking at a packet dump, I see about a hojillion repeats of this:

    164   5.581492   ...   RPC_NETLOGON   DsrEnumerateDomainTrusts request
    165   5.581931   ...   RPC_NETLOGON   DsrEnumerateDomainTrusts response

My question: Is the following portion of the Official HOWTO up-to-date?


None of it mentions using "idmap config".  I may be mistaken, but I
don't see anything in the HOWTO about using  "idmap config":


Where should I look for definitive, up-to-date instructions for
configuring this with Samba 3.2.4?

Thanks in advance.


David Eisner     http://cradle.brokenglass.com

