[Samba] Idmap + LDAP + winbind: our first BDC - doubts about idmap ranges and winbbindd + Idmap dn

John H Terpstra jht at samba.org
Wed Feb 4 03:20:12 GMT 2009

On Tuesday 03 February 2009 19:53:35 casfre at gmail.com wrote:
> Hi,
>     My doubt is about Idmap + LDAP + winbind, related to BDC + PDC. We
> are using Samba 3.0.33 (Slackware 12.0.0).
>     Our layout is almost like this one
> http://us1.samba.org/samba/docs/man/Samba-Guide/images/chap6-net.png,
> but we have more BLDGn than this example.

OK. When I wrote that chapter I reduced the number of sites.  I have installed 
Samba 3.0.x in one company that had 11 sites - when you get a two site 
installation working correctly the others are just copies of the second one.

>     Actually, we are taking ideas from
> http://us1.samba.org/samba/docs/man/Samba-Guide/happy.html
> and from
> http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-bdc.html.


>     We are reading the docs again, but I would like to clarify some
> points, if possible, to understand "the picture".

I'll try to answer.

>     We have never had a BDC before. Winbindd is not running in our
> PDC. We want a BDC to divide the authentication load with our PDC.

With Samba 3.0.x the use of winbind is not imperative. You can run without it.

> Initially, we will install just one BDC. We have been using Samba +
> LDAP (with SSL)+ smbldaptools since the beginning so, our users (people
> and machines) are all in the LDAP base. In the future, if the results
> were good, we will install more BDCs, using the same logic.

That's OK. Take it slowly, add one BDC at a time, that way you will be better 
able to see what is going on.

>     We have idmap uid and idmap gid with 10000 - 20000 default values
> (smb.conf in PDC). 

If you are not running winbind you do not need the idmap entries.

> We already have more than 20000 users in our base
> (actually, more than 20000 uidx; some of them were deleted). We use
> nss_ldap + nscd in our PDC (nsswitch). 

Be careful with nscd, there can be side-effects to using it.  It does work 

> We need to have UID/GID/SID constant in all servers (PDC + BDCs). 
> We used roaming profiles in the past, but we are not using them now. 

That is achieved via LDAP using nss_ldap - nothing to do with Samba in your 

> User's home directories are available using [homes] service (drive Y:).

Again, this is done through LDAP.  You have control over this via LDAP.  You 
can use the pdbedit tool to change home directory locations.

>     At this moment we will use the strategy of one LDAP master for the
> two servers. We are planning to have slave LDAPs, but not now.

That's fine.

>     Our conclusions until now:
>     Modify smb.conf, in PDC to use:
>     -idmap backend = ldaps://ourldap
>     -idmap uid = 2147483648 - 4294967295
>     -idmap gid = 2147483648 - 4294967295

As I said, only needed if running winbind. If you specify this make sure it is 
written in smb.conf like this:

	idmap uid =  2147483648-4294967295

Note: No space between the numbers and the '-'

>     Modify smb.conf, in BDC, according to PDC's smb.conf and using
> the same lines above.

Again, not needed if you do not run winbind.

>     Sure, we will configure/adjust BDC with nss_ldap and do the tests
> in those guides I already mentioned.


>     What we are worried about follows:
>     -Winbindd must run in PDC?

Not essential.  I always do, but it is not essential.

>     -Our intended idmap (uid and gid) ranges are acceptable (32-bit OS)?

Depends on what your Linux platform supports.

>     -Winbindd is "the man" that will use idmap values and maintain LDAP
> Idmap dn? -Just Winbindd running in BDCs will modify LDAP Idmap dn?

No, both will, depending on how you configure LDAP and Samba. Both CAN 
update LDAP if you wish - it does no harm.

>     -If we run winbindd (with LDAP) and "mess the whole thing", can we
> just start again without "destroying" our PDC UID/GID/SID. We have
> LDAP's base backup. We do not want to, but we can restore the base in
> the case of a "disaster".

In the worst case, just delete the ou=idmap tree from your LDAP directory and 
start again. What is your concern?

>     -Home directories will be kept just in PDC. Is it enough to adjust
> the maps (logon path, logon drive etc) in BDC to use PDC reference? I
> mean, instead of \\%L\... we will use \\OURPDCNAME\...

Home directories can be stored on any server on which it is convenient to 
store them.  It does not HAVE to be the PDC.

>      I know that there are a lot of questions, but we are trying to avoid
> problems and to understand as much as we can before setting up our
> first BDC.

I hope this helps.  Please, please do your learning and testing on a test 
network.  It is a bad idea to experiment on a live network.

Enjoy Samba!

John T.
John H Terpstra

"If at first you don't succeed, don't go sky-diving!"
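As an added example, not part of John's reply or of Samba's own tools: a small Python checker for the idmap settings discussed above. It parses the [global] section of an smb.conf text, rejects the spaced "LOW - HIGH" form John warns about (and rewrites it to the single-token form), checks that the range fits a 32-bit uid_t/gid_t, and flags overlap with the 10000-20000 range the thread says is already in use for ordinary LDAP users. The two smb.conf fragments are constructed for the example (the idmap backend value is copied from the thread, not validated); the 10000-20000 local range and the 32-bit limit are assumptions taken from the thread; the note that 4294967295 equals (uid_t)-1, the "leave unchanged" sentinel used by chown(2), is a Linux/libc fact rather than anything the thread states.

```python
import re

# Constructed sample fragments (not taken from a live server): the spaced form that
# John says to avoid, and the single-token form he shows.
CONF_SPACED = """
[global]
    workgroup = EXAMPLE
    idmap backend = ldaps://ourldap
    idmap uid = 2147483648 - 4294967295
    idmap gid = 2147483648 - 4294967295
"""

CONF_FIXED = """
[global]
    workgroup = EXAMPLE
    idmap backend = ldaps://ourldap
    idmap uid = 2147483648-4294967295
    idmap gid = 2147483648-4294967295
"""

UID_T_32_MAX = 2**32 - 1  # largest value a 32-bit uid_t/gid_t can hold (assumption: 32-bit platform)
RANGE_RE = re.compile(r"^(\d+)\s*(-)\s*(\d+)$")


def parse_global(conf_text):
    """Return the key/value pairs of [global] as a dict (keys lower-cased, spaces collapsed)."""
    params = {}
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[" ".join(key.split()).lower()] = value.strip()
    return params


def normalize_range(value):
    """Rewrite 'LOW - HIGH' as 'LOW-HIGH'; return the value unchanged if it is not a range."""
    m = RANGE_RE.match(value)
    return f"{m.group(1)}-{m.group(3)}" if m else value


def fix_idmap_ranges(conf_text):
    """Return conf_text with the 'idmap uid'/'idmap gid' values rewritten in single-token form."""
    out = []
    for raw in conf_text.splitlines():
        key, sep, value = raw.partition("=")
        if sep and " ".join(key.split()).lower() in ("idmap uid", "idmap gid"):
            out.append(f"{key}= {normalize_range(value.strip())}")
        else:
            out.append(raw)
    return "\n".join(out)


def check_idmap(conf_text, local_range=(10000, 20000)):
    """Return (severity, message) findings for the idmap settings of an smb.conf [global] section.

    local_range is the uid/gid range already used by ordinary LDAP users (the thread's
    10000-20000, an assumption); a winbind idmap range must not collide with it.
    """
    findings = []
    params = parse_global(conf_text)
    if "idmap backend" not in params:
        findings.append(("info", "no idmap backend: idmap ranges only matter when winbindd runs"))
    for key in ("idmap uid", "idmap gid"):
        value = params.get(key)
        if value is None:
            findings.append(("error", f"{key} is missing"))
            continue
        m = RANGE_RE.match(value)
        if not m:
            findings.append(("error", f"{key} = {value!r}: not of the form LOW-HIGH"))
            continue
        if value != normalize_range(value):
            findings.append(("error", f"{key} = {value!r}: no spaces around '-'; use {normalize_range(value)!r}"))
        low, high = int(m.group(1)), int(m.group(3))
        if low >= high:
            findings.append(("error", f"{key}: LOW ({low}) must be below HIGH ({high})"))
        if high > UID_T_32_MAX:
            findings.append(("error", f"{key}: HIGH {high} does not fit a 32-bit uid_t/gid_t"))
        elif high == UID_T_32_MAX:
            # (uid_t)-1 is the 'leave unchanged' sentinel for chown(2); avoid handing it out as an id.
            findings.append(("warn", f"{key}: HIGH {high} is (uid_t)-1, which chown(2) treats as 'no id'"))
        if low <= local_range[1] and high >= local_range[0]:
            findings.append(("error", f"{key}: overlaps local LDAP range {local_range[0]}-{local_range[1]}"))
    return findings


if __name__ == "__main__":
    for name, conf in (("spaced", CONF_SPACED), ("fixed", CONF_FIXED)):
        print(name)
        for severity, message in check_idmap(conf):
            print(f"  [{severity}] {message}")
```

Run it against a copy of your smb.conf text before deploying to the BDC; the "warn" on the upper bound is the reason to stop one below 4294967295 when your platform is 32-bit, and the overlap check is what keeps winbind-allocated ids from colliding with the uids your LDAP users already hold.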
