[Samba] Idmap + LDAP + winbind: our first BDC - doubts about idmap ranges and winbindd + Idmap dn
John H Terpstra
jht at samba.org
Wed Feb 4 03:20:12 GMT 2009
On Tuesday 03 February 2009 19:53:35 casfre at gmail.com wrote:
> My doubt is about Idmap + LDAP + winbind, related to BDC + PDC. We
> are using Samba 3.0.33 (Slackware 12.0.0).
> Our layout is almost like this one
> but we have more BLDGn than this example.
OK. When I wrote that chapter I reduced the number of sites. I have installed
Samba 3.0.x in one company that had 11 sites - when you get a two site
installation working correctly the others are just copies of the second one.
> Actually, we are taking ideas from
> and from
> We are reading the docs again, but I would like to clarify some
> points, if possible, to understand "the picture".
I'll try to answer.
> We have never had a BDC before. Winbindd is not running in our
> PDC. We want a BDC to divide the authentication load with our PDC.
With Samba 3.0.x the use of winbind is not imperative. You can run without it.
> Initially, we will install just one BDC. We have been using Samba +
> LDAP (with SSL) + smbldaptools since the beginning so, our users (people
> and machines) are all in the LDAP base. In the future, if the results
> were good, we will install more BDCs, using the same logic.
That's OK. Take it slowly, add one BDC at a time, that way you will be better
able to see what is going on.
> We have idmap uid and idmap gid with 10000 - 20000 default values
> (smb.conf in PDC).
If you are not running winbind you do not need the idmap entries.
> We already have more than 20000 users in our base
> (actually, more than 20000 uidx; some of them were deleted). We use
> nss_ldap + nscd in our PDC (nsswitch).
Be careful with nscd, there can be side-effects to using it. It does work
> We need to have UID/GID/SID constant in all servers (PDC + BDCs).
> We used roaming profiles in the past, but we are not using them now.
That is achieved via LDAP using nss_ldap - nothing to do with Samba in your
> User's home directories are available using [homes] service (drive Y:).
Again, this is done through LDAP. You have control over this via LDAP. You
can use the pdbedit tool to change home directory locations.
> At this moment we will use the strategy of one LDAP master for the
> two servers. We are planning to have slave LDAPs, but not now.
> Our conclusions until now:
> Modify smb.conf, in PDC to use:
> -idmap backend = ldaps://ourldap
> -idmap uid = 2147483648 - 4294967295
> -idmap gid = 2147483648 - 4294967295
As I said, only needed if running winbind. If you specify this make sure it is
written in smb.conf like this:
idmap uid = 2147483648-4294967295
Note: No space between the numbers and the '-'
> Modify smb.conf, in BDC, according to the PDC's smb.conf and using
> the same lines above.
Again, not needed if you do not run winbind.
> Sure, we will configure/adjust the BDC with nss_ldap and do the tests
> in the guides I already mentioned.
> What we are worried about follows:
> -Winbindd must run in PDC?
Not essential. I always do, but it is not essential.
> -Our intended idmap (uid and gid) ranges are acceptable (32-bit OS)?
Depends on what your Linux platform supports.
> -Winbindd is "the man" that will use idmap values and maintain LDAP
> Idmap dn? -Just Winbindd running in BDCs will modify LDAP Idmap dn?
No, both will, depending on how you configure LDAP and Samba. Both CAN
update LDAP if you wish - it does no harm.
> -If we run winbindd (with LDAP) and "mess the whole thing", can we
> just start again without "destroying" our PDC UID/GID/SID. We have
> LDAP's base backup. We do not want to, but we can restore the base in
> the case of a "disaster".
In the worst case, just delete the ou=idmap tree from your LDAP directory and
start again. What is your concern?
> -Home directories will be kept just in PDC. Is it enough to adjust
> the maps (logon path, logon drive etc) in BDC to use PDC reference? I
> mean, instead of \\%L\... we will use \\OURPDCNAME\...
Home directories can be stored on any server on which it is convenient to
store them. It does not HAVE to be the PDC.
> I know those are a lot of questions, but we are trying to avoid
> problems and to understand as much as we can before setting up our
> first BDC.
I hope this helps. Please, please do your learning and testing on a test
network. It is a bad idea to experiment on a live network.
John H Terpstra
"If at first you don't succeed, don't go sky-diving!"
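Added example, not part of the thread above and not Samba project code: a small checker for the "idmap uid" / "idmap gid" lines discussed in this message. It parses the [global] section of an smb.conf fragment and reports the things a practitioner would want to catch before turning winbind on against a shared LDAP: the "low - high" spacing John warns about, a range that is inverted or does not fit a 32-bit uid_t, an upper bound of 4294967295 (which is (uid_t)-1, the "no uid" sentinel used by chown(2) and friends, so it is a poor value to let winbind hand out), and a range that overlaps the uid/gid numbers already assigned to LDAP accounts (the original 10000-20000 default would collide with a site that already has more than 20000 users). The smb.conf fragments, the server name "ourldap", the "ldap:ldap://" backend syntax and the "ldap idmap suffix" line are constructed for the example and are assumptions about 3.0.x configuration syntax; verify them against the documentation for your Samba version.

```python
import re

# Assumption: a 32-bit platform where uid_t/gid_t is a 32-bit unsigned integer.
UID_T_MAX = 2**32 - 1
# (uid_t)-1 is the "no such uid" sentinel used by chown(2) and setuid-style calls.
# Letting winbind allocate it is a practitioner caveat, not something the thread says.
UID_T_SENTINEL = UID_T_MAX

# Constructed sample: the idmap lines as written in the question (spaces around '-').
SMBCONF_AS_POSTED = """
[global]
    workgroup = EXAMPLE
    idmap backend = ldaps://ourldap
    idmap uid = 2147483648 - 4294967295
    idmap gid = 2147483648 - 4294967295
"""

# Constructed sample of a corrected fragment (assumed 3.0.x syntax; hostname is made up).
# The top of the range is lowered by one so the (uid_t)-1 sentinel is never allocated.
SMBCONF_FIXED = """
[global]
    workgroup = EXAMPLE
    idmap backend = ldap:ldap://ourldap
    ldap idmap suffix = ou=Idmap
    idmap uid = 2147483648-4294967294
    idmap gid = 2147483648-4294967294
"""

# Constructed sample of the old default the PDC was carrying.
SMBCONF_OLD_DEFAULT = """
[global]
    idmap uid = 10000-20000
    idmap gid = 10000-20000
"""

RANGE_RE = re.compile(r'^(\d+)-(\d+)$')            # the form Samba expects: low-high
SPACED_RANGE_RE = re.compile(r'^(\d+)\s*-\s*(\d+)$')  # tolerated here only to keep checking


def parse_global(text):
    """Collect 'key = value' pairs from the [global] section of an smb.conf fragment.
    Samba treats parameter names case- and whitespace-insensitively, so the key
    is normalised to single-spaced lower case."""
    params = {}
    in_global = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        if line.startswith('['):
            in_global = line.lower() == '[global]'
            continue
        if in_global and '=' in line:
            key, _, value = line.partition('=')
            params[' '.join(key.split()).lower()] = value.strip()
    return params


def check_idmap_range(value, posix_low, posix_high):
    """Return a list of problem codes for one 'idmap uid' / 'idmap gid' value.
    posix_low..posix_high is the uid/gid range already used by accounts in LDAP."""
    problems = []
    m = RANGE_RE.match(value)
    if m is None:
        m = SPACED_RANGE_RE.match(value)
        if m is None:
            return ['syntax']
        problems.append('spaces')        # "low - high" must be written as low-high
    low, high = int(m.group(1)), int(m.group(2))
    if low >= high:
        problems.append('order')         # low end must be below the high end
    if high > UID_T_MAX:
        problems.append('too-high')      # does not fit a 32-bit uid_t
    elif high == UID_T_SENTINEL:
        problems.append('sentinel')      # 4294967295 is (uid_t)-1
    if low <= posix_high and posix_low <= high:
        problems.append('overlap')       # winbind could hand out an id an LDAP account already has
    return problems


def check_smbconf(text, posix_low, posix_high):
    """Check both idmap ranges in an smb.conf fragment; 'missing' if a line is absent."""
    params = parse_global(text)
    report = {}
    for key in ('idmap uid', 'idmap gid'):
        if key in params:
            report[key] = check_idmap_range(params[key], posix_low, posix_high)
        else:
            report[key] = ['missing']
    return report


if __name__ == '__main__':
    # The site in the thread has more than 20000 accounts; assume LDAP uids run 10000..30000.
    for name, conf in (('as posted', SMBCONF_AS_POSTED),
                       ('fixed', SMBCONF_FIXED),
                       ('old default', SMBCONF_OLD_DEFAULT)):
        print(name, check_smbconf(conf, 10000, 30000))
```

Run it against your own smb.conf by reading the file into `check_smbconf` together with the lowest and highest uidNumber/gidNumber currently present in your LDAP base (an `ldapsearch` for `uidNumber` sorted numerically gives you those). The overlap check is the one that matters most for a site that already has more than 20000 accounts and is about to let winbind allocate ids into the same directory; the spacing check catches exactly the "2147483648 - 4294967295" form corrected in the reply above.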