[Samba] Classic confusion over new IDMAP params

Theodore Jencks tjencks at digitalfacet.com
Thu Jul 9 14:36:35 MDT 2009

Hello fellow Samba Users and Developers ...

Recently I have been struggling to clearly understand the current 
documentation for IDMAP.  There seems to be the old way of doing things 
and the new way of doing things...and the documentation is not very 
clear as to which way is appropriate for which release of Samba.  At 
least not clear to those of us who don't read source code ;-)

I am attempting to set up a member server, i.e. join my Samba system to 
an Active Directory domain.  I am using the latest Samba 3.4.0 and have 
read what documentation I could find.  Having browsed through the posts 
to this list as well I thought it was time to ask a few questions, and 
would really appreciate if someone could either point me to a post which 
has already discussed this topic or answer my question directly.

Let me summarize my environment and what I'm trying to accomplish:

I work for a networking company and we have a pretty good size AD 
infrastructure with around 8000 users and who knows how many groups.  I 
am attempting to set up a member server for my domain as mentioned and 
I'd like to keep ID mapping consistent on my system ( CentOS 5.3 64bit ) 
with the rest of the Company.  I'm not sure how my IT department 
maintains the mapping of SID to UID however I do know that they do have 
UID data setup in Active Directory.  I am not able to use the idmap_ad 
backend as the structure I saw in AD didn't look like we are using SFU.

This being the case I decided to use idmap_ldap as my idmap backend.  My 
idea is that I will create some initial mappings and then write a script 
to sync the IDs allocated by Samba with the IDs that are actually in 
AD.  Seems a little funky but the best thing I could think of.

Here is my current config:

#======================= Global Settings 

workgroup = JNPR
server string = FT-NM Team File Server
security = ads
load printers = no
log file = /var/log/samba/machines/%m.log
max log size = 50
encrypt passwords = yes
realm = jnpr.net
passdb backend = tdbsam
interfaces =
wins support = no
wins server =
dns proxy = no
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
socket options = TCP_NODELAY
syslog = 1

# Winbindd, idmap and ldap settings

winbind nested groups = yes
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 6000
winbind separator = :
allow trusted domains = no
winbind use default domain = yes
template homedir = /home/%U
template shell = /bin/zsh

ldap connection timeout = 2
ldap debug level = 0
ldap debug threshold = 10
ldap delete dn = no

idmap uid = 1000-200000
idmap gid = 1000-200000

idmap backend = ldap
idmap config JNPR: default = yes
idmap config JNPR: backend = ldap
idmap config JNPR: ldap_url = ldap://localhost
idmap config JNPR: ldap_user_dn = 
idmap config JNPR: ldap_base_dn = 

idmap alloc backend = ldap
idmap alloc config: ldap_url = ldap://localhost
idmap alloc config: ldap_anon = no
idmap alloc config: ldap_user_dn = 
idmap alloc config: ldap_base_dn = 
idmap alloc config: range = 100000-200000

I've been able to get Winbind working and wbinfo is reporting what it's 
supposed to be.  However I don't think I've understood how to properly 
configure the new idmap subsystem.  I am seeing this in the 
winbindd-idmap log:

[2009/07/09 12:55:55,  0] winbindd/idmap.c:201(smb_register_idmap_alloc)
   idmap_alloc module tdb already registered!
[2009/07/09 12:55:55,  0] winbindd/idmap.c:149(smb_register_idmap)
   Idmap module passdb already registered!
[2009/07/09 12:55:55,  0] winbindd/idmap.c:149(smb_register_idmap)
   Idmap module nss already registered!
[2009/07/09 12:55:55,  1] winbindd/idmap_ldap.c:847(idmap_ldap_db_init)
   ERROR: missing idmap ldap url
[2009/07/09 12:55:55,  1] winbindd/idmap.c:321(idmap_init_domain)
   idmap initialization returned NT_STATUS_UNSUCCESSFUL

You may wonder why I don't just use the old style of config as I only 
have one domain.  I've decided to do this so that if I need to support a 
trusted domain I can without a substantial reconfiguration.

Any ideas and comments to help steer me down the right path are greatly 

Best Regards,
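As an added example (not from the post or from Samba itself), here is a small Python check that parses the per-domain `idmap config DOMAIN : key` and `idmap alloc config : key` lines of an smb.conf and reports any ldap-backed section whose ldap_url, ldap_user_dn or ldap_base_dn is missing or empty. Treating those three keys as required is an assumption made for this check; the embedded sample is the idmap portion of the config quoted above, including its two empty DN values.

```python
import re

# Constructed sample: the idmap lines from the smb.conf quoted in the post,
# with ldap_user_dn and ldap_base_dn left empty exactly as posted.
SAMPLE_SMB_CONF = """
idmap uid = 1000-200000
idmap gid = 1000-200000
idmap backend = ldap
idmap config JNPR: default = yes
idmap config JNPR: backend = ldap
idmap config JNPR: ldap_url = ldap://localhost
idmap config JNPR: ldap_user_dn =
idmap config JNPR: ldap_base_dn =
idmap alloc backend = ldap
idmap alloc config: ldap_url = ldap://localhost
idmap alloc config: ldap_anon = no
idmap alloc config: ldap_user_dn =
idmap alloc config: ldap_base_dn =
idmap alloc config: range = 100000-200000
"""

# Assumption: an ldap-backed idmap section needs these three keys populated.
REQUIRED_LDAP_KEYS = ("ldap_url", "ldap_user_dn", "ldap_base_dn")

# Matches "idmap config <DOMAIN> : <key> = <value>" and
# "idmap alloc config : <key> = <value>"; value may be empty.
_IDMAP_RE = re.compile(
    r"^\s*idmap (alloc config|config ([^:\s]+))\s*:\s*(\S+)\s*=\s*(.*?)\s*$")

def parse_idmap(conf):
    """Return {section: {key: value}}; section is a domain name or 'alloc'."""
    sections = {}
    for line in conf.splitlines():
        m = _IDMAP_RE.match(line)
        if not m:
            continue
        section = "alloc" if m.group(1) == "alloc config" else m.group(2)
        sections.setdefault(section, {})[m.group(3)] = m.group(4)
    return sections

def check_idmap(conf):
    """List ldap-backed sections whose required ldap keys are missing or empty."""
    problems = []
    for section, keys in sorted(parse_idmap(conf).items()):
        # The alloc section takes its backend from 'idmap alloc backend', so
        # it is always checked; domain sections only when backend = ldap.
        if section != "alloc" and keys.get("backend") != "ldap":
            continue
        for key in REQUIRED_LDAP_KEYS:
            if not keys.get(key):
                problems.append(f"{section}: {key} is missing or empty")
    return problems

if __name__ == "__main__":
    for problem in check_idmap(SAMPLE_SMB_CONF):
        print(problem)
```

Run against the sample, it flags the empty ldap_user_dn and ldap_base_dn values in both the JNPR and alloc sections, which is the kind of gap worth ruling out before reading winbindd's idmap log.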

