[Samba] idmap LDAP branch never populates with Samba 3.4.1 - how do I debug ?

Patrick Rynhart prynhart at gmail.com
Sun Oct 11 03:43:32 MDT 2009

I've followed the instructions at


which describes how to set up idmap correctly with Samba > 3.0.25.  I have
a trusted domain which has been successfully established.  However, no
SID entries populate beneath ou=idmap and any logon to the trusted
domain will result in:

netr_LogonSamLogon: user SANDBOX\Administrator has user sid
but group sid S-1-5-21-3349915894-2557539911-1720661062-513.
The conflicting domain portions are not supported for NETLOGON calls

because the idmap cache isn't being populated at present, so the group SID
falls back to the built-in (BUILTIN) domain.

I suspect that the idmap_ldap plugin/module isn't being loaded (no probing
for the 'ldap' module appears in the logs, and log.winbind-idmap is
missing), but the module does exist on my system:

# file /usr/lib/samba/idmap/ldap.so
/usr/lib/samba/idmap/ldap.so: ELF 32-bit LSB shared object, Intel 80386,
version 1 (SYSV), not stripped

My configure invocation was initially simple, but I've now tried building
with all the bells and whistles:

# Full ./configure invocation as pasted.  The line breaks are e-mail
# wrapping: each continuation line needs a trailing '\' before it can be
# re-run verbatim.
# Hardening note: --disable-pie produces non-position-independent binaries,
# so smbd/nmbd/winbindd lose ASLR for their own code and data.  Presumably
# a 2009-era toolchain workaround -- drop the flag if the compiler supports
# PIE.
# --with-privatedir=/etc/samba is presumably where secrets.tdb (which holds
# the LDAP bind password) will live -- confirm that directory is root-only.
./configure --cache-file=./config.cache --with-fhs --enable-shared
--enable-static --disable-pie --prefix=/usr --sysconfdir=/etc
--libdir=/usr/lib/samba --with-privatedir=/etc/samba
--with-piddir=/var/run/samba --localstatedir=/var
--with-rootsbindir=/sbin --with-pammodulesdir=/lib/security --with-pam
--with-syslog --with-utmp --with-readline --with-pam_smbpass
--with-libsmbclient --with-winbind
--with-automount --with-ldap --with-ads --with-dnsupdate
--without-libtdb --without-libnetapi --with-modulesdir=/usr/lib/samba
--datarootdir=/usr/share --datadir=/usr/share/samba
--with-swatdir=/usr/share/samba/swat --with-lockdir=/var/run/samba
--with-statedir=/var/lib/samba --with-cachedir=/var/cache/samba
--with-ctdb  --with-cifsmount --with-cifsupcall --with-acl-support
--with-quotas --build i486-linux-gnu

The [global] section of my smb.conf is:

# [global] section as posted (Samba 3.4.1, LDAP-backed PDC for SEAT with a
# trusted domain SANDBOX).  Comments are review notes; no setting is changed.
workgroup = SEAT
server string = %h server (Samba %v)
wins support = no
# NOTE(review): 'wins' is first in the resolve order but no WINS server is
# given -- presumably it just falls through to host/bcast; confirm this is
# intentional.
wins server =
name resolve order = wins host bcast lmhosts
syslog = 0
# Maximum debug level for everything, plus the tdb and idmap classes.  Fine
# for this diagnosis but far beyond what should run in production: it is
# slow and the logs will record usernames, SIDs and directory details.
# Drop back to a low level and keep /var/log/samba root-readable once the
# idmap problem is understood.
log level = 100 tdb:100 idmap:100
log file = /var/log/samba/%m.log
panic action = /usr/share/samba/panic-action %d
security = user
encrypt passwords = true
# Accounts come from LDAP.  The URL carries no host, so the client library's
# default (presumably localhost) is used -- confirm.  The idmap sections
# below write the same server as ldap://localhost; one spelling throughout
# makes the config easier to audit.
passdb backend = ldapsam:ldap://

# ldapsam Editposix

# Plain ldap:// together with 'ldap ssl = no': the simple bind as
# 'ldap admin dn' (password stored separately by Samba) crosses the socket
# in cleartext.  Acceptable only while the directory is on this host and
# never reached over the network; otherwise use ldaps:// or
# 'ldap ssl = start tls'.
ldap ssl = no
# Least privilege: this is the directory's top-level admin.  Samba only
# needs write access to the user/group/machine/idmap branches, so a
# dedicated bind DN whose ACL is limited to those subtrees would contain a
# leak of the stored password.  With 'ldap delete dn = yes' this account
# can remove whole entries, not just Samba attributes.
ldap admin dn = cn=admin,dc=seat,dc=massey,dc=ac,dc=nz
ldap delete dn = yes
ldap group suffix = ou=groups
ldap machine suffix = ou=machines
ldap user suffix = ou=users
ldap suffix = dc=seat,dc=massey,dc=ac,dc=nz
# Explicitly loads the LDAP idmap module at startup.  The idmap 'backend =
# ldap' lines below should normally locate it without this; needing it is
# itself a hint that the module name/path is being resolved differently
# than expected.
preload modules = /usr/lib/samba/idmap/ldap.so
# Whole-domain enumeration on getpwent/getgrent can be expensive on a large
# directory and is not required for SID-to-id mapping.
winbind enum users = yes
winbind enum groups = yes
# Allocator used when a not-yet-seen SID needs a fresh uid/gid.
idmap alloc backend = ldap
idmap alloc config:ldap_base_dn = ou=idmap,dc=seat,dc=massey,dc=ac,dc=nz
idmap alloc config:ldap_user_dn = cn=admin,dc=seat,dc=massey,dc=ac,dc=nz
idmap alloc config:ldap_url = ldap://localhost
# Range overlap: this 50000-500000 range, BUILTIN's 50000-500000 below and
# SANDBOX's 50000-59999 all cover the same ids.  Overlapping ranges allow
# two different SIDs to receive the same uid/gid, i.e. a user in one domain
# can end up owning another domain's files.  Give each domain (and the
# allocator, if this version still uses it) a disjoint range.
idmap alloc config:range = 50000-500000
idmap config BUILTIN:backend = ldap
idmap config BUILTIN:readonly = no
# NOTE(review): 'default = yes' is a legacy per-domain idmap option, and no
# 'idmap backend' / 'idmap uid' / 'idmap gid' lines are visible in this
# excerpt.  Check idmap_ldap(8) for 3.4 -- an unrecognised parameter is
# typically ignored silently, which would fit "nothing ever gets written".
idmap config BUILTIN:default = yes
idmap config BUILTIN:ldap_base_dn = ou=idmap,dc=seat,dc=massey,dc=ac,dc=nz
idmap config BUILTIN:ldap_user_dn = cn=admin,dc=seat,dc=massey,dc=ac,dc=nz
idmap config BUILTIN:ldap_url = ldap://localhost
idmap config BUILTIN:range = 50000-500000
# Trusted domain.  Its range sits entirely inside the two ranges above (see
# the overlap note).
idmap config SANDBOX:backend = ldap
idmap config SANDBOX:range = 50000-59999
idmap config SANDBOX:ldap_url = ldap://
idmap config SANDBOX:ldap_base_dn = ou=idmap,dc=seat,dc=massey,dc=ac,dc=nz
idmap config SANDBOX:ldap_user_dn = cn=admin,dc=seat,dc=massey,dc=ac,dc=nz
# NOTE(review): 'ldap_alloc_url' / 'ldap_alloc_base_dn' are not spelled like
# the other idmap_ldap keys and the base DN is empty; verify this version
# accepts them rather than dropping them without a warning.
idmap config SANDBOX:ldap_alloc_url = ldap://
idmap config SANDBOX:ldap_alloc_base_dn =
# Only the NetBIOS session service is offered; port 445 (SMB directly over
# TCP) is not listed.
smb ports = 139
domain master = yes
domain logons = yes
# Idle client connections are dropped after this deadtime (minutes, per
# smb.conf(5)).
deadtime = 60

Any help would be appreciated.

