[Samba] using ldap only idmap

Mariano Absatz el.baby at gmail.com
Sun Oct 18 04:22:01 MDT 2009

Can anyone help me on this? I'm really stuck...

On Thu, Oct 15, 2009 at 16:58, Mariano Absatz <el.baby at gmail.com> wrote:
> Hi,
> I'm trying to make a "pure ldap" setup, whereas users, groups, id mappings
> and everything that is supported with LDAP be in the LDAP tree and managed
> directly by samba.
> That is, I'm using:
> ldapsam:trusted = yes
> ldapsam:editposix = yes
> And NOT using smbldap-*.
> My smb.conf is here: http://wiki.clueless.com.ar/SambaLdap/smb.conf-PDC
> I created the LDAP tree root (o=midominio) and all its branches (ou=people;
> ou=groups; ou= hosts and ou=idmap).
> I ran "net sam provision" to fill in the basic values.
> I stored the secrets in secrets.tdb:
> # smbpasswd -w ldap_admin_password
> # net idmap secret midominio ldap_admin_password
> # net idmap secret alloc ldap_admin_password
> I was able to join a samba server to the domain (net rpc join -S miserver
> -UAdministrator).
> However, when I try to join an XP host to the domain, I get an error (IIRC
> it's "An attached device is not functionning") in the workstation and the
> samba logs show the following:
> [2009/10/15 11:17:47,  0] passdb/pdb_ldap.c:ldapsam_create_user(5119)
>  ldapsam_create_user: Unable to allocate a new user id: bailing out!
> The user I'm using to bind to the LDAP server is the LDAP administrator and
> it does have permissions on all the tree (in particular, within
> "ou=idmap,o=midominio")...
> I manually added an entry for the workstation's account posix data, then
> issued "smbpasswd -a workstation$"
> THEN I could join the domain...
> Clearly, I have something misconfigured regarding ldap/idmap/alloc, but I
> can't find enough information to do it right.
> Any help REALLY appreciated...

Mariano Absatz - El Baby

More information about the samba mailing list