[Samba] "net sam provision" and samba 3.4.0

Zeller, Jan jan.zeller at id.unibe.ch
Sun Sep 6 13:16:59 MDT 2009

Dear list,

I had some problems with "net sam provision" using Samba 3.4.0.
I followed the instructions described on http://wiki.samba.org/index.php/Ldapsam_Editposix and those published by iX 4-6/2008 (www.ix.de),
but the result of "net sam provision" was always:

# bin/net sam provision
 Checking for Domain Users group.
 Adding the Domain Users group.
 Unable to allocate a new gid to create Domain Users group!
 Checking for Domain Admins group.
 Adding the Domain Admins group.
 Unable to allocate a new gid to create Domain Admins group!
 Check for Administrator account.
 Adding the Administrator user.
 Can't create Administrator user, Domain Admins group not available!

The "only configuration" which is working under 3.4.0 regarding "net sam provision" seems to be:

       workgroup = MYDOM
       netbios name =
       passdb backend = ldapsam:ldap://yoda.home.lan
       ldap admin dn = cn=ldapadm,o=it,dc=home,dc=lan
       ldap suffix = o=it,dc=home,dc=lan
       ldap ssl = no
       idmap alloc backend = ldap
       idmap uid = 10000-19999
       idmap gid = 10000-19999
       idmap config MYDOM : range = 20000-29999
       idmap config MYDOM : backend = ldap
       idmap alloc config:ldap_url = ldap://yoda.home.lan
       idmap alloc config:ldap_user_dn = cn=ldapadm,o=it,dc=home,dc=lan
       idmap alloc config:ldap_base_dn = o=it,dc=home,dc=lan
       ldapsam:editposix = yes
       ldapsam:trusted = yes

If I omit 
    idmap uid = 
    idmap gid = 
I obtain the error message mentioned above.

The only info I get about that problem is from:
Michael Adam (Samba Team, SerNet): ID Mapping Re-Revisited (sambaxp.org)

"idmap domains" seems to be obsolete. testparm always complains about:
Unknown parameter encountered: "idmap domains"
Ignoring unknown parameter "idmap domains"

Honestly I don't understand the difference between "idmap alloc backend = " and "idmap backend = "

idmap alloc backend (G) 
The idmap alloc backend provides a plugin interface for Winbind to use when allocating Unix uids/gids for Windows SIDs. 
This option is to be used in conjunction with the idmap domains parameter and refers to the name of the idmap module which will provide the id allocation functionality.

idmap backend (G)
The idmap backend provides a plugin interface for Winbind to use varying backends to store SID/uid/gid mapping
tables. This option is mutually exclusive with the newer and more flexible idmap domains parameter. The main
difference between the "idmap backend" and the "idmap domains" is that the former only allows one backend for all
domains while the latter supports configuring backends on a per domain basis.

Quite confusing for people like me ...

kind regards,
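
Added example, not part of the original post and not Samba code: a small pre-flight check over the [global] section for the conditions this message reports on 3.4.0 (no "idmap uid"/"idmap gid" pool while ldapsam:editposix is on, and the "idmap domains" parameter that testparm rejects). Going beyond the post, it also flags an allocator pool that overlaps a per-domain range and "ldap ssl = no" on a plain ldap:// backend; the function names and the simplified parser are assumptions of this example.

```python
import re

# Constructed sample: the poster's working [global] settings with the
# "idmap uid" / "idmap gid" lines removed (the variant reported to fail).
SAMPLE = """\
[global]
   passdb backend = ldapsam:ldap://yoda.home.lan
   ldap ssl = no
   idmap alloc backend = ldap
   idmap config MYDOM : range = 20000-29999
   idmap config MYDOM : backend = ldap
   ldapsam:editposix = yes
"""

def parse_global(text):
    # Simplified reader: [global] only, names lower-cased, spaces collapsed.
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            name = re.sub(r"\s*:\s*", ":", " ".join(name.lower().split()))
            params[name] = value.strip()
    return params

def as_range(value):
    m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value or "")
    return (int(m.group(1)), int(m.group(2))) if m else None

def check(text):
    p, findings = parse_global(text), []
    pools = {k: as_range(p.get(k)) for k in ("idmap uid", "idmap gid")}
    if p.get("ldapsam:editposix", "no").lower() == "yes":
        findings += [f"missing {k}" for k, r in pools.items() if r is None]
    for k, v in p.items():
        dom = as_range(v) if re.fullmatch(r"idmap config [^:]+:range", k) else None
        for pk, pr in pools.items():
            if dom and pr and dom[0] <= pr[1] and pr[0] <= dom[1]:
                findings.append(f"{pk} overlaps {k}")
    if "idmap domains" in p:
        findings.append("idmap domains: unknown parameter per testparm")
    if p.get("ldap ssl", "").lower() == "no" and "ldap://" in p.get("passdb backend", ""):
        findings.append("ldap ssl = no: LDAP bind is sent unencrypted")
    return findings
```

Calling check(SAMPLE) returns the two missing-pool findings plus the ldap ssl finding; adding the poster's two 10000-19999 ranges leaves only the latter.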

