[Samba] "net sam provision" and samba 3.4.0

David Markey dmarkey at dodds.dmarkey.com
Sun Sep 6 16:53:21 MDT 2009


These are the settings I use:
[global]
  workgroup = TESTDOM
  encrypt passwords = true
  passdb backend =   ldapsam:ldapi:///
  domain logons = yes
  ldapsam:trusted=yes
  ldapsam:editposix=yes
  restrict anonymous = 0
  log level = 10
  log file = /var/log/samba
  ldap admin dn = cn=admin,dc=samba,dc=org
  ldap delete dn = yes
  ldap passwd sync = yes
  ldap group suffix = ou=groups
  ldap machine suffix = ou=computers
  ldap user suffix = ou=users
  ldap suffix = dc=samba,dc=org
  ldap ssl = off
  logon path =
  template homedir = /home/%U
  template shell = /bin/bash
  idmap backend = ldap:ldapi:///
  idmap uid = 1000000-1999999
  idmap gid = 1000000-1999999
  idmap alloc backend = ldap
  idmap alloc config : ldap_url = ldapi:///
  idmap alloc config : ldap_base_dn = ou=idmap,dc=samba,dc=org
  idmap alloc config : ldap_user_dn = cn=admin,dc=samba,dc=org


Don't forget net idmap secret alloc "password"


The docs should probably be updated.



On Sun, 6 Sep 2009 21:16:59 +0200, "Zeller, Jan" <jan.zeller at id.unibe.ch>
wrote:
> Dear list,
> 
> I had some problems with "net sam provision" using samba 3.4.0
> I followed the instructions described on
> http://wiki.samba.org/index.php/Ldapsam_Editposix and those published by iX
> 4-6/2008 (www.ix.de)
> but the result of "net sam provision" was always :
> 
> # bin/net sam provision
>  Checking for Domain Users group.
>  Adding the Domain Users group.
>  Unable to allocate a new gid to create Domain Users group!
>  Checking for Domain Admins group.
>  Adding the Domain Admins group.
>  Unable to allocate a new gid to create Domain Admins group!
>  Check for Administrator account.
>  Adding the Administrator user.
>  Can't create Administrator user, Domain Admins group not available!
> 
> The "only configuration" which is working under 3.4.0 regarding "net sam
> provision" seems to be :
> 
> [global]
>        workgroup = MYDOM
>        netbios name =
>        passdb backend = ldapsam:ldap://yoda.home.lan
>        ldap admin dn = cn=ldapadm,o=it,dc=home,dc=lan
>        ldap suffix = o=it,dc=home,dc=lan
>        ldap ssl = no
>        idmap alloc backend = ldap
>        idmap uid = 10000-19999
>        idmap gid = 10000-19999
>        idmap config MYDOM : range = 20000-29999
>        idmap config MYDOM : backend = ldap
>        idmap alloc config:ldap_url = ldap://yoda.home.lan
>        idmap alloc config:ldap_user_dn = cn=ldapadm,o=it,dc=home,dc=lan
>        idmap alloc config:ldap_base_dn = o=it,dc=home,dc=lan
>        ldapsam:editposix = yes
>        ldapsam:trusted = yes
> 
> If I omit 
>     idmap uid = 
>     idmap gid = 
> I obtain the error message mentioned above.
> 
> The only info I get about that problem is from :
> Michael Adam (Samba Team, SerNet): ID Mapping Re-Revisited (sambaxp.org)
> 
> "idmap domains" seem to be obsolete. testparm always complains about :
> Unknown parameter encountered: "idmap domains"
> Ignoring unknown parameter "idmap domains"
> 
> Honestly I don't understand the difference between "idmap alloc backend = "
> and "idmap backend = "
> 
> idmap alloc backend (G) 
> The idmap alloc backend provides a plugin interface for Winbind to use when
> allocating Unix uids/gids for Windows SIDs. This option is to be used in
> conjunction with the idmap domains parameter and refers to the name of the
> idmap module which will provide the id allocation functionality.
> 
> idmap backend (G)
> The idmap backend provides a plugin interface for Winbind to use varying
> backends to store SID/uid/gid mapping tables. This option is mutually
> exclusive with the newer and more flexible idmap domains parameter. The main
> difference between the "idmap backend" and the "idmap domains" is that the
> former only allows one backend for all domains while the latter supports
> configuring backends on a per domain basis.
> 
> Quite confusing for people like me ...
> 
> kind regards,
> 
> Jan

