[Samba] Restart Winbind

Alex Crow acrow at integrafin.co.uk
Fri Sep 18 07:13:49 MDT 2009

> That looks like very useful information. I am using 3.2.8 as well.
> Will you please elaborate a bit on upgrading the schema?

First question: are your Domain Controllers using Samba? If not, the
rest of this probably won't work (never used an AD domain myself).

On gentoo emerging the latest samba provided me with the latest schema
too. Interestingly on Debian the one I got wasn't correct when I
upgraded, so I copied the one over from the gentoo boxes (although
someone at work said I should have looked
in /usr/share/doc/samba/something). The only file needed is
samba.schema. I guess to be sure you could just download the appropriate
samba release and pull it from there to put in the schema dir.

> Following is my idmap config.
> idmap domains = default, DOMAIN1, DOMAIN2, DOMAIN3
>         idmap uid = 1000 - 299999
>         idmap gid = 1000 - 299999
>         idmap config DOMAIN1:range = 100000 - 199999
>         idmap config DOMAIN1:backend = rid
>         idmap config DOMAIN3:range = 1000 - 99999
>         idmap config DOMAIN3:backend = rid
>         idmap config DOMAIN2:range = 200000 - 299999
>         idmap config DOMAIN2:backend = rid
>         idmap config default:default = Yes

I see you're doing it the "new way" (and using RID not LDAP for IDMAP
mappings). I'm still using the old syntax with LDAP thusly:

idmap backend = ldap:ldap://
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind nested groups = yes
winbind trusted domains only = yes
winbind use default domain = no
winbind enum users = yes
winbind enum groups = yes
allow trusted domains = yes

That's on the PDC, all other servers should be pointed to the PDC's (or
whatever master LDAP server you have) real ip address for IDMAP. Should
be no prob. to update this to the new syntax.

Did you also populate your LDAP directory with the bare IDMAP ou? You
can find the required LDIF in the "By Example" docs on samba.org.

I find that with this setting all of my trusted domains work fine. I
noticed if you do "winbind use default domain = yes" then you get all
the local domain stuff in the IDMAP ou, which seems as if it could cause
problems (although it never seems to when I've set that by accident). If
you use the new syntax then you will probably avoid this issue.


This message is intended only for the addressee and may contain 
confidential information.  Unless you are that person, you may not 
disclose its contents or use it in any way and are requested to delete 
the message along with any attachments and notify us immediately. 

"Transact" is operated by Integrated Financial Arrangements plc 
Domain House, 5-7 Singer Street, London  EC2A 4BQ 
Tel: (020) 7608 4900 Fax: (020) 7608 1200
(Registered office: as above; Registered in England and Wales under
number: 3727592) 
Authorised and regulated by the Financial Services Authority (entered on
the FSA Register; number: 190856)
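The security-relevant detail in both idmap configs above is that the per-domain ranges must not overlap each other (or, in the 3.2-style config, fall outside the global idmap uid/gid range): an overlap lets two different SIDs from different trusted domains resolve to the same Unix uid or gid, so a user in one domain can end up owning another domain's files. The following is an added example, not code from this message or from the Samba project. It parses an smb.conf fragment in either the old global syntax or the per-domain "idmap config" syntax and reports overlapping or out-of-range idmap ranges. Both sample configs are constructed: the first mirrors the quoted config with one range deliberately widened so it overlaps, the second is a hypothetical translation of the LDAP-backed setup to the newer "idmap config * : ..." syntax (the LDAP URL and DNs are placeholders).

```python
"""Sanity-check Samba winbind idmap ranges in an smb.conf fragment.

Added example (not from the mailing-list post or the Samba project).
Overlapping idmap ranges map different SIDs onto the same uid/gid.
"""
import re
from itertools import combinations

# Constructed: the quoted 3.2-style config, with DOMAIN2's range widened
# downwards so it collides with DOMAIN1 and DOMAIN3.
OVERLAPPING_SMB_CONF = """
[global]
    workgroup = DOMAIN1
    idmap domains = default, DOMAIN1, DOMAIN2, DOMAIN3
    idmap uid = 1000 - 299999
    idmap gid = 1000 - 299999
    idmap config DOMAIN1:range = 100000 - 199999
    idmap config DOMAIN1:backend = rid
    idmap config DOMAIN3:range = 1000 - 99999
    idmap config DOMAIN3:backend = rid
    idmap config DOMAIN2:range = 90000 - 299999
    idmap config DOMAIN2:backend = rid
    idmap config default:default = Yes
"""

# Constructed: hypothetical newer-syntax version of the LDAP-backed setup,
# with "*" as the default domain and non-overlapping ranges.  Hostname and
# DNs are placeholders, not taken from the post.
CONVERTED_SMB_CONF = """
[global]
    workgroup = DOMAIN1
    idmap config * : backend = ldap
    idmap config * : ldap_url = ldap://ldap.example.com
    idmap config * : ldap_base_dn = ou=Idmap,dc=example,dc=com
    idmap config * : ldap_user_dn = cn=Manager,dc=example,dc=com
    idmap config * : range = 300000 - 399999
    idmap config DOMAIN1 : backend = rid
    idmap config DOMAIN1 : range = 100000 - 199999
    idmap config DOMAIN2 : backend = rid
    idmap config DOMAIN2 : range = 200000 - 299999
    idmap config DOMAIN3 : backend = rid
    idmap config DOMAIN3 : range = 1000 - 99999
    winbind nested groups = yes
    winbind use default domain = no
    allow trusted domains = yes
"""

RANGE_RE = re.compile(r"^\s*(\d+)\s*-\s*(\d+)\s*$")
GLOBAL_RE = re.compile(r"^\s*idmap\s+(uid|gid)\s*=\s*(.+?)\s*$", re.I)
DOMAIN_RE = re.compile(
    r"^\s*idmap\s+config\s+([^:\s]+)\s*:\s*range\s*=\s*(.+?)\s*$", re.I)


def parse_range(text):
    """'1000 - 99999' -> (1000, 99999); rejects malformed/inverted ranges."""
    m = RANGE_RE.match(text)
    if not m:
        raise ValueError("bad idmap range: %r" % text)
    lo, hi = int(m.group(1)), int(m.group(2))
    if lo > hi:
        raise ValueError("inverted idmap range: %r" % text)
    return lo, hi


def parse_idmap(conf):
    """Return (global ranges keyed 'uid'/'gid', per-domain ranges keyed DOMAIN)."""
    global_ranges, domain_ranges = {}, {}
    for line in conf.splitlines():
        if line.strip().startswith(("#", ";")):   # smb.conf comment lines
            continue
        m = GLOBAL_RE.match(line)
        if m:
            global_ranges[m.group(1).lower()] = parse_range(m.group(2))
            continue
        m = DOMAIN_RE.match(line)
        if m:
            domain_ranges[m.group(1).upper()] = parse_range(m.group(2))
    return global_ranges, domain_ranges


def overlaps(a, b):
    """True if closed integer intervals a and b share at least one id."""
    return a[0] <= b[1] and b[0] <= a[1]


def check_idmap(conf):
    """Return a list of problems found; an empty list means the ranges are sane."""
    global_ranges, domain_ranges = parse_idmap(conf)
    problems = []
    # Any two domains (including the default "*") must use disjoint ranges.
    for d1, d2 in combinations(sorted(domain_ranges), 2):
        if overlaps(domain_ranges[d1], domain_ranges[d2]):
            problems.append("overlap: %s %s vs %s %s"
                            % (d1, domain_ranges[d1], d2, domain_ranges[d2]))
    # In the old syntax every domain range must sit inside idmap uid/gid.
    for kind, (glo, ghi) in global_ranges.items():
        for dom, (lo, hi) in domain_ranges.items():
            if lo < glo or hi > ghi:
                problems.append("%s range %s outside global idmap %s %s"
                                % (dom, (lo, hi), kind, (glo, ghi)))
    return problems


if __name__ == "__main__":
    for name, conf in (("overlapping", OVERLAPPING_SMB_CONF),
                       ("converted", CONVERTED_SMB_CONF)):
        print(name, check_idmap(conf) or "OK")
```

Run it against your real smb.conf (read the file instead of the embedded strings) before restarting winbind; a non-empty list means some SIDs would be able to share a uid/gid, which is far harder to clean up after the mappings have been written to the IDMAP ou or tdb than before.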
