[Samba] IDMAP question

Mike Leone turgon at mike-leone.com
Wed Apr 7 13:38:38 MDT 2010


I have a Samba 3.4.0 server (from Ubuntu 9.04), as a member server in my 
Win2003 AD (which has MS Services for Unix 3.5 installed). All seems 
well: it is properly joined to my AD, and I've got it configured so that 
domain members can log into the Linux servers using their domain 
credentials.

Here's my config:

# WINBIND
# Rejected as an unknown parameter by this 3.4 build (see question 1 below).
#       idmap domains = DACRIB
# NOTE(review): whether 3.4 still honours "default = true" is unclear; the
# idmap rework that dropped "idmap domains" may have dropped it too - check
# what testparm reports for this line.
         idmap config DACRIB: default = true
# Presumably the fallback UID/GID range for SIDs no domain backend claims.
         idmap uid = 10000-20000
         idmap gid = 10000-20000
# NOTE(review): schema_mode is an option of the ad idmap backend, but no
# "idmap config DACRIB:backend = ad" (nor a per-domain range) is set here -
# confirm this line is taking effect at all.
         idmap config DACRIB:schema_mode = rfc2307

Two questions:

1. I had to comment out "idmap domains = DACRIB", because Samba reported it 
as an unknown parameter. Isn't that the proper way to name the AD domain 
for idmapping?

2. If I understand it correctly, is "idmap config DACRIB:RID=10000-20000" 
equivalent to what I have above? Would it give me any capabilities 
that my "default = true" does not? (I'd have to change "passdb 
backend = tdbsam" to .. what?)


smb.conf follows:

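[global]
# Domain membership: AD member server in the DACRIB realm (security = ADS),
# authenticating clients through SPNEGO/Kerberos.
         workgroup = DACRIB
         realm = DACRIB.LOCAL
         server string = %h server (Samba %v, Domain: %D, Server: %L -%R)
         security = ADS
# Logins with an unknown username become the guest account. Presumably this
# only grants access on shares that set "guest ok" (none of the shares below
# do) and on usershares, since "usershare allow guests" is enabled further
# down.
         map to guest = Bad User

         client use spnego = Yes
         client ntlmv2 auth = Yes
# PAM AUTH
         encrypt passwords = Yes
         obey pam restrictions = Yes
# "pam password change" appeared twice (true, then Yes); Samba keeps the last
# value, so the duplicate was removed with no change in effect.
         pam password change = Yes
         password server = dim-win2300.DaCrib.local
         passdb backend = tdbsam
         passwd program = /usr/bin/passwd %u
# Kept on a single line: the copy in the post was split after the first
# "%n\n", and Samba only joins lines that end in a backslash.
         passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
         unix password sync = Yes

         log level = 1
         syslog = 0
         log file = /var/log/samba/log.%m
         max log size = 1000

# Never compete for browse-master roles inside the AD domain.
         preferred master = No
         domain master = No
         local master = No
         os level = 2
;       browse list = Yes

         dns proxy = No
# Guests may reach usershares; together with "map to guest = Bad User" above,
# any mistyped username lands in that guest account.
         usershare allow guests = Yes
         panic action = /usr/share/samba/panic-action %d

# WINBIND
# Rejected as an unknown parameter by this 3.4 build (see question 1).
#       idmap domains = DACRIB
# NOTE(review): whether 3.4 still honours "default = true" is unclear - check
# what testparm reports for this line.
         idmap config DACRIB: default = true
# Presumably the fallback UID/GID range for SIDs no domain backend claims.
         idmap uid = 10000-20000
         idmap gid = 10000-20000
# NOTE(review): schema_mode is an option of the ad idmap backend, but no
# "idmap config DACRIB:backend = ad" (nor a per-domain range) is set, so it
# is doubtful this line takes effect - confirm against idmap_ad(8) for 3.4.
         idmap config DACRIB:schema_mode = rfc2307

# NOTE(review): enumeration lets getent list the whole domain, which gets
# expensive on large domains; not needed for logins.
         winbind enum users = Yes
         winbind enum groups = Yes
         winbind use default domain = No
         winbind nested groups = Yes
         winbind refresh tickets = Yes
         winbind nss info = rfc2307
         winbind separator = +

         template homedir = /home/%D/%u
         template shell = /bin/bash
# root can never authenticate over SMB.
         invalid users = root
         create mask = 0700
         directory mask = 0775
# NOTE(review): "writable" in [global] becomes the default for every share
# that sets neither "read only" nor "writable" itself. [print$] below sets
# neither, so as written every authenticated domain user can modify the
# printer driver store; give that share an explicit "read only = Yes" plus a
# "write list" of the driver administrators.
         writable = Yes
         enable privileges = Yes
         restrict anonymous = 2

         wide links = No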

[printers]
# Print spool share; not listed in browse lists but reachable by name.
         path = /var/spool/samba
         comment = All Printers
         browseable = No
         printable = Yes

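[print$]
         comment = Printer Drivers
         path = /var/lib/samba/printers
# The driver store must not be writable by every domain user: without the two
# lines below this share inherits "writable = Yes" from [global]. Only the
# group listed in "write list" may upload drivers (with "enable privileges"
# on, the uploading account presumably also needs SePrintOperatorPrivilege).
# Replace the group with whichever AD group should administer drivers; the
# DACRIB+ prefix follows "winbind separator = +" and
# "winbind use default domain = No" from [global].
         read only = Yes
         write list = @"DACRIB+Domain Admins"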
[OldHome]
# Plain writable file share; no "guest ok" here, so guests are not admitted.
         path = /OldHome
         comment = The Old Home Folder
         read only = No


