[Samba] Idmap_ad not working correctly under samba 3.5.2

Oliver Weinmann oliver.weinmann at vega.de
Thu May 6 01:43:55 MDT 2010

I have investigated further and compared the behaviour of samba 3.3 and
samba 3.5 on 2 identical SLES9 VMs. Samba 3.3 is working as expected
with our Win2k3 SFU Domain and idmap_ad module. Samba 3.5 is not. I
noticed that there are a few kerberos params that have changed in 3.5,
but I just can't get 3.5 to work as expected:

sles9test3:~ # testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
Unknown parameter encountered: "use kerberos keytab"
Ignoring unknown parameter "use kerberos keytab"
Loaded services file OK.
Press enter to see a dump of your service definitions

For example, I can run getent passwd and getent group fine under 3.3 but
not under 3.5. Also, I created a user "tuser2" in AD; this user is visible
within 1 minute under 3.3, while under 3.5 it's not even visible after a
reboot. Also, group memberships of AD users are not updated under 3.5.2.

I'm not sure if this is a bug. I tried a lot of things in smb.conf but
it just doesn't work. At the moment I have to consider going back to

I googled a lot in the past days to find a correct smb.conf for 3.5 and
idmap_ad but it's really hard to find a well documented howto.

I would really appreciate it if someone had a look at this.

Here is my smb.conf:

        netbios name = sles9test1
        realm = SOMEDOMAIN.NET
        workgroup = SOMEDOMAIN
        security = ADS
        encrypt passwords = yes
        password server = dc.somedomain.net
        os level = 20
        idmap backend = ad
        idmap config SOMEDOMAIN : backend = ad
        idmap config SOMEDOMAIN : schema_mode = sfu
        idmap config SOMEDOMAIN : range = 0-99999999
        winbind nss info = sfu
        winbind enum users = yes
        winbind enum groups = yes
        preferred master = no
        winbind nested groups = Yes
        winbind use default domain = Yes
        max log size = 50
        log level = 10
        log file = /var/log/samba/log.%m
        dns proxy = no
        wins server =
        allow trusted domains = no
        client use spnego = Yes
        use kerberos keytab = true
        winbind refresh tickets = yes
        idmap cache time = 1
        winbind cache time = 1

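An added example, not from the post or from the Samba project: a small Python lint that parses the smb.conf fragment above and flags the "use kerberos keytab" parameter that testparm rejected, the ID range that starts at 0, and the debug-level logging. The replacement name "kerberos method" is my assumption about 3.5; check `man smb.conf` on the installed version.

```python
import re

# Constructed sample: the idmap/winbind lines from the smb.conf in the post above.
SMB_CONF = """\
        realm = SOMEDOMAIN.NET
        security = ADS
        idmap backend = ad
        idmap config SOMEDOMAIN : backend = ad
        idmap config SOMEDOMAIN : schema_mode = sfu
        idmap config SOMEDOMAIN : range = 0-99999999
        winbind nss info = sfu
        log level = 10
        use kerberos keytab = true
"""

# Parameter that testparm in the post reports as unknown, with the name assumed
# to have replaced it in Samba 3.5 (assumption; verify with `man smb.conf`).
REMOVED_PARAMS = {"use kerberos keytab": "kerberos method"}


def parse_smb_conf(text):
    """Parse a [global]-style fragment into {key: value}, skipping comments and headers."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":
            continue
        key, _, value = line.partition("=")
        # normalise "idmap config DOM:range" and "idmap config DOM : range" to one form
        key = re.sub(r"\s*:\s*", " : ", re.sub(r"\s+", " ", key.strip()))
        params[key] = value.strip()
    return params


def lint_idmap(params):
    """Return human-readable findings about the idmap/winbind settings."""
    findings = []
    for old, new in REMOVED_PARAMS.items():
        if old in params:
            findings.append(f"'{old}' is unknown to testparm here; '{new}' is the 3.5 name")
    # every 'idmap config DOM : ...' domain needs a range, and it should not start at 0
    domains = {m.group(1) for m in (re.match(r"idmap config (\S+) : ", k) for k in params) if m}
    for dom in sorted(domains):
        rng = params.get(f"idmap config {dom} : range")
        if rng is None:
            findings.append(f"idmap config {dom} has no range; idmap_ad requires one")
            continue
        low, high = (int(x) for x in rng.split("-"))
        if low == 0:
            findings.append(f"idmap config {dom} : range starts at 0 and overlaps local root/system ids")
    if int(params.get("log level", "0").split()[0]) >= 10:
        findings.append("log level 10 is full debug; lower it once troubleshooting is done")
    return findings


if __name__ == "__main__":
    for finding in lint_idmap(parse_smb_conf(SMB_CONF)):
        print("-", finding)
```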