[Samba] Samba 3.4.8 idmap alloc broken - more details

Gaiseric Vandal gaiseric.vandal at gmail.com
Wed May 26 16:35:49 MDT 2010

This is a revision of an earlier post with some further results.

Some time back I upgraded a domain controller (Solaris 10) from samba
3.0.x  (bundled with Solaris ) to 3.4.5 (and then to 3.4.8) which I had 
compiled from source code.    I copied nsswitch and all the idmap modules.

In order to support interdomain trusts I am using winbind and idmap
allocation with a samba backend. Samba 3.0.x was not able to configure
trusts with Win 2003 or Win 2008 domains in Win 2003 mode. It was
able to configure trusts with Win 2003 domain in mixed (i.e. NT4
compatibility) mode. Samba does detect that the mixed-mode domain is
still Active Directory and not actually NT4.

The second problem with Samba 3.0.x was that it would initially
populate ldap with idmap entries, cache them locally and then, when the
cache period expired, it would not reload the mappings from ldap (in
fact they then seemed to get negatively cached).

Upgrading to samba 3.4.x fixed the following:
    - no more negative caching of idmap entries from ldap
    - can establish domain trusts with Win 2003 mode domains

However, idmap does not allocate new entries. (This is not a problem
for the mixed-mode domain since I have a samba 3.0.x server that can do
this.) For the other domains I can manually create an idmap entry
(either with the ldap editor or the wbinfo command if I temporarily change the
"ldap idmap suffix" parameter to the domain-specific ou). We don't
add or remove accounts that frequently. "wbinfo -u" can be a little
slow to respond, so increasing the "idmap cache time" and
"winbind cache time" from the default 300 seconds seems appropriate.

Unlike the samba 3.0.x machine, I don't see any idmap-specific or domain-specific log files.

Partial smb.conf file


client NTLMv2 auth = yes
client lanman auth = No
client plaintext auth = No

security = user
passdb backend = ldapsam:ldap://ldap1.domain.com

wins support = No
wins server = x.x.x.x

winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = no
winbind trusted domains only = no

idmap cache time = 14400
winbind cache time = 604800

ldap suffix=o=domain.com
ldap user suffix=ou=people
ldap machine suffix=ou=people
ldap admin dn="cn=Directory Manager"
ldap ssl = no
ldap passwd sync = no
ldap idmap suffix=ou=idmap

idmap backend=ldap:ldap://ldap1.domain.com
idmap uid = 70000-79999
idmap gid = 70000-79999

idmap alloc backend = ldap
idmap alloc config:ldap_url = ldap://ldap1.domain.com
idmap alloc config:ldap_base_dn = ou=alloc,ou=idmap,o=domain.com
idmap alloc config:ldap_user_dn = cn=Directory Manager
idmap alloc config:range = 30000 - 79999

#following is a Win 2003 domain in mixed mode
idmap config DOMA:backend = ldap
idmap config DOMA:readonly = no
idmap config DOMA:default=no
idmap config DOMA:ldap_base_dn = ou=doma,ou=idmap,o=domain.com
idmap config DOMA:ldap_user_dn = cn=Directory Manager
idmap config DOMA:ldap_url = ldap://ldap1.domain.com
idmap config DOMA:range = 30000-35999

#following is a Win 2008 domain in Win 2003 mode
idmap config DOMB:backend = ldap
idmap config DOMB:readonly = no
idmap config DOMB:default=no
idmap config DOMB:ldap_base_dn = ou=domb,ou=idmap,o=domain.com
idmap config DOMB:ldap_user_dn = cn=Directory Manager
idmap config DOMB:ldap_url = ldap://ldap1.domain.com
idmap config DOMB:range = 40000-45999

#following is a Win 2003 domain in Win 2003 mode
idmap config DOMC:backend = ldap
idmap config DOMC:readonly = no
idmap config DOMC:default=no
idmap config DOMC:ldap_base_dn = ou=domc,ou=idmap,o=domain.com
idmap config DOMC:ldap_user_dn = cn=Directory Manager
idmap config DOMC:ldap_url = ldap://ldap1.domain.com
idmap config DOMC:range = 50000-55999


The man pages indicate that the domain-specific id ranges must be within
the alloc range. The ou=alloc object in ldap does not include any
mappings but does have uid and gid parameters to track the next
available one.

With samba 3.0.x, running getent would populate idmap entries in the
domain-specific ou. The domain-specific id would be ignored.

Any thoughts on the allocation problem?
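The post quotes the man-page rule that every "idmap config DOM:range" must sit inside "idmap alloc config:range", and the smb.conf above carves three non-overlapping domain ranges out of the 30000-79999 alloc range. The script below is an added example (it is not from the post, from Samba, or from the mailing list) that reads those idmap lines and checks the two things that have to hold before troubleshooting allocation: each domain range is contained in the alloc range, and no two domain ranges overlap. It uses a simplified "key = value" reader rather than Samba's own parser; SAMPLE_SMB_CONF is constructed from the post's idmap lines, and BAD_SMB_CONF adds two hypothetical domains (DOMD, DOME) to show what a violation report looks like.

```python
import re
from typing import Dict, List, Optional, Tuple

Range = Tuple[int, int]

# Constructed sample: the idmap-related lines from the smb.conf quoted in the
# post above (other parameters omitted). Not Samba's own code or config.
SAMPLE_SMB_CONF = """
idmap uid = 70000-79999
idmap gid = 70000-79999
idmap alloc backend = ldap
idmap alloc config:range = 30000 - 79999
#following is a Win 2003 domain in mixed mode
idmap config DOMA:backend = ldap
idmap config DOMA:range = 30000-35999
#following is a Win 2008 domain in Win 2003 mode
idmap config DOMB:backend = ldap
idmap config DOMB:range = 40000-45999
#following is a Win 2003 domain in Win 2003 mode
idmap config DOMC:backend = ldap
idmap config DOMC:range = 50000-55999
"""

# Constructed counter-example with hypothetical domains DOMD and DOME:
# DOMD lies below the alloc range, DOME overlaps DOMB.
BAD_SMB_CONF = SAMPLE_SMB_CONF + """
idmap config DOMD:range = 25000-29999
idmap config DOME:range = 45000-46999
"""

_RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")
_DOMAIN_RANGE_RE = re.compile(r"^idmap config (\S+):range$", re.IGNORECASE)


def parse_range(value: str) -> Range:
    """Parse 'LOW-HIGH' (whitespace around the dash tolerated) into (low, high)."""
    m = _RANGE_RE.match(value.strip())
    if not m:
        raise ValueError(f"malformed idmap range: {value!r}")
    low, high = int(m.group(1)), int(m.group(2))
    if low > high:
        raise ValueError(f"idmap range low bound exceeds high bound: {value!r}")
    return low, high


def parse_idmap_ranges(conf: str) -> Tuple[Optional[Range], Dict[str, Range]]:
    """Return (alloc range or None, {DOMAIN: range}) from smb.conf text.

    Simplified smb.conf reading: one 'key = value' per line; a line starting
    with '#' or ';' is a comment. Sections and includes are ignored.
    """
    alloc: Optional[Range] = None
    domains: Dict[str, Range] = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() == "idmap alloc config:range":
            alloc = parse_range(value)
            continue
        m = _DOMAIN_RANGE_RE.match(key)
        if m:
            domains[m.group(1).upper()] = parse_range(value)
    return alloc, domains


def check_idmap_ranges(alloc: Optional[Range], domains: Dict[str, Range]) -> List[str]:
    """Check that every domain range is inside the alloc range and that no two
    domain ranges overlap. Returns human-readable findings (empty = consistent)."""
    findings: List[str] = []
    if alloc is None:
        findings.append("no 'idmap alloc config:range' configured")
    else:
        for dom, (low, high) in sorted(domains.items()):
            if low < alloc[0] or high > alloc[1]:
                findings.append(
                    f"{dom} range {low}-{high} lies outside alloc range {alloc[0]}-{alloc[1]}"
                )
    # Sort by low bound; for i < j the ranges overlap iff low_j <= high_i.
    ordered = sorted(domains.items(), key=lambda kv: kv[1][0])
    for i, (d1, (low1, high1)) in enumerate(ordered):
        for d2, (low2, high2) in ordered[i + 1:]:
            if low2 <= high1:
                findings.append(
                    f"{d1} range {low1}-{high1} overlaps {d2} range {low2}-{high2}"
                )
    return findings


def audit_idmap_config(conf: str) -> List[str]:
    """Parse and check in one step."""
    alloc, domains = parse_idmap_ranges(conf)
    return check_idmap_ranges(alloc, domains)


if __name__ == "__main__":
    for name, conf in (("post", SAMPLE_SMB_CONF), ("constructed bad", BAD_SMB_CONF)):
        findings = audit_idmap_config(conf)
        print(f"{name}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for f in findings:
            print("  -", f)
```

Run against the post's own ranges the audit comes back clean, which supports the poster's reading that the ranges themselves are not what stops allocation; the constructed variant reports one out-of-range domain and one overlapping pair.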

