[Samba] confusion and problem with Samba v3.3.8 as PDC with ldapsam backend

Alex Crow acrow at integrafin.co.uk
Tue Jan 18 14:39:39 MST 2011

On 18/01/11 21:08, Jon Detert wrote:
> On Tue, Jan 18, 2011 at 2:35 PM, Gaiseric Vandal
> <gaiseric.vandal at gmail.com>  wrote:
>> Nt- I don't use the "ldapsam:editposix" option myself, if I understand it correctly it means you don't have to precreate the underlying unix accounts.
> That is my understanding as well.  I've never used it before, however.

I've not tried it, I'm not even sure if it really works. Has anyone on 
the list used such a config in production?

>> However,  I believe you still need to do the following
>>     Create a samba Administrator account
>>     Create samba Domain Admins and Domain Users groups.
>>     Explicitly specify the uid or username for the "guest" user.
>>    Set ldap password for the idmap backend (net idmap secret thedomain  xxxx )
> the log messages tend to support this belief.

You can create them yourself, but if you want an easier life, see the 
end of this post (smbldap-tools)

>> "smbpasswd -w" sets the ldap password samba uses to access ldap for users and groups.
>> But idmap needs the ldap password set as well eg.

It doesn't. smbpasswd -w is sufficient.
> I don't understand that.  There is no separate idmap process, afaik.
> Why can't the 'idmap' functionality get the same ldap credentials that
> smbd and winbindd evidently get from the smb.conf and the secrets.tdb
> files?
>>         net idmap secret MYDOMAIN  xxxx
>>     net idmap secret alloc  xxxx

You do *not* need this if you are not using explicit idmap alloc, 
just the default idmap range. idmap alloc is apparently not working.

> In any case, I tried the above, and got the same error for both commands:
> "The only currently supported backend is LDAP"
> My smb.conf has a line expressly saying "idmap backend =
> ldap:ldap://localhost".   Does smbd have to be running before running
> the 'net idmap' commands?  If so, I'm screwed, cuz now that I fixed
> the 'out=IDmap' typo, smbd dies immediately after trying to start it.

You should leave the config as is.

smbd really should not die. Are you sure smbd is not still running? Did 
you join your own domain on the PDC (eg net rpc join -S localhost)?
> Ideas?
> Thanks,
> Jon

I think you need to use the smbldap-tools. Once configured correctly 
they will prepopulate your LDAP tree for you. There should be 
packages in the repos for most distros.



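An added example, not from the original thread and not Samba project code: a small shell check that reads an smb.conf in Samba 3.x syntax and reports whether the ldapsam/idmap settings discussed in this thread are present (passdb backend = ldapsam, the 3.3-style "idmap backend = ldap:ldap://host", and the "ldap admin dn" whose password "smbpasswd -w" stores). It also flags an explicit "idmap alloc backend", the one case in which a separate "net idmap secret alloc" password comes into play. The sample configuration, DN and ranges are constructed values for illustration; the script checks presence of settings only, not whether the LDAP tree is populated.

```shell
#!/bin/sh
# Added example, not code from the original thread or from the Samba project.
# check_smbconf reads an smb.conf (Samba 3.x syntax) and reports whether the
# ldapsam/idmap settings discussed in the thread are present:
#   - passdb backend must be ldapsam:...
#   - idmap backend should be present (3.3 style "idmap backend = ldap:ldap://host")
#   - ldap admin dn must be set (its password is what "smbpasswd -w" stores)
#   - ldap suffix must be set
# It also flags an explicit "idmap alloc backend", the only case in which a
# separate "net idmap secret alloc" password would apply.
# Key names and sample values are assumptions for illustration; the function
# only checks presence of settings, not whether the LDAP tree is populated.

check_smbconf() {
    conf="$1"
    status=0
    # Strip comments, trim surrounding whitespace, and normalise spacing
    # around every "=" so the patterns below match regardless of layout.
    norm=$(sed -e 's/[;#].*$//' \
               -e 's/^[[:space:]]*//' \
               -e 's/[[:space:]]*$//' \
               -e 's/[[:space:]]*=[[:space:]]*/ = /' "$conf")

    for key in "passdb backend" "idmap backend" "ldap admin dn" "ldap suffix"; do
        if ! printf '%s\n' "$norm" | grep -qi "^$key = "; then
            echo "missing: $key"
            status=1
        fi
    done

    if printf '%s\n' "$norm" | grep -qi '^passdb backend = ' &&
       ! printf '%s\n' "$norm" | grep -qi '^passdb backend = ldapsam'; then
        echo "passdb backend is set but is not ldapsam"
        status=1
    fi

    if printf '%s\n' "$norm" | grep -qi '^idmap alloc backend = '; then
        echo "note: explicit idmap alloc backend configured; net idmap secret alloc applies"
    fi

    return $status
}

# Constructed sample configuration (values are made up for the example).
sample=$(mktemp)
cat > "$sample" <<'EOF'
[global]
   workgroup = MYDOMAIN
   security = user
   domain logons = yes
   passdb backend = ldapsam:ldap://localhost
   idmap backend = ldap:ldap://localhost
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   ldap admin dn = cn=Manager,dc=example,dc=com
   ldap suffix = dc=example,dc=com
EOF

if check_smbconf "$sample"; then
    echo "ok: ldapsam/idmap settings present"
else
    echo "problems found; see messages above"
fi
rm -f "$sample"
```

Run it against your own smb.conf by calling check_smbconf /etc/samba/smb.conf after sourcing the script; a non-zero return means at least one of the listed settings is absent or passdb backend is not ldapsam.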
