[Samba] Winbind to use Windows ADS LDAP as IDMAP backend

David Roid dataroid at gmail.com
Thu Nov 17 04:04:04 MST 2011


Greetings list,

This sounds sort of twisted, but in essence Windows ADS has an LDAP
server too, so here is what I did, hoping it would work:

1. Install Utilities and SDK for UNIX-based Applications and Identity
Management for UNIX on Windows Server 2003, and create a new OU named "idmap".

2. Configure smb.conf as per Samba HOWTO chapter 14, "IDMAP storage in LDAP
using winbind":

        ldap admin dn = cn=administrator,cn=users,dc=mydom,dc=com
        ldap idmap suffix = ou=idmap
        ldap suffix = dc=mydom,dc=com
        idmap backend = ldap:"ldap://<my windows domain controller, also LDAP server>"
        idmap uid = 10000-1000000
        idmap gid = 10000-1000000

3. Join the domain, fine; run ldapsearch, fine; wbinfo -u, fine; wbinfo -g,
fine.

4. Problem: wbinfo -i <domain user> doesn't work; something is wrong with the
idmap allocator, see the log:

==> /var/log/messages <==
2011 Nov 17 18:48:47 winterfell_01 [err] winbindd[21121]: [2011/11/17 18:48:47.830454,  0] winbindd/idmap.c:201(smb_register_idmap_alloc)
2011 Nov 17 18:48:47 winterfell_01 [err] winbindd[21121]:   idmap_alloc module tdb already registered!
2011 Nov 17 18:48:47 winterfell_01 [err] winbindd[21121]: [2011/11/17 18:48:47.830566,  0] winbindd/idmap.c:149(smb_register_idmap)
2011 Nov 17 18:48:47 winterfell_01 [err] winbindd[21121]:   Idmap module passdb already registered!
2011 Nov 17 18:48:47 winterfell_01 [err] winbindd[21121]: [2011/11/17 18:48:47.830608,  0] winbindd/idmap.c:149(smb_register_idmap)
2011 Nov 17 18:48:47 winterfell_01 [err] winbindd[21121]:   Idmap module nss already registered!
2011 Nov 17 18:48:47 winterfell_01 [err] winbindd[21121]: [2011/11/17 18:48:47.833394,  0] winbindd/idmap.c:599(idmap_alloc_init)
2011 Nov 17 18:48:47 winterfell_01 [err] winbindd[21121]:   ERROR: Initialization failed for alloc backend, deferred!


So it looks like Samba/winbind can read from but cannot write to the Windows LDAP
backend, hence no domain user gets a UID. Is this so? Is there any way to
fix this?

P.S. I also tried OpenLDAP on Linux as the IDMAP backend; it works very smoothly
with Samba.

Cheers
-David
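Added example, not part of David's post or of Samba: a small Python parser for the syslog-wrapped winbindd debug lines quoted above. It pairs each Samba debug header (level, file:line(function)) with the indented message line that follows it, so a log monitor can tell the repeated "already registered" lines apart from the one line that reports the alloc backend failure. The sample log is constructed from the post's own lines; diagnose() is my own summary helper, not a Samba tool.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape winbindd logs via syslog at debug level 0:
# a header line (timestamp, level, file:line(function)), then an indented message line.
SAMPLE_LOG = """\
2011 Nov 17 18:48:47 winterfell_01 [err] winbindd[21121]: [2011/11/17 18:48:47.830454,  0] winbindd/idmap.c:201(smb_register_idmap_alloc)
2011 Nov 17 18:48:47 winterfell_01 [err] winbindd[21121]:   idmap_alloc module tdb already registered!
2011 Nov 17 18:48:47 winterfell_01 [err] winbindd[21121]: [2011/11/17 18:48:47.833394,  0] winbindd/idmap.c:599(idmap_alloc_init)
2011 Nov 17 18:48:47 winterfell_01 [err] winbindd[21121]:   ERROR: Initialization failed for alloc backend, deferred!
"""
# syslog prefix as written on this host, then whatever winbindd printed ("rest")
SYSLOG = re.compile(r"^(?P<ts>\d{4} \w{3} \d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
                    r"\[(?P<sev>\w+)\] winbindd\[(?P<pid>\d+)\]: (?P<rest>.*)$")
# Samba debug header: [YYYY/MM/DD HH:MM:SS.usec, level] file.c:line(function)
HEADER = re.compile(r"^\[(?P<stamp>[^,\]]+),\s*(?P<level>\d+)\] "
                    r"(?P<file>[^:\s]+):(?P<line>\d+)\((?P<func>\w+)\)$")

@dataclass
class DebugEvent:
    pid: int
    level: int
    source: str    # file:line(function) that emitted the message
    message: str

def parse_winbindd_log(text):
    """Pair each Samba debug header with the message line that follows it."""
    events = []
    pending = None
    for raw in text.splitlines():
        m = SYSLOG.match(raw)
        if not m:
            continue                      # not a winbindd line; ignore
        rest = m.group("rest")
        h = HEADER.match(rest)
        if h:                             # header: remember it, the message comes next
            pending = {"pid": int(m.group("pid")), "level": int(h.group("level")),
                       "source": f"{h.group('file')}:{h.group('line')}({h.group('func')})"}
        elif pending is not None:         # message line belonging to the last header
            events.append(DebugEvent(message=rest.strip(), **pending))
            pending = None
    return events

def diagnose(text):
    """Count the noisy 'already registered' lines and flag the alloc-backend failure."""
    events = parse_winbindd_log(text)
    return {
        "events": len(events),
        "already_registered": sum("already registered" in e.message for e in events),
        "alloc_init_failed": any(e.source.endswith("(idmap_alloc_init)")
                                 and "Initialization failed" in e.message for e in events),
    }
```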

