[Samba] idmap confusion

steve steve at steve-ss.com
Fri Aug 3 10:46:24 MDT 2012


On 03/08/12 13:39, Gémes Géza wrote:
> On 2012-08-03 13:07, steve wrote:
>> Three unfathomable questions:
>> 1.
>> What's the difference between:
>>
>> idmap_ldb : use rfc2307 = Yes
> It is a samba4 winbind setting, so you need it on the Samba4 AD
> controller only
>> and
>> idmap config * : backend = ad
> the correct form is:
> idmap config SOMEDOMAINNAME : backend =ad
>
> and instructs the winbind from the samba3 suite to look up the uids gids
> from AD for accounts in SOMEDOMAINNAME
>>
>> 2.
>> Do the terms in (1) above apply equally to Samba4 beta6 and Samba 3.6.3?
>>
>> 3.
>> If I specify either in (1) then
>> idmap config : range = abc-xyz
>> becomes meaningless.
> No. With idmap_ad you map all not specifically configured domains using:
> idmap backend = tdb
> idmap uid = some uninteresting range
> idmap gid = some uninteresting range
>
> then for each DOMAIN you want to get the idmap information from the AD,
> you specify:
> idmap config INTERESTINGDOMAIN1 : backend  = ad
> idmap config INTERESTINGDOMAIN1 : range = first range
>
> idmap config INTERESTINGDOMAIN2 : backend  = ad
> idmap config INTERESTINGDOMAIN2 : range = second range
>
> and so on.
>>
>> Cheers,
>> Steve
> Regards
>
> Geza

Hi Geza
On the Samba4 DC:
Despite having:
idmap config INTERESTINGDOMAIN1 : backend  = ad
idmap config INTERESTINGDOMAIN1 : range = first range

and with /etc/nsswitch.conf
passwd: compat winbind
group: compat winbind

getent passwd/group return _all_ objects with or without posixAccount 
uidNumber or posixGroup gidNumber.

I expected that with those settings, getent passwd would return only 
e.g. users with a uidNumber.

Maybe I have a tdb to clear somewhere?
Cheers,
Steve
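
An added example, not part of the original thread: a small Python check for the per-domain layout Geza describes. It parses `idmap config` lines and reports domains with no usable range and ranges that overlap, since two domains sharing IDs would let accounts from different domains resolve to the same UID/GID. The sample smb.conf text, its numeric ranges, the `*` default stanza and INTERESTINGDOMAIN3 are constructed, and the rule that ranges must be disjoint is an assumption of this check.

```python
import re
from itertools import combinations

# Matches "idmap config DOMAIN : option = value" lines from smb.conf.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*([\w ]+?)\s*=\s*(.*?)\s*$", re.I)

# Constructed sample, not taken from the thread.
SAMPLE = """
[global]
    idmap config * : backend = tdb
    idmap config * : range = 1000000-1999999
    idmap config INTERESTINGDOMAIN1 : backend  = ad
    idmap config INTERESTINGDOMAIN1 : range = 10000-49999
    idmap config INTERESTINGDOMAIN2 : backend  = ad
    idmap config INTERESTINGDOMAIN2 : range = 40000-99999
    idmap config INTERESTINGDOMAIN3 : backend  = ad
"""

def parse_idmap(conf_text):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            domains.setdefault(dom.upper(), {})[opt.lower()] = val
    return domains

def check_idmap(conf_text):
    """Return a list of problems: missing or invalid ranges, then overlaps."""
    problems, ranges = [], []
    for dom, opts in sorted(parse_idmap(conf_text).items()):
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", opts.get("range", ""))
        if not m or int(m.group(1)) > int(m.group(2)):
            problems.append(f"{dom}: no valid 'range = low-high'")
            continue
        ranges.append((int(m.group(1)), int(m.group(2)), dom))
    ranges.sort()
    # Compare every pair: a wide range can overlap several narrower ones.
    for (l1, h1, d1), (l2, h2, d2) in combinations(ranges, 2):
        if l2 <= h1:
            problems.append(f"{d1} and {d2}: ranges overlap")
    return problems

if __name__ == "__main__":
    for problem in check_idmap(SAMPLE):
        print(problem)
```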


