[Samba] idmap confusion

Gémes Géza geza at kzsdabas.hu
Fri Aug 3 13:54:48 MDT 2012


On 2012-08-03 18:46, steve wrote:
> On 03/08/12 13:39, Gémes Géza wrote:
>> On 2012-08-03 13:07, steve wrote:
>>> Three unfathomable questions:
>>> 1.
>>> What's the difference between:
>>>
>>> idmap_ldb : use rfc2307 = Yes
>> It is a samba4 winbind setting, so you need it on the Samba4 AD
>> controller only
>>> and
>>> idmap config * : backend = ad
>> the correct form is:
>> idmap config SOMEDOMAINNAME : backend =ad
>>
>> and instructs the winbind from the samba3 suite to look up the uids gids
>> from AD for accounts in SOMEDOMAINNAME
>>>
>>> 2.
>>> Do the terms in (1) above apply equally to Samba4 beta6 and Samba 
>>> 3.6.3?
>>>
>>> 3.
>>> If I specify either in (1) then
>>> idmap config : range = abc-xyz
>>> becomes meaningless.
>> No. With idmap_ad you map all not specifically configured domains using:
>> idmap backend = tdb
>> idmap uid = some uninteresting range
>> idmap gid = some uninteresting range
>>
>> then for each DOMAIN you want to get the idmap information from the AD,
>> you specify:
>> idmap config INTERESTINGDOMAIN1 : backend  = ad
>> idmap config INTERESTINGDOMAIN1 : range = first range
>>
>> idmap config INTERESTINGDOMAIN2 : backend  = ad
>> idmap config INTERESTINGDOMAIN2 : range = second range
>>
>> and so on.
>>>
>>> Cheers,
>>> Steve
>> Regards
>>
>> Geza
>
> Hi Geza
> On the Samba4 DC:
> Despite having:
> idmap config INTERESTINGDOMAIN1 : backend  = ad
> idmap config INTERESTINGDOMAIN1 : range = first range
>
No! You have misunderstood how things work currently.
On Samba4 those settings have NO meaning.
The only smb.conf setting which is meaningful for the samba4 winbind is 
that with rfc2307.
All the idmap_ad options have to be written in the samba3 clients' smb.conf.
> and with /etc/nsswitch.conf
> passwd: compat winbind
> group: compat winbind
>
> getent passwd/group return _all_ objects with or without posixAccount 
> uidNumber or posixGroup gidNumber.
>
> I expected that with those settings, getent passwd would return only 
> e.g. users with a uidNumber.
>
> Maybe I have a tdb to clear somewhere?
> Cheers,
> Steve
>
Regards

Geza
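
An added example, not part of the original thread: a small Python check for a samba3 client smb.conf that follows the layout described in the reply above (a default range, then one `backend = ad` block with its own range per named domain). The overlap check, the function names and the numeric ranges in the sample are assumptions made for illustration.

```python
import re
from itertools import combinations

# "idmap config DOMAIN : option = value" and the legacy "idmap uid/gid = lo-hi"
CONFIG_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
LEGACY_RE = re.compile(r"^\s*idmap\s+(uid|gid)\s*=\s*(.+?)\s*$", re.I)
RANGE_RE = re.compile(r"(\d+)\s*-\s*(\d+)")

def parse_idmap(conf_text):
    """Return {label: {option: value}} for the idmap lines of an smb.conf."""
    entries = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):  # smb.conf comment lines
            continue
        if m := CONFIG_RE.match(line):
            entries.setdefault(m[1].upper(), {})[m[2].lower()] = m[3]
        elif m := LEGACY_RE.match(line):
            entries[f"default {m[1].lower()}"] = {"range": m[2]}
    return entries

def check_idmap(conf_text):
    """Return findings for a samba3 client smb.conf (empty list = clean)."""
    findings, ranges = [], []
    for label, opts in sorted(parse_idmap(conf_text).items()):
        if label == "*" and opts.get("backend", "").lower() == "ad":
            findings.append("*: backend = ad needs an explicit domain name")
        m = RANGE_RE.fullmatch(opts.get("range", ""))
        if not m or int(m[1]) > int(m[2]):
            findings.append(f"{label}: missing or malformed range")
            continue
        ranges.append((int(m[1]), int(m[2]), label))
    # Sorted by lower bound, so two ranges overlap when the second starts early.
    for (_, hi1, a), (lo2, _, b) in combinations(sorted(ranges), 2):
        both_default = a.startswith("default") and b.startswith("default")
        if lo2 <= hi1 and not both_default:
            findings.append(f"{a} / {b}: ranges overlap")
    return findings

# Constructed sample: the numeric ranges are made up for illustration.
SAMPLE = """
idmap backend = tdb
idmap uid = 10000-19999
idmap gid = 10000-19999
idmap config INTERESTINGDOMAIN1 : backend = ad
idmap config INTERESTINGDOMAIN1 : range = 20000-29999
idmap config INTERESTINGDOMAIN2 : backend = ad
idmap config INTERESTINGDOMAIN2 : range = 25000-39999
"""
if __name__ == "__main__":
    print("\n".join(check_idmap(SAMPLE)))
```

Overlapping ranges matter because two different accounts can then resolve to the same uid or gid on the client, which makes file ownership and access checks ambiguous.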

