[Samba] Some Clarification?

Stuart Sheldon stu at actusa.net
Sat Apr 13 10:06:09 MDT 2013
Thanks for the response Andrew,

Using ad for my idmap sounds like what I'm looking for. I'm having
problems finding how I add the map ids to the AD manually for new users.
Could you direct me to some information regarding cli tools to do that?

Thanks Again,


On 04/12/2013 11:57 PM, Andrew Bartlett wrote:
> On Fri, 2013-04-12 at 08:40 -0700, Stuart Sheldon wrote:
>> Hi All,
>> I've been playing with Samba 4.0.x in the lab for about a week or so,
>> and have figured out a reasonable portion of the required settings to
>> also use the AD server as a Unix server. I do have some additional
>> questions regarding scaling that I have not found the answers to. I'm
>> hoping you good folks can steer me in the right direction, or confirm my
>> ideas of how this whole AD Controller thing works...
>> I'm using winbind for Unix authentication via PAM, and have configured
>> NSS to use winbind for passwd and group enumeration. Took me quite a
>> while to figure out that users would need to auth into kerberos before
>> winbind would return info to NSS. Someone might want to update the wiki
>> on that... 
> That doesn't sound right.  The user information can be obtained, but it
> certainly is faster and more effective when we have the PAC cached. 
>> I do have some questions though regarding winbind and idmaps
>> in 4.0.5:
>> We currently deploy OpenLDAP as our core user management platform. This
>> has allowed us to avoid the need for winbind and the whole 3.x issue of
>> idmaps varying between our Linux systems. I've been trying to figure out
>> if the whole idmap sync issue is solved in 4.0.x? Can I just use the
>> default smb.conf generated settings for winbind and idmap and still have
>> consistent mappings between different hosts? If not, how can I
>> accomplish this in 4.0.x?
> If you have an existing OpenLDAP system, and are using Samba 3.x, do you
> have an existing Samba 3.x 'classic' domain?
> If so, then the samba-tool domain classicupgrade command will import
> those existing id mappings into our AD database, and set the smb.conf
> option to use it. 
> You can then configure Samba winbind clients to also use that rfc2307
> configuration, using idmap_ad.  
> You will need to set any uid/gid values you wish to be consistent across
> your domain manually, as we do not have a distributed allocator for
> those.  Any values not set in the directory will be set in idmap.ldb on
> each DC, and may differ between DCs (and potentially clients). 
> I hope this clarifies things for you, or gives you somewhere to start
> your research. 
> Andrew Bartlett
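Andrew's reply above comes down to one rule: the only ids that are consistent across DCs and clients are the uidNumber/gidNumber values you set in the directory yourself, and the members then read them through idmap_ad. The script below is an added example for this thread, not Samba project code: it builds the LDIF that sets those rfc2307 attributes on a user, and before doing so checks the values against the range the members' idmap_ad configuration declares, because idmap_ad discards any uid or gid stored in AD that falls outside its configured range (the mapping then silently falls back to whatever the local allocator hands out, which is exactly the per-host drift being asked about). The domain DN, the `CN=Users` container, the sam.ldb path and the range bounds are placeholders to replace with your own.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba itself: generate an LDIF
# that sets rfc2307 uidNumber/gidNumber on an AD user, after checking that
# the ids fall inside the range the members' idmap_ad backend is
# authoritative for. Domain DN, container, sam.ldb path and range bounds
# below are assumed placeholders.

# Range the member servers' smb.conf declares for this domain, e.g.
#   idmap config EXAMPLE : backend     = ad
#   idmap config EXAMPLE : schema_mode = rfc2307
#   idmap config EXAMPLE : range       = 10000-99999
# Ids outside this range are ignored by idmap_ad, so they must match.
IDMAP_LOW=10000
IDMAP_HIGH=99999

# Placeholder base DN and container; replace with your domain's values.
BASE_DN="DC=example,DC=com"
USER_CONTAINER="CN=Users"

# in_range N: succeed only if N is a non-negative integer within the range.
in_range() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty or non-numeric input is rejected
    esac
    [ "$1" -ge "$IDMAP_LOW" ] && [ "$1" -le "$IDMAP_HIGH" ]
}

# rfc2307_ldif USER UID GID: print an LDIF modify record that sets
# uidNumber and gidNumber on the user object. "replace" creates the
# attribute when it is absent and overwrites it when it is present.
rfc2307_ldif() {
    user=$1; uid=$2; gid=$3
    in_range "$uid" || {
        echo "uidNumber '$uid' is outside idmap range $IDMAP_LOW-$IDMAP_HIGH" >&2
        return 1
    }
    in_range "$gid" || {
        echo "gidNumber '$gid' is outside idmap range $IDMAP_LOW-$IDMAP_HIGH" >&2
        return 1
    }
    printf '%s\n' \
        "dn: CN=$user,$USER_CONTAINER,$BASE_DN" \
        "changetype: modify" \
        "replace: uidNumber" \
        "uidNumber: $uid" \
        "-" \
        "replace: gidNumber" \
        "gidNumber: $gid" \
        "-"
}

# apply_rfc2307 USER UID GID: feed the record to ldbmodify on a DC.
# The sam.ldb path is the default for a source build; adjust to your prefix.
apply_rfc2307() {
    rfc2307_ldif "$@" | ldbmodify -H /usr/local/samba/private/sam.ldb
}

# Constructed sample run: print the LDIF for a made-up user.
rfc2307_ldif jdoe 12345 10001
```

The gidNumber on the user only names the primary group; for idmap_ad to resolve that group, the group object itself needs the same gidNumber set, so the same kind of record must be applied to the group. On the DC itself, which does not use idmap_ad, the rfc2307 attributes are honoured when `idmap_ldb:use rfc2307 = yes` is set in smb.conf (the setting classicupgrade enables); without it the DC allocates from idmap.ldb and the ids diverge from what the members see.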