[Samba] samba4 DC, internal winbind_server: external idmap problem

steve steve at steve-ss.com
Sat Dec 7 11:05:51 MST 2013

On Sat, 2013-12-07 at 17:57 +0400, Andy Igoshin wrote:
> Hi!
> I run samba 4.1.2 in DC mode. A win7 client joined this domain
> successfully.
> Now I try to configure external idmap.
> I would like it to use our existing ldap server:
> idmap config DOM : backend = rfc2307
> idmap config DOM : range = 1110000-1119999
> idmap config DOM : ldap_server = stand-alone
> idmap config DOM : ldap_url = ldap://ldap.domain.ru
> idmap config DOM : ldap_user_dn = uid=ldapmaster,cn=ldap.domain.ru
> idmap config DOM : bind_path_user = cn=dom.domain.ru
> idmap config DOM : bind_path_group = cn=dom.domain.ru
> idmap config DOM : cache time = 1800
> winbind nss info = rfc2307
Phew. I don't think that's gonna go. I'm assuming from this
configuration, you already have (perhaps an NT) domain but none of the
information in the same exists in your new AD provision. Did you
provision the domain from scratch? If not...

Maybe the best way to proceed is to use
 samba-tool domain classicupgrade
 on your existing ldap database. There's a howto here:

We see many here run into trouble trying to maintain an external second
idmap database in addition to AD. I strongly recommend storing your
existing rfc2307 attributes in the same database i.e. in AD, along with
all the other pertinent machine and user information. The classicupgrade
will get these across for you. 

> I created a user 'test2' in samba DC.
> In ldap.domain.ru there is the user uid=test2,cn=dom.domain.ru with
> these attributes:
> uidNumber = 1113535
> gidNumber = 1113535
> objectSid = S-1-5-21-1982177496-2241683161-2840224108-1106 (I got it
> from samba DC)
> When I run wbinfo to get the user's info I expect it to go to
> ldap.domain.ru, but it does not happen. It looks like wbinfo
> returns values from the internal automatic idmap.
> # wbinfo -S S-1-5-21-1982177496-2241683161-2840224108-1106
> 3000019
> # wbinfo -U 1113535
> S-1-22-1-1113535
> Do I misunderstand something?
> Is it possible to use idmap in such a mode?

OK, but remember that wbinfo isn't going to give a realistic view of
what the file system expects. E.g. does
 getent passwd test2
return anything realistic? What do you have for the passwd stanza
in /etc/nsswitch.conf?
We can get you there, but we don't have enough information on what you
have at the moment, especially where and what is stored in your ldap.
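An added example, not from the thread or from Samba itself, that does the kind of check the reply asks for: it parses the `idmap config ... : range` lines from an smb.conf fragment mirroring the original post and classifies the numbers wbinfo and getent hand back. It assumes that a Samba DC's built-in idmap.ldb allocator starts at xid 3000000 (which is where the 3000019 above came from) and that S-1-22-1-N is the "Unix Users" pseudo-domain SID winbind returns when it cannot map uid N to a domain SID.

```shell
#!/bin/sh
# Added example (not from the thread): classify what wbinfo / getent return
# against the idmap ranges configured in smb.conf.

# Constructed smb.conf fragment; the DOM values mirror the original post.
SMB_CONF='[global]
idmap config DOM : backend = rfc2307
idmap config DOM : range = 1110000-1119999
idmap config DOM : ldap_url = ldap://ldap.domain.ru
winbind nss info = rfc2307'

# Assumption: a Samba DC's built-in idmap.ldb allocates xids from 3000000.
INTERNAL_LOW=3000000

# Emit "DOMAIN low high" for each "idmap config X : range = low-high" line.
idmap_ranges() {
    printf '%s\n' "$SMB_CONF" | awk -F'[ \t]*[:=][ \t]*' '
        $1 ~ /^[ \t]*idmap config / && $2 == "range" {
            sub(/^[ \t]*idmap config[ \t]*/, "", $1)
            split($3, r, "-")
            print $1, r[1], r[2]
        }'
}

# Where does a numeric uid come from? Prints the matching idmap domain,
# "internal" for the DC's automatic allocator, or "unmapped".
uid_source() {
    idmap_ranges | awk -v uid="$1" -v ilow="$INTERNAL_LOW" '
        $2 + 0 <= uid + 0 && uid + 0 <= $3 + 0 { print $1; found = 1; exit }
        END { if (!found) print (uid + 0 >= ilow + 0) ? "internal" : "unmapped" }'
}

# Which namespace is a SID in? S-1-22-1-N is the "Unix Users" pseudo-domain,
# returned when winbind cannot map uid N back to a domain SID.
sid_source() {
    case $1 in
        S-1-22-1-*) echo "unix-users-fallback" ;;
        S-1-22-2-*) echo "unix-groups-fallback" ;;
        S-1-5-21-*) echo "domain-sid" ;;
        *)          echo "other" ;;
    esac
}

# Usage with the values from the thread (no running winbind needed).
# On a real host feed it: uid_source "$(getent passwd test2 | cut -d: -f3)"
echo "wbinfo -S ... -> 3000019 : $(uid_source 3000019)"
echo "expected rfc2307 uid 1113535 : $(uid_source 1113535)"
echo "wbinfo -U 1113535 -> S-1-22-1-1113535 : $(sid_source S-1-22-1-1113535)"
```

A uid reported as "internal" means the DC answered from its own idmap.ldb rather than the rfc2307 backend, and a "unix-users-fallback" SID means the reverse lookup never reached the domain at all.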
