[Samba] SUSE Linux 11.2 LDAP to AD

David Disseldorp ddiss at suse.de
Thu Jul 11 11:22:32 MDT 2013


[Removing from the Samba developer ML, this belongs on the user list]

On Thu, 11 Jul 2013 14:59:24 +0000
"Pavetto, David" <david.pavetto at hp.com> wrote:

> I did use the Yast to set this up and yes we are using winbind. Since I did use yast to set this up initially, is there anything I need to do to remove idmap_tdb, or will this just be completed within the samba.conf file? Just asking; I want to understand going forward, since we have a ton of servers to install and just want to script this out.

The conversion from idmap_tdb to idmap_ad can be done by changing
smb.conf. Remove any existing idmap parameters, then add idmap_ad
parameters based on your current environment, e.g. (from the man page):

[global]
	idmap config * : backend = tdb
	idmap config * : range = 1000000-1999999
	idmap config DOMAIN : backend = ad
	idmap config DOMAIN : range = 1000-999999

Changing the idmap backend on a running system is generally not a good
idea, as file ownership and ACLs may change for mapped users.

Idmap caches also need to be purged before restarting winbind. This
can be done by backing up /var/lib/samba/*, then deleting
winbindd_idmap.tdb and gencache.tdb. nscd should also be disabled.

One final caveat: Samba 3.6 idmap_ad uses the rfc2307 gidNumber
attribute assigned to the groups of which a user is a member. It ignores
the gidNumber attribute explicitly assigned to user objects.

Cheers, David
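Since the original question was about scripting the change across many servers, here is the two-step procedure from the reply (rewrite the idmap parameters in smb.conf, back up the state directory, then delete the two idmap cache files) as an added POSIX shell example. It is not code from the list post or from the Samba project; the smb.conf path, the state directory, the backup location and the domain short name DOMAIN are placeholders, and stopping winbind and nscd around the purge is left to the operator.

```shell
#!/bin/sh
# Added example (not from the Samba list post): scripted form of the
# idmap_tdb -> idmap_ad conversion described in the reply.
# Assumptions: DOMAIN, /etc/samba/smb.conf, /var/lib/samba and the backup
# path are placeholders; winbind must already be stopped when purging.

# rewrite_idmap_config CONF DOMAIN
#   Drops every existing idmap parameter (old-style "idmap backend/uid/gid"
#   and new-style "idmap config ...") and inserts the idmap_ad block from
#   the reply directly under [global], so it cannot land in a share section.
#   Running it twice leaves exactly one copy of each parameter.
rewrite_idmap_config() {
    conf="$1"
    domain="$2"
    tmp="${conf}.tmp.$$"
    awk -v dom="$domain" '
        # remove any line that sets an idmap parameter, whatever its form
        tolower($0) ~ /^[ \t]*idmap[ \t]+(config|backend|uid|gid)/ { next }
        { print }
        # immediately after the [global] header, emit the idmap_ad settings
        /^[ \t]*\[global\][ \t]*$/ {
            print "\tidmap config * : backend = tdb"
            print "\tidmap config * : range = 1000000-1999999"
            print "\tidmap config " dom " : backend = ad"
            print "\tidmap config " dom " : range = 1000-999999"
        }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# idmap_uses_ad CONF DOMAIN
#   Pre-flight check before restarting winbind: succeeds only when DOMAIN is
#   mapped through idmap_ad and no legacy idmap parameter survives.
idmap_uses_ad() {
    grep -q "^[[:space:]]*idmap config $2 : backend = ad" "$1" &&
    ! grep -q -i -E '^[[:space:]]*idmap[[:space:]]+(backend|uid|gid)' "$1"
}

# purge_idmap_caches SAMBA_DIR BACKUP_DIR
#   Copies the whole state directory to BACKUP_DIR first (the backup the
#   reply asks for), then deletes winbindd_idmap.tdb and gencache.tdb only;
#   everything else (secrets.tdb etc.) is left in place.
purge_idmap_caches() {
    samba_dir="$1"
    backup_dir="$2"
    mkdir -p "$backup_dir"
    cp -R -p "$samba_dir/." "$backup_dir/"
    rm -f "$samba_dir/winbindd_idmap.tdb" "$samba_dir/gencache.tdb"
}

# Usage on a host (as root, with winbind stopped), placeholders as noted:
#   rewrite_idmap_config /etc/samba/smb.conf DOMAIN
#   idmap_uses_ad /etc/samba/smb.conf DOMAIN || exit 1
#   purge_idmap_caches /var/lib/samba /root/samba-backup-$(date +%F)
#   then disable nscd and start winbind again.
```

Keep the backup until file ownership on the converted hosts has been checked, since (as the reply warns) the uid/gid values handed out by idmap_ad will generally differ from the ones idmap_tdb allocated.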

