[Samba] Samba (4.1.17) ldap backend create user failed

basti mailinglist at unix-solution.de
Wed Apr 6 14:23:14 UTC 2016


Hello, I have upgraded my Samba PDC from 3.xx (Debian lenny) to 4.1 (Debian jessie).
LDAP and the Samba shares all work fine.

When I try to add a user, I get the following:

smbpasswd -a foobar
New SMB password:
Retype new SMB password:
ldapsam_create_user: Unable to allocate a new user id: bailing out!
Failed to add entry for user foobar.

I found this workaround:
https://lists.samba.org/archive/samba/2009-October/151528.html

but testparm says:

WARNING: The "idmap backend" option is deprecated
Unknown parameter encountered: "idmap alloc backend"
Ignoring unknown parameter "idmap alloc backend"


smbd -V
Version 4.1.17-Debian

egrep -v "(^#|^$|^;)" /etc/samba/smb.conf
[global]
   workgroup = foo
   dns proxy = no
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
os level = 255
preferred master = yes
domain master = yes
local master = yes

vfs object = recycle
recycle:repository = /home/samba/Papierkorb/%U
recycle:keeptree = yes
recycle:exclude = *.tmp *.temp *.swp
recycle:exclude_dir = /tmp /temp
recycle:touch = yes

server role = classic primary domain controller
encrypt passwords = true
passdb backend = ldapsam:ldapi:///
ldapsam:trusted=yes
ldapsam:editposix=yes
ldap admin dn = cn=admin,dc=foo
ldap group suffix = ou=Groups
ldap machine suffix = ou=Machines
ldap user suffix = ou=Users
ldap suffix = dc=foo
ldap ssl = off
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n
*Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes
   map to guest = bad user
   domain logons = yes
   logon path =
   logon script = login.bat
admin users = root, Administrator, @Domain Admins, admin
   ;idmap uid = 10000-20000
   ;idmap gid = 10000-20000
   ;template shell = /bin/bash

   idmap alloc config:ldap_base_dn = ou=idmap,dc=foo
   idmap alloc config:ldap_user_dn = cn=admin,dc=foo
   idmap alloc config:ldap_url = ldapi:///
   usershare allow guests = yes

[homes]
   comment = Home Directories
   browseable = no
   read only = yes
   create mask = 0700
   directory mask = 0700
   valid users = %S

[netlogon]
   comment = Network Logon Service
   path = /home/samba/netlogon
   guest ok = yes
   read only = yes

[printers]
   comment = All Printers
   browseable = no
   path = /var/spool/samba
   printable = yes
   guest ok = no
   read only = yes
   create mask = 0700

[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no

I want to use a Samba NT4-style domain, not AD.
Thanks for any help.

Best Regards, Basti


P.S. smbldap-tools also works fine.



