[Samba] What is the equivalent of net idmap secret in samba 4.2 ?

Mark Cooke M.P.COOKE at bham.ac.uk
Thu Feb 4 12:29:36 UTC 2016

Hi all,

Isn’t it always the way that you find what you need after posting a question:

   net idmap set secret ‘*’ password



From: Mark Cooke
Sent: 04 February 2016 11:43
To: 'samba at lists.samba.org'
Subject: What is the equivalent of net idmap secret in samba 4.2 ?

Hi Everyone,

The documented command in net(8) for setting the LDAP password appears to have gone away in the refactoring between samba 4.1 and 4.2:

# net idmap secret * password
Invalid command: net idmap secret

Does someone have a pointer to a method to set the ldap auth credentials with samba 4.2?


Domain member server 1 – originally setup using SL7.0, samba 4.1, hosting the ldap server, winbind, bound to AD, net idmap secret * worked fine:

# yum install samba-winbind samba-winbind-clients pam_krb5

# authconfig --enablekrb5 --krbkdc=dc.domain --krb5adminserver=dc.domain --krb5realm=REALM --enablewinbind --enablewinbindauth --smbsecurity=ads --smbrealm=REALM --smbservers=dc.domain --smbworkgroup=WORKGROUP --winbindtemplatehomedir=/path /%U --winbindtemplateshell=/bin/bash --enablewinbindusedefaultdomain --update

# net ads join –U account

Updated the winbind related settings in /etc/samba/smb.conf for ldap backend (see below), and set the idmap LDAP password using: net idmap secret '*' password.

The same process fails on the new server, which is a fully patched Scientific Linux 7.1.  Comparing samba package versions shows that SL7.0 shipped with samba 4.1 and SL7.1 is currently using samba 4.2.

I then went back to the existing domain member server, and as it is fully patched and running samba 4.2, ‘net idmap’ is failing in the same way as the new server.

I have also tried using ‘smbpassword –W’ but that says ldap admin dn isn’t defined.

As I haven’t been able to set the credentials, my log.winbindd-idmap is showing:

[2016/02/04 10:13:06.731517,  0] ../source3/winbindd/idmap_ldap.c:95(get_credentials)
  get_credentials: Unable to fetch auth credentials for cn=Manager,ou=idmap in *


   workgroup = WORKGROUP
   password server = dc.domain
   realm = REALM
   security = ads
   idmap config * : range = 16777216-33554431
   template homedir = /path/%U
   template shell = /bin/bash
   kerberos method = secrets only
   winbind use default domain = true
   winbind offline logon = false

   idmap config * : backend             = ldap
   idmap config * : ldap_url            = ldaps://ldap-server/
   idmap config * : ldap_base_dn        = ou=idmap
   idmap config * : ldap_user_dn        = cn=Manager,ou=idmap

   winbind use default domain           = yes
   winbind enum users                   = yes
   winbind enum groups                  = yes
   winbind nested groups                = yes
   winbind offline logon                = yes
   winbind cache time                   = 600
   winbind expand groups                = 5

        server string = Samba Server Version %v
        max protocol = SMB2
        passdb backend = tdbsam
        load printers = yes
        cups options = raw

# rpm -qa | grep samba | sort

I could go back and install SL7.0, do the samba setup, set the credentials and then update, but that would still leave me with an issue if I needed to change the LDAP password at a future point.

Thanks for any help!



The contents of this email may be privileged and are confidential. It may not be disclosed by, or used, or copied in any way by anyone other than the addressee. If received in error, please notify the sender then delete it from your system. Should you communicate with the sender by email, you consent to The University of Birmingham monitoring and reading any such correspondence.

More information about the samba mailing list