[Samba] IDMAP Cache

Meike Stone meike.stone at googlemail.com
Mon Jun 25 08:34:03 UTC 2018


Hello dear list,

can someone help me?

The manual page clearly states:
"The idmap backend provides a plugin interface for *Winbind* to use
varying backends to store SID/uid/gid mapping tables." and
"ID mapping in Samba is the mapping between Windows SIDs and Unix user
and group IDs. This is performed by *Winbindd* with a configurable
plugin interface."

So that's the reason why I said "No winbind is running." (on my server)

So that can explain why Samba 3 is asking the LDAP-Server often, but
why is Samba 4 using the cache without winbind?

my configuration (testparm -v -s | grep idmap):
        ldap idmap suffix =
        idmap backend = tdb
        idmap cache time = 604800
        idmap negative cache time = 120
        idmap uid =
        idmap gid =
        idmap config * : backend = tdb

Thanks in advance
Meike

2018-06-22 13:40 GMT+02:00 Meike Stone <meike.stone at googlemail.com>:
> Hello dear list,
>
> I have a Samba 3 server running (under SLES11) connected to an
> LDAP-Server and it is running well.
> But now I would like to migrate to Samba 4 and I've made a few tests before.
>
> The whole time with Samba 3, I was surprised about the many LDAP requests, so
> that I thought about an additional local OpenLDAP proxy cache.
>
> But now with Samba 4 (with the same configuration as Samba 3,
> SLES12) the IDMAP requests are cached in a local tdb (gencache.tdb).
>
> I can check the local cache with "net cache list". While the list on Samba 3 is
> empty, with Samba 4 there are a lot of IDMAP entries.
>
> No winbind is running.
>
> My questions:
>     - Is this cache configurable (TTL, ...)? I've found nothing.
>     - Does the cache configuration and functional principle
>       differ between Samba 3 and 4?
>     - How to debug this?
>     - Why is only the cache under Samba 4 working?
>
>
> Thanks Meike
> ===============================================
> my configuration (same for Samba 3 and 4):
>
> [global]
>           workgroup = Samba
>           map to guest = Bad User
>           security = user
>           server string = Server1
>           max protocol = SMB2
>           deadtime = 600
>
>           load printers = no
>           printcap name = /dev/null
>           disable spoolss = yes
>
>           ldap admin dn = uid=sambauser,o=some,c=domain
>           passdb backend = ldapsam:"ldap://ldap01.some.domain"
>
>           ldap suffix = cn=samba,o=some,c=domain
>           ldap user suffix = cn=accounts
>           ldap group suffix = cn=groups
>           ldap passwd sync = No
>
>           log level = 255
>           syslog = 0
>
> [share1]
>         path = /daten/share1
>         comment = share1
>         writeable = yes
>         browseable = no
>         nt acl support = no
>         inherit permissions = yes
>         store dos attributes = yes
>         csc policy = disable


