These are the settings I use:

[global]
workgroup = TESTDOM
encrypt passwords = true
passdb backend = ldapsam:ldapi:///
domain logons = yes
ldapsam:trusted=yes
ldapsam:editposix=yes
restrict anonymous = 0
log level = 10
log file = /var/log/samba
ldap admin dn = cn=admin,dc=samba,dc=org
ldap delete dn = yes
ldap passwd sync = yes
ldap group suffix = ou=groups
ldap machine suffix = ou=computers
ldap user suffix = ou=users
ldap suffix = dc=samba,dc=org
ldap ssl = off
logon path =
template homedir = /home/%U
template shell = /bin/bash
idmap backend = ldap:ldapi:///
idmap uid = 1000000-1999999
idmap gid = 1000000-1999999
idmap alloc backend = ldap
idmap alloc config : ldap_url = ldapi:///
idmap alloc config : ldap_base_dn = ou=idmap,dc=samba,dc=org
idmap alloc config : ldap_user_dn = cn=admin,dc=samba,dc=org

Don't forget

net idmap secret alloc "password"

The docs should probably be updated.

On Sun, 6 Sep 2009 21:16:59 +0200, "Zeller, Jan" <[email protected]> wrote:
> Dear list,
>
> I had some problems with "net sam provision" using samba 3.4.0
> I followed the instructions described on
> http://wiki.samba.org/index.php/Ldapsam_Editposix and those published by iX
> 4-6/2008 (www.ix.de)
> but the result of "net sam provision" was always :
>
> # bin/net sam provision
> Checking for Domain Users group.
> Adding the Domain Users group.
> Unable to allocate a new gid to create Domain Users group!
> Checking for Domain Admins group.
> Adding the Domain Admins group.
> Unable to allocate a new gid to create Domain Admins group!
> Check for Administrator account.
> Adding the Administrator user.
> Can't create Administrator user, Domain Admins group not available!
>
> The "only configuration" which is working under 3.4.0 regarding "net sam
> provision" seems to be :
>
> [global]
> workgroup = MYDOM
> netbios name =
> passdb backend = ldapsam:ldap://yoda.home.lan
> ldap admin dn = cn=ldapadm,o=it,dc=home,dc=lan
> ldap suffix = o=it,dc=home,dc=lan
> ldap ssl = no
> idmap alloc backend = ldap
> idmap uid = 10000-19999
> idmap gid = 10000-19999
> idmap config MYDOM : range = 20000-29999
> idmap config MYDOM : backend = ldap
> idmap alloc config:ldap_url = ldap://yoda.home.lan
> idmap alloc config:ldap_user_dn = cn=ldapadm,o=it,dc=home,dc=lan
> idmap alloc config:ldap_base_dn = o=it,dc=home,dc=lan
> ldapsam:editposix = yes
> ldapsam:trusted = yes
>
> If I omit
> idmap uid =
> idmap gid =
> I obtain the error message mentioned above.
>
> The only info I get about that problem is from :
> Michael Adam (Samba Team, SerNet): ID Mapping Re-Revisited (sambaxp.org)
>
> "idmap domains" seem to be obsolete.
> testparm always complains about :
> Unknown parameter encountered: "idmap domains"
> Ignoring unknown parameter "idmap domains"
>
> Honestly I don't understand the difference between "idmap alloc backend = "
> and "idmap backend = "
>
> idmap alloc backend (G)
> The idmap alloc backend provides a plugin interface for Winbind to use when
> allocating Unix uids/gids for Windows SIDs.
> This option is to be used in conjunction with the idmap domains parameter
> and refers to the name of the idmap module which will provide the id
> allocation functionality.
>
> idmap backend (G)
> The idmap backend provides a plugin interface for Winbind to use varying
> backends to store SID/uid/gid mapping
> tables. This option is mutually exclusive with the newer and more flexible
> idmap domains parameter. The main
> difference between the "idmap backend" and the "idmap domains" is that the
> former only allows one backend for all
> domains while the latter supports configuring backends on a per domain
> basis.
>
> Quite confusing for people like me ...
>
> kind regards,
>
> Jan
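
A pre-flight check for the two problems reported in this thread (missing "idmap uid"/"idmap gid" ranges with ldapsam:editposix, and the unknown "idmap domains" parameter), added here as an example and not part of either poster's message. The function names and the sample text are hypothetical, and the check for ldap:// URLs combined with "ldap ssl" off or no goes beyond what the thread discusses.

```python
import re

# Constructed sample: the configuration quoted in the thread with the
# "idmap uid"/"idmap gid" lines left out and "idmap domains" added.
SAMPLE = """\
[global]
workgroup = MYDOM
passdb backend = ldapsam:ldap://yoda.home.lan
ldap ssl = no
idmap alloc backend = ldap
idmap alloc config:ldap_url = ldap://yoda.home.lan
idmap domains = MYDOM
ldapsam:editposix = yes
"""

def parse_global(text):
    """Return [global] parameters keyed by lower-cased, whitespace-normalised name."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            key = " ".join(key.lower().split())
            params[re.sub(r"\s*:\s*", ":", key)] = value.strip()
    return params

def preflight(text):
    """List findings to resolve before running "net sam provision"."""
    p, findings = parse_global(text), []
    if p.get("ldapsam:editposix", "").lower() in ("yes", "true", "1"):
        for key in ("idmap uid", "idmap gid"):
            if not p.get(key):  # the thread reports "Unable to allocate a new gid"
                findings.append(f"'{key}' range is not set")
    if "idmap domains" in p:  # testparm: Unknown parameter encountered
        findings.append("'idmap domains' is not a known parameter")
    if p.get("ldap ssl", "").lower() in ("off", "no"):
        for key in ("passdb backend", "idmap backend", "idmap alloc config:ldap_url"):
            if "ldap://" in p.get(key, ""):  # ldapi:// is a local socket, not flagged
                findings.append(f"'{key}': ldap:// with 'ldap ssl' off is unencrypted")
    return findings

if __name__ == "__main__":
    for finding in preflight(SAMPLE):
        print("WARN:", finding)
```

The relevant settings from the first configuration in this thread (ldapi:/// URLs, both ranges set) produce no findings.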
