> That looks like a very useful information. I am using 3.2.8 as well.
> Will you please elaborate a bit on upgrading schema ?
>

First question: are your Domain Controllers using Samba? If not, the rest of this probably won't work (never used an AD domain myself).

On Gentoo emerging the latest samba provided me with the latest schema too. Interestingly on Debian the one I got wasn't correct when I upgraded, so I copied the one over from the Gentoo boxes (although someone at work said I should have looked in /usr/share/doc/samba/something). The only file needed is samba.schema. I guess to be sure you could just download the appropriate samba release and pull it from there to put in the schema dir.

> Following is what my idmap config.
>
>
> idmap domains = default, DOMAIN1, DOMAIN2, DOMAIN3
> idmap uid = 1000 - 299999
> idmap gid = 1000 - 299999
> idmap config DOMAIN1:range = 100000 - 199999
> idmap config DOMAIN1:backend = rid
> idmap config DOMAIN3:range = 1000 - 99999
> idmap config DOMAIN3:backend = rid
> idmap config DOMAIN2:range = 200000 - 299999
> idmap config DOMAIN2:backend = rid
> idmap config default:default = Yes
>
>

I see you're doing it the "new way" (and using RID not LDAP for IDMAP mappings). I'm still using the old syntax with LDAP thusly:

    idmap backend = ldap:ldap://127.0.0.1
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind nested groups = yes
    winbind trusted domains only = yes
    winbind use default domain = no
    winbind enum users = yes
    winbind enum groups = yes
    allow trusted domains = yes

That's on the PDC, all other servers should be pointed to the PDC's (or whatever master LDAP server you have) real ip address for IDMAP. Should be no prob. to update this to the new syntax.

Did you also populate your LDAP directory with the bare IDMAP ou? You can find the required LDIF in the "By Example" docs on samba.org.

I find that with this setting all of my trusted domains work fine.
I noticed if you do "winbind use default domain = yes" then you get all the local domain stuff in the IDMAP ou, which seems as if it could cause problems (although it never seems to when I've set that by accident). If you use the new syntax then you will probably avoid this issue.

Cheers

Alex
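
Added example, not part of the original message and not Samba's own code: a small Python check that the per-domain "idmap config DOMAIN:range" lines quoted above do not overlap, since two trusted domains sharing part of a range would map different accounts to the same Unix ID. The function names and the BROKEN_CONF sample are constructed for illustration.

```python
import re
from itertools import combinations

# Matches lines such as "idmap config DOMAIN1:range = 100000 - 199999"
RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+([^:\s]+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
    re.IGNORECASE,
)

# The idmap lines quoted in the message above.
QUOTED_CONF = """
idmap domains = default, DOMAIN1, DOMAIN2, DOMAIN3
idmap uid = 1000 - 299999
idmap gid = 1000 - 299999
idmap config DOMAIN1:range = 100000 - 199999
idmap config DOMAIN1:backend = rid
idmap config DOMAIN3:range = 1000 - 99999
idmap config DOMAIN3:backend = rid
idmap config DOMAIN2:range = 200000 - 299999
idmap config DOMAIN2:backend = rid
idmap config default:default = Yes
"""

# Constructed variant: DOMAIN3's upper bound is off by one and touches DOMAIN1.
BROKEN_CONF = QUOTED_CONF.replace("DOMAIN3:range = 1000 - 99999",
                                  "DOMAIN3:range = 1000 - 100000")

def parse_ranges(conf_text):
    """Return {domain: (low, high)} for every 'idmap config DOM:range' line."""
    ranges = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):   # smb.conf comment lines
            continue
        m = RANGE_RE.match(line)
        if not m:
            continue
        low, high = int(m.group(2)), int(m.group(3))
        if low > high:
            raise ValueError(f"inverted range for {m.group(1)}: {low}-{high}")
        ranges[m.group(1).upper()] = (low, high)
    return ranges

def find_overlaps(ranges):
    """Return [(dom_a, dom_b, first_shared_id, last_shared_id), ...]."""
    clashes = []
    for (a, (alo, ahi)), (b, (blo, bhi)) in combinations(sorted(ranges.items()), 2):
        lo, hi = max(alo, blo), min(ahi, bhi)
        if lo <= hi:                               # ranges are inclusive
            clashes.append((a, b, lo, hi))
    return clashes

if __name__ == "__main__":
    for name, conf in (("quoted", QUOTED_CONF), ("broken", BROKEN_CONF)):
        print(name, find_overlaps(parse_ranges(conf)) or "no overlapping ranges")
```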
