On 02/24/2011 06:49 AM, Mark Dieterich wrote:
> Associated question...
>
> When I perform the following lookup on a member server:
>
>> [root]# wbinfo -S S-1-5-21-2830206405-3223145701-231191277-7214
>> Could not convert sid S-1-5-21-2830206405-3223145701-231191277-7214 to uid
>
> When the result is not cached on the machine doing the lookup (which by
> the way I can't keep it from caching results even when I toss the "-n"
> flag on winbindd), I see traffic between the member server and PDC.
> Good. The PDC has access to all the information it needs to resolve
> this query, it's all contained within a user/group entry in LDAP.
> However, I can see no evidence it is trying to resolve this. If idmap
> is the portion responsible for this resolution, doesn't it make sense
> that I should be running idmap_ldap on the PDC?
>
> I've been looking over the LDAP schema and it has the following:
>
> objectclass ( 1.3.6.1.4.1.7165.2.2.8 NAME 'sambaIdmapEntry' SUP top AUXILIARY
>     DESC 'Mapping from a SID to an ID'
>     MUST ( sambaSID )
>     MAY ( uidNumber $ gidNumber ) )
>
> which I do NOT have defined in our LDAP db. I'm planning to just toss
> this in to see whether it helps, but still don't fully understand where
> the idmap_ldap stuff should be defined...
>
> Sorry the pieces just aren't falling into place. Hopefully, I'm not the
> only one struggling with this and the resulting discussions can someday
> help others.
>
> Mark
As mentioned in my previous response, it is best to let smbd (via the idmap handler) automatically create these entries as they are needed. Using nss_ldap to share a common mapping across all domain member servers is a "good thing"(tm).

- John T.

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
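The thread turns on what a sambaIdmapEntry record must contain for a SID lookup to succeed and why sharing one mapping store across member servers matters. The following is an added example, not code from the thread or from Samba: it parses a small LDIF export of idmap entries and checks them against the schema quoted above (sambaSID is MUST, uidNumber/gidNumber are MAY), flags IDs outside a configured idmap range, and reports Unix IDs claimed by more than one SID, which is the case a defender cares about because two domain identities would then collapse onto one local account. The LDIF, the uid/gid values and the 10000-20000 range are constructed for illustration; the sambaSidEntry structural class is assumed from Samba's schema, and only the SID from the thread is taken from the page.

```python
"""Consistency checker for sambaIdmapEntry records (added example, constructed data)."""
import re
from collections import defaultdict

# Constructed sample export. The first SID is the one queried in the thread;
# every uid/gid value here is invented, and the fourth entry is deliberately broken.
SAMPLE_LDIF = """\
dn: sambaSID=S-1-5-21-2830206405-3223145701-231191277-7214,ou=Idmap,dc=example,dc=com
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
sambaSID: S-1-5-21-2830206405-3223145701-231191277-7214
uidNumber: 10001

dn: sambaSID=S-1-5-21-2830206405-3223145701-231191277-513,ou=Idmap,dc=example,dc=com
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
sambaSID: S-1-5-21-2830206405-3223145701-231191277-513
gidNumber: 10000

dn: sambaSID=S-1-5-21-2830206405-3223145701-231191277-7300,ou=Idmap,dc=example,dc=com
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
sambaSID: S-1-5-21-2830206405-3223145701-231191277-7300
uidNumber: 10001

dn: cn=broken,ou=Idmap,dc=example,dc=com
objectClass: sambaIdmapEntry
uidNumber: 99999
"""

SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")


def parse_ldif(text):
    """Parse minimal LDIF (blank-line separated entries, RFC 2849 line folding)
    into a list of {attribute: [values]} dicts. Base64 ('::') values are not handled."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # continuation of the previous line
        else:
            unfolded.append(line)
    entries, current = [], None
    for line in unfolded:
        if not line.strip():
            if current:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if current is None:
            current = defaultdict(list)
        current[attr.strip()].append(value.strip())
    if current:
        entries.append(current)
    return entries


def check_idmap(entries, id_range=(10000, 20000)):
    """Return (mapping, problems). mapping: sid -> ('uid'|'gid', number).
    problems: human-readable findings a winbind lookup would trip over."""
    low, high = id_range
    mapping, problems = {}, []
    owners = defaultdict(list)                # ('uid', 10001) -> [sid, ...]
    for e in entries:
        dn = e.get("dn", ["<no dn>"])[0]
        if "sambaIdmapEntry" not in e.get("objectClass", []):
            continue
        sids = e.get("sambaSID", [])
        if len(sids) != 1 or not SID_RE.match(sids[0]):
            problems.append(f"{dn}: missing or malformed sambaSID (schema MUST)")
            continue
        sid = sids[0]
        ids = [(k, int(v)) for k in ("uidNumber", "gidNumber") for v in e.get(k, [])]
        if not ids:
            problems.append(f"{dn}: neither uidNumber nor gidNumber, SID lookup would fail")
            continue
        if len(ids) > 1:
            problems.append(f"{dn}: ambiguous, entry carries more than one Unix ID")
            continue
        kind = "uid" if ids[0][0] == "uidNumber" else "gid"
        num = ids[0][1]
        if not low <= num <= high:
            problems.append(f"{dn}: {kind} {num} outside idmap range {low}-{high}")
        mapping[sid] = (kind, num)
        owners[(kind, num)].append(sid)
    for (kind, num), claimants in owners.items():
        if len(claimants) > 1:
            problems.append(f"{kind} {num} is claimed by {len(claimants)} SIDs: {', '.join(claimants)}")
    return mapping, problems


def resolve_sid(mapping, sid):
    """Mimic 'wbinfo -S': return the uid mapped to a SID, or None if there is none
    (group SIDs mapped only to a gid also return None, as wbinfo -S would fail)."""
    entry = mapping.get(sid)
    return entry[1] if entry and entry[0] == "uid" else None


if __name__ == "__main__":
    mapping, problems = check_idmap(parse_ldif(SAMPLE_LDIF))
    for sid, (kind, num) in sorted(mapping.items()):
        print(f"{sid} -> {kind} {num}")
    for p in problems:
        print("PROBLEM:", p)
```

Run against a real export (for example the output of an ldapsearch over the idmap suffix saved to a file) the same checks show whether a failing `wbinfo -S` is caused by a missing entry, an entry without a Unix ID, or an ID range mismatch, and whether any two SIDs have been allocated the same uid or gid across the member servers that share the store.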
