The problem with idmap_ldap backend is that it requires an additional ldap server to be running, possibly more than one for redundancy purposes, which makes administration and managing of services a bit complex. If there already is an ldap server in the network, using that ldap server would be fine. Below is step-by-step instructions on how to configure ldap server and samba for this purpose. Openldap is used as the ldap server in this setup.
How to setup the ldap server?
1 - Install openldap-servers package.
#yum install openldap-servers
2 - Below is my slapd.conf after removing comments.
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
TLSCertificateFile /etc/pki/tls/certs/slapd.pem
TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
database bdb
suffix "dc=samba,dc=example,dc=com"
rootdn "cn=admin,dc=samba,dc=example,dc=com"
rootpw password
directory /var/lib/ldap
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
3 - Below is details of how I created slapd.pem
# cd /etc/pki/tls/certs
# rm -f slapd.pem
# make slapd.pem
Give details on every prompt as appropriate.
#chown ldap.ldap slapd.pem
4 - Use the simple ldif file given below to initialize the ldap database.
dn: dc=samba,dc=example,dc=com
dc: samba
objectClass: top
objectClass: domain
dn: ou=idmap,dc=samba,dc=example,dc=com
ou: idmap
objectClass: top
objectClass: organizationalUnit
Initialize the database using the below command.
# slapadd -d 3 -l ldif-file
If you already have an ldap server running in your network, Just add an OU named idmap under the ldap name space heirarchy, add a user in the ldap databse and give that user write permission to the OU.
5 - Start ldap server. service ldap start.
How to setup the Samba server.
I only include my smb.conf and some basic details on setting this up.
[global]
workgroup =
netbios name =
realm = SAMBA.EXAMPLE.COM
server string = RHEL4 Idmap Ldap Backend
security = ads
password server =
log file = /var/log/samba/%m.log
max log size = 50
printcap name = /etc/printcap
ldap admin dn = cn=admin,dc=samba,dc=example,dc=com
ldap delete dn = yes
ldap idmap suffix = ou=idmap
ldap suffix = dc=samba,dc=example,dc=com
idmap backend = ldap:"ldaps://ip or hostname of ldap server"
idmap uid = 1500-100000
idmap gid = 1500-100000
winbind separator = +
winbind use default domain = yes
cups options = raw
template shell = /bin/bash
winbind enum users = yes
winbind enum groups = yes
[homes]
comment = Home Directories
read only = No
browseable = No
[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No
Add the password for "ldap admin dn" to samba tdb databse.
# smbpasswd -w password
password is what we defined in the slapd.conf in the earlier step.
Now what happens is, suppose you have 1000 users named user1 to user1000 in AD, when user1 logs in to system1, samba would check whether a sid/uid mapping is already present in the ldap database. If it finds one, it would assign that uid to user1. If it does not find one, it would take the next free uid from the range defined, assign that to user1 and save the sid/uid mapping in the ldap database. Now, after sometime, if user1 tries to log in from machine B, samba in machine B would check whether an sid/uid mapping is there in the ldap database. It should find one and assign that uid to user1.
Below is an example of how sid/uid mapping is represented in ldap database.
dn: sambaSID=S-1-5-21-2913803998-3319354983-1616611311-1001,ou=Idmap,dc=samba,dc=samba,dc=com
objectClass: sambaIdmapEntry
objectClass: sambaSidEntry
uidNumber: 1504
sambaSID: S-1-5-21-2913803998-3319354983-1616611311-1001
The above entry implies that the AD user with SID S-1-5-21-2913803998-3319354983-1616611311-1001 should be assigned the uid 1504.
Restart winbind and verify that everything works as expected.
