Samba 3.4 Changes idmap backend!
By : Josh -
I recently upgraded some hosts to Fedora 11 which has Samba 3.4 included. I configure most of the hosts I control to be integrated with Active Directory for authentication and this upgrade broke that authentication.
The problem was that the winbind daemon was not able to query the LDAP server which was used as the idmap directory due to the way I had configured the idmap backend in smb.conf. This caused winbind and samba to restart successfully and I could enumerate groups and users perfectly well in bulk. I was not able, however, to enumerate a single user using ‘wbinfo -i ‘ or groups and I was not able to login.
This problem was caused by this config value:
idmap backend = "ldap:ldap://ldap1,ldap://ldap2"
After a bit of troubleshooting, I discovered that winbind was not able to query the LDAP server successfully. I fixed this issue by changing the above config value to:
idmap backend = ldap:ldap://ldap1 ldap://ldap2
I then restarted winbind and tested failover by enumerating a few users and then stopping the primary ldap server (ldap1) and enumerating a few more users.