[Samba] RFC2307, AD, and Samba 3.6

Gémes Géza geza at kzsdabas.hu
Sun Aug 12 07:26:31 MDT 2012


Hi,
> Hi all,
>
> I'm still struggling with getting samba 3.6 to use the uids and gids from my Active Directory 2008 R2 setup. I can see the users, I just can't get their UIDs mapped onto my linux machine.
>
> I've configured AD to use its "services for unix" feature, and through that, I got a "Unix Attributes" tab where I could enter fields like uid, home dir, shell, and primary GID.
>
> My few questions:
>
> 1. Am I supposed to configure Samba to use rfc2307, or sfu?
> 2. As you can see in my config, below, I've configured an idmap range for the AD domain. It seems to be ignored, and instead, my users get placed in the wildcard domain's idmap range.
> 3. I found some advice (don't remember where) to try to delete these files when I change this part of my config:
> 	/var/run/samba/gencache*
> 	/var/cache/samba/winbindd_cache.tdb
> 	/var/lib/samba/winbindd_idmap.tdb
>      Any thoughts about the need/value to delete these temp files is appreciated.
> 4. Finally, does anyone have suggestions of other things I can try?
>
> thanks very much.
>
> best,
> -Nick
According to man idmap_ad you should have a generic idmap backend line 
as well, like:

idmap backend = tdb
idmap uid range = some uninteresting range
idmap gid range = some uninteresting range

I wrote "uninteresting range" because you should specify a range in which 
you haven't placed your users via ADUC.
> [global]   (from my smb.conf)
>     workgroup = CORP
>     server string = %h server (Samba, Ubuntu)
>
>     security = ADS
>     realm = CORP.xxx.COM
>     allow trusted domains = yes
>     winbind use default domain = yes
>     winbind nested groups = YES
>     winbind nested groups = YES
>     winbind enum groups = yes
>     winbind enum users = yes
>     winbind nss info = rfc2307
>     winbind refresh tickets = yes
>     idmap config CORP : backend = ad
>     idmap config CORP : schema_mode = rfc2307
>     #idmap config CORP : range = 1000 - 99999
>     idmap config * : default = yes
>     #idmap config * : backend = tdb
>     #idmap config * : range = 100000 - 199999
>     idmap config * : range = 900 - 1999
>
>     encrypt passwords = true
>
>     obey pam restrictions = yes
>     client use spnego = yes
>     client ntlmv2 auth = yes
>     encrypt passwords = true
>     restrict anonymous = 2
>
> When I perform an ldapsearch against my server, I see these attributes, among others:
>
> msSFU30Name: nick
> msSFU30NisDomain: corp
> uidNumber: 1001
> gidNumber: 1000
> unixHomeDirectory: /home/nick
> loginShell: /bin/bash
>
Regards

Geza
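The two things at issue in this thread, a usable default ("*") backend and ranges that do not contain the ids assigned in AD, can be checked mechanically before restarting winbind. What follows is an added example, not code from the thread or from the Samba project: it parses the `idmap config DOMAIN : key = value` lines of a Samba 3.6 `[global]` section, reports the conditions under which winbind ignores a per-domain backend and hands out ids from the "*" range, and runs that check against Nick's posted lines (with the uidNumber 1001 and gidNumber 1000 from his ldapsearch) and against a corrected layout that uncomments the two ranges from his post and gives "*" an explicit tdb backend. The function names, the problem codes and the message wording are my own.

```python
"""Sanity-check the idmap layout of a Samba 3.6 smb.conf [global] section.

Added example, not code from the thread or from Samba.  It reads the
"idmap config DOMAIN : key = value" lines and reports what makes winbind
ignore a per-domain backend and allocate from the "*" default range:
a domain backend with no range, a missing default range, overlapping
ranges, and RFC2307 uidNumber/gidNumber values (as seen with ldapsearch)
that fall outside the domain's range or inside the default range.
"""
import re

IDMAP_RE = re.compile(r"^idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)$", re.IGNORECASE)
RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")

# Constructed from the [global] section and ldapsearch output posted in the thread.
NICK_CONF = """
    idmap config CORP : backend = ad
    idmap config CORP : schema_mode = rfc2307
    #idmap config CORP : range = 1000 - 99999
    idmap config * : default = yes
    #idmap config * : backend = tdb
    #idmap config * : range = 100000 - 199999
    idmap config * : range = 900 - 1999
"""
NICK_IDS = {"CORP": [1001, 1000]}   # uidNumber / gidNumber of user nick

# Same layout with the posted ranges uncommented and an explicit default backend.
FIXED_CONF = """
    idmap config * : backend = tdb
    idmap config * : range = 100000 - 199999
    idmap config CORP : backend = ad
    idmap config CORP : schema_mode = rfc2307
    idmap config CORP : range = 1000 - 99999
"""


def parse_idmap(conf):
    """Return {domain: {key: value}} for the uncommented idmap config lines."""
    domains = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # both smb.conf comment styles
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.groups()
            domains.setdefault(dom, {})[key.lower()] = val.strip()
    return domains


def parse_range(text):
    """'1000 - 99999' -> (1000, 99999); reject malformed or inverted ranges."""
    m = RANGE_RE.match(text)
    if not m:
        raise ValueError(f"malformed idmap range: {text!r}")
    lo, hi = int(m.group(1)), int(m.group(2))
    if lo > hi:
        raise ValueError(f"inverted idmap range: {text!r}")
    return lo, hi


def check_idmap(conf, ad_ids=None):
    """Return a list of (code, message) problems; [] means the layout is sane.

    ad_ids maps a domain name to uidNumber/gidNumber values found in its AD.
    """
    problems = []
    ranges = {}
    for dom, cfg in parse_idmap(conf).items():
        if "backend" not in cfg:
            problems.append(("no-backend", f"{dom}: no explicit idmap backend"))
        if "range" not in cfg:
            problems.append(("no-range", f"{dom}: backend {cfg.get('backend')!r} has no "
                                         "range, so winbind will not use it and falls back to '*'"))
            continue
        ranges[dom] = parse_range(cfg["range"])
    if "*" not in ranges:
        problems.append(("no-default", "no usable '*' default range"))
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:          # overlap means uid/gid collisions across domains
                problems.append(("overlap", f"{a} ({alo}-{ahi}) overlaps {b} ({blo}-{bhi})"))
    for dom, ids in (ad_ids or {}).items():
        for n in ids:
            if dom in ranges and not (ranges[dom][0] <= n <= ranges[dom][1]):
                problems.append(("id-outside", f"{dom}: AD id {n} lies outside its range"))
            if "*" in ranges and ranges["*"][0] <= n <= ranges["*"][1]:
                problems.append(("id-in-default", f"AD id {n} lies inside the '*' range"))
    return problems


if __name__ == "__main__":
    for name, conf in (("posted", NICK_CONF), ("corrected", FIXED_CONF)):
        found = check_idmap(conf, NICK_IDS)
        print(f"{name}: {'ok' if not found else ''}")
        for code, msg in found:
            print(f"  [{code}] {msg}")
```

On the posted layout the check reports that CORP's `ad` backend has no range and that both AD-assigned ids (1001 and 1000) sit inside the `900 - 1999` default range, which is exactly the symptom described in the question; on the corrected layout it reports nothing. Keeping the "*" range disjoint from the AD-assigned range matters beyond this one user: with `allow trusted domains = yes`, any trusted domain that has no `idmap config` block of its own is allocated from "*", and an overlap would let two different domain accounts end up with the same Unix uid.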

