[Samba] winbind bug?

Rowland Penny rowlandpenny at googlemail.com
Mon Apr 7 13:27:20 MDT 2014


On 07/04/14 19:55, Doug Tucker wrote:
>
>> This will not work anymore, if it really worked properly before. The 
>> schema extension you are referring to has been a standard part of 
>> the AD schema since Windows Server 2003 R2.
> We do not have 2003R2, just 2003.

This is not a problem; just get your Windows admin to install Windows 
Services for UNIX version 3.5. I think, but I am not sure, that if you 
add a Samba 4 AD server to the domain, the relevant info will replicate 
into the Windows 2003 AD. I am sure someone will put me right here if I 
am wrong. ;-)

>>
>> All your Unix users & groups need to be in AD, then you need to add 
>> uidNumbers & gidNumbers; they are NOT added automatically.
>
> Just some background.  For all of the unix usernames that matter, 
> there is a corresponding windows account. 

Great, you are half way there.

> Our process here is to create an ldap account for any new users, and 
> then taking that info do: net user username password /fullname: "name" 
> /add from a command line on the AD server to create the user for 
> windows.  Or if I use a script I have to batch make a bunch of 
> accounts in ldap, I write that off to a windows.txt file, winscp that 
> to the AD box, and then run c:\addusers /c windows.txt to batch create 
> the windows accounts.

You are duplicating the creation of users & groups; they could all just 
exist in AD.

> But, we have never done that for the unix groups as there was never a 
> reason for it until this. 

Because you haven't been doing it correctly.

> So my next question is, if the windows guy has created some groups 
> that overlap with my unix groups, I assume we will have to reconcile 
> that by creating a whole new group for things he was using that group 
> name for? 

Well yes, unless you can combine the groups and have some users that are 
unix members of said group, some users that are windows users and some 
members that are both.

> And since I'm still blind to this whole AD thing, for unix users that 
> are in multiple groups, does the schema somehow allow me to add 
> multiple unix gid attributes for each user or rather more like unix 
> does each group have a place where I can add multiple uid's to it, or 
> how does that work??

No, a Unix user can only have one gidNumber, but this does not stop them 
being a member of more than one group; see the memberOf attribute in AD.

> It's really hard to picture this stuff in my head having never seen it.

Once you do get your head round it, you will wonder why we didn't do it 
this way all along.

Rowland

>>
>> This is the best idea you have had yet, you also need to discuss this 
>> with your windows admin. He could actually help you get this to work 
>> by showing you how RSAT works.
>>
>> Rowland
> I had to look that term up :).  He doesn't use that.  We just rdp to 
> the domain controllers and just work in a terminal.
>
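The two points Rowland makes above (uidNumber/gidNumber are not filled in automatically when the Windows admin creates an account, and a user has one gidNumber but can still belong to many groups via memberOf) can be checked offline before pointing winbind at the domain. The script below is an added example, not code from the Samba list thread or from the Samba project; the LDIF it parses is constructed sample data, and the function names are my own.

```python
"""Offline check of the RFC2307 attributes (uidNumber, gidNumber, memberOf)
that an AD-backed winbind setup depends on. Added example; the LDIF below is
constructed, not real directory output."""
from collections import defaultdict

# Constructed sample LDIF, modelled on what an AD DC with the RFC2307
# schema returns. "bob" was created with `net user` and never got Unix ids;
# "windows-only" is a group that exists only for Windows purposes.
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: alice
uidNumber: 10001
gidNumber: 20001
memberOf: CN=devs,CN=Users,DC=example,DC=com
memberOf: CN=ops,CN=Users,DC=example,DC=com

dn: CN=bob,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: bob
memberOf: CN=devs,CN=Users,DC=example,DC=com

dn: CN=devs,CN=Users,DC=example,DC=com
objectClass: group
sAMAccountName: devs
gidNumber: 20001

dn: CN=ops,CN=Users,DC=example,DC=com
objectClass: group
sAMAccountName: ops
gidNumber: 20002

dn: CN=windows-only,CN=Users,DC=example,DC=com
objectClass: group
sAMAccountName: windows-only
"""


def parse_ldif(text):
    """Parse a minimal LDIF dump into {dn: {attribute: [values]}}.

    Entries are separated by blank lines; multi-valued attributes such as
    memberOf simply repeat the attribute name on successive lines."""
    entries = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            current = None
            continue
        attr, _, value = line.partition(": ")
        if attr == "dn":
            current = entries.setdefault(value, defaultdict(list))
        elif current is not None:
            current[attr].append(value)
    return entries


def missing_rfc2307(entries):
    """Map sAMAccountName -> missing attributes for every user without
    uidNumber/gidNumber and every group without gidNumber. These are the
    objects winbind cannot map to Unix ids until someone adds the values."""
    problems = {}
    for attrs in entries.values():
        name = attrs["sAMAccountName"][0]
        wanted = ("uidNumber", "gidNumber") if "user" in attrs["objectClass"] else ("gidNumber",)
        missing = [a for a in wanted if a not in attrs]
        if missing:
            problems[name] = missing
    return problems


def unix_groups(entries, username):
    """Return (primary gid, sorted supplementary gids) for a user.

    The primary gid is the user's single gidNumber; supplementary gids come
    from memberOf, following each DN to the group's gidNumber. Groups with
    no gidNumber are Windows-only and are skipped, which is what `id` on a
    winbind client would reflect."""
    user = next(a for a in entries.values() if a["sAMAccountName"] == [username])
    if "gidNumber" not in user:
        raise ValueError(f"{username} has no gidNumber")
    primary = int(user["gidNumber"][0])
    supplementary = set()
    for group_dn in user["memberOf"]:
        group = entries.get(group_dn)
        if group and "gidNumber" in group:
            gid = int(group["gidNumber"][0])
            if gid != primary:
                supplementary.add(gid)
    return primary, sorted(supplementary)


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    print("objects lacking RFC2307 ids:", missing_rfc2307(directory))
    print("alice ->", unix_groups(directory, "alice"))
```

Against a real domain you would feed the output of an LDAP search (or `samba-tool user show` / `group show` on a Samba DC) into `parse_ldif` instead of the constructed string; the two checks then list exactly the accounts and groups the Windows admin still has to give uidNumber/gidNumber values.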


