[Samba] samba4 rfc2307 practice and confuse
d tbsky
tbskyd at gmail.com
Sat Apr 13 10:49:50 MDT 2013
Hi,
I set up a small Samba 4.0.5 AD DC server. My clients are Windows 7 and
Linux, and I use Windows 7 with the remote management tools to manage the
rfc2307 account settings of the samba4 DC. I hope my users can use the same
account on Windows and Linux.
The samba4 DC provision command is below:
samba-tool domain provision --use-rfc2307 --function-level=2008_R2 --interactive
The smb.conf global section for the samba4 DC is below:
workgroup = DOM
realm = AD.DOM.COM.TW
netbios name = DC
server role = active directory domain controller
dns forwarder = 10.11.1.254
idmap_ldb:use rfc2307 = yes
template shell = /bin/bash
winbind nss info = rfc2307
Under the samba4 DC, with the "getent passwd" command, the situation is as follows:
1. The uid and gid are correct. "getent group" works.
2. The shell and homedir are not correct. "winbind nss info = rfc2307" is
useless; samba4 always uses the template for "shell" and "homedir". Even
worse, if I set "template homedir = /home/%U", the "%U" macro is ignored,
so everyone's homedir is just "/home/%U". However, the default "/home/%D/%U"
works if you don't set any "template homedir". So not setting any
"template homedir" is the only way to go under the samba4 DC.
Under another Scientific Linux 6.4 workstation (which comes with samba 3.6.9;
I also tried 3.6.13), the global section of smb.conf is below:
workgroup = DOM
password server = DC.AD.DOM.COM.TW
realm = AD.DOM.COM.TW
security = ads
idmap config *:backend = tdb
idmap config *:range = 2001-3000
idmap config DOM:backend = ad
idmap config DOM:default = yes
idmap config DOM:range = 1000-2000
idmap config DOM:schema_mode = rfc2307
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
The situation is as follows:
1. uid, shell and home are correct from rfc2307, but gid is not, and "getent
group" never works.
2. The gid comes from the domain account's "primary group". So to make my
Linux client work, I need to set up a special domain group, set the group's
rfc2307 gid number (I set it to 1000), and change every user's
primary group from "domain users" to the special domain group; then I
get the correct "getent passwd".
I searched the Samba wiki and the mailing list; there is very little
information about rfc2307 (but many questions and much confusion without
reply on the mailing list), so I am posting my experience here. I wonder
whether the strange behavior is a bug or a feature, and what the original
design idea is for using rfc2307 under a samba 4 domain.
Thanks for any advice.
Regards,
tbskyd
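
Added example (not part of the original post): a small audit of the member-server situation described above, where the gid comes from each user's primary group and, per the idmap_ad documentation, IDs outside the configured range are ignored. The directory entries, the group name "unixusers" and RID 1105 are constructed sample data; only the 1000-2000 range and gid 1000 come from the post.

```python
# Added example: audit RFC2307 attributes against an idmap_ad range.
# All directory entries below are constructed sample data.

DOM_RANGE = (1000, 2000)  # "idmap config DOM:range" from the member smb.conf

# Groups keyed by RID (last component of objectSid); primaryGroupID is a RID.
GROUPS = {
    513: {"cn": "Domain Users", "gidNumber": None},  # no RFC2307 gid set
    1105: {"cn": "unixusers", "gidNumber": 1000},    # hypothetical group
}

USERS = [
    {"sAMAccountName": "alice", "uidNumber": 1001, "primaryGroupID": 513},
    {"sAMAccountName": "bob", "uidNumber": 1002, "primaryGroupID": 1105},
    {"sAMAccountName": "carol", "uidNumber": 5000, "primaryGroupID": 1105},
    {"sAMAccountName": "dave", "uidNumber": None, "primaryGroupID": 1105},
]

def in_range(value, id_range):
    low, high = id_range
    return value is not None and low <= value <= high

def audit_user(user, groups, id_range):
    """Return the problems that stop this user resolving as intended."""
    problems = []
    uid = user["uidNumber"]
    if uid is None:
        problems.append("no uidNumber")
    elif not in_range(uid, id_range):
        problems.append(f"uidNumber {uid} outside {id_range[0]}-{id_range[1]}")
    group = groups.get(user["primaryGroupID"])
    if group is None:
        problems.append(f"primary group RID {user['primaryGroupID']} not found")
    elif group["gidNumber"] is None:
        problems.append(f"primary group '{group['cn']}' has no gidNumber")
    elif not in_range(group["gidNumber"], id_range):
        problems.append(f"primary group '{group['cn']}' gidNumber outside range")
    return problems

def audit(users, groups, id_range):
    """Map account name -> list of problems, omitting clean accounts."""
    report = {u["sAMAccountName"]: audit_user(u, groups, id_range) for u in users}
    return {name: probs for name, probs in report.items() if probs}

if __name__ == "__main__":
    for name, problems in audit(USERS, GROUPS, DOM_RANGE).items():
        print(f"{name}: {'; '.join(problems)}")
```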