Samba4 winbind: use rfc2307 not working with winbind

Gémes Géza geza at kzsdabas.hu
Mon Aug 6 05:42:06 MDT 2012


On 2012-08-06 12:31, steve wrote:
> Hi
> Here is my smb.conf:
> [global]
>         workgroup = ALTEA
>         realm = hh3.site
>         netbios name = HH30
>         server role = active directory domain controller
>         passdb backend = samba4
>         idmap_ldb : use rfc2307 = Yes
>
> and /etc/nsswitch.conf
> passwd: files winbind
> group: files winbind
>
> In the directory, I have:
> Users
>  posixAccount, uidNumber and gidNumber
> Groups
>  posixGroup, gidNumber
>
> I run winbindd then samba.
>
> testparm adds
>     idmap     idmap config * : backend = tdb
> to smb.conf
>
> I tried overruling this with:
>   idmap     idmap config * : backend = ad
> and specifying a range
> and
>   idmap     idmap config * : backend =
>
> All uid:gid values come from idmap. If I delete an entry from idmap, 
> it is recreated when I run getent with a different gid/uid. Nothing is 
> brought from the directory.
>
> This works with nss-ldapd (with ldap replacing winbind in 
> nsswitch.conf). Maybe I should not be running winbind with this setup?
>
> Does   idmap_ldb : use rfc2307 = Yes work with (or without) winbindd 
> running on the DC?
>
> Thanks,
> Steve
Hi Steve,

You seem to have mixed samba4 and samba3 setups again, or you didn't 
mention in your e-mail which setting was on which installation.

I recommend having:

1. Computer/Installation/Virtual Machine/Whatever: Samba4 AD Controller, 
only winbind related option: idmap_ldb : use rfc2307 = Yes
2. Computer/Installation/Virtual Machine/Whatever: Samba3 Member Server, 
winbind related options:
idmap backend = tdb
idmap uid = some uninteresting uid range (e.g. 1000001-2000000)
idmap gid = some uninteresting gid range (e.g. 1000001-2000000)

idmap config YOURWORKGROUPNAME : backend  = ad
idmap config YOURWORKGROUPNAME : range = The union of the uid/gid range 
you have set up in AD (e.g. 1000-1000000)

Samba3 winbind from computer 2 has no knowledge if Samba4 winbind is 
using uids/gids from AD or from idmap.ldb as it is configured by 
idmap_ldb : use rfc2307 = Yes or No

Regards

Geza Gemes
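
A consistency check for the member-server settings recommended in the reply above, as an added example that is not part of the original message or of Samba. It parses smb.conf text for idmap ranges, flags any overlap between a default (tdb) range and a domain (ad) range, and flags rfc2307 uidNumber/gidNumber values that no domain range covers. The sample configuration, the use of ALTEA for YOURWORKGROUPNAME, the directory IDs and the function names are all constructed for illustration.

```python
import re

# Constructed sample: the member-server settings recommended in the reply, with
# ALTEA (the workgroup from the quoted smb.conf) in place of YOURWORKGROUPNAME.
SAMPLE_SMB_CONF = """
[global]
    workgroup = ALTEA
    idmap backend = tdb
    idmap uid = 1000001-2000000
    idmap gid = 1000001-2000000
    idmap config ALTEA : backend = ad
    idmap config ALTEA : range = 1000-1000000
"""

RANGE = re.compile(r"^(\d+)\s*-\s*(\d+)$")
DOMAIN_KEY = re.compile(r"^idmap\s+config\s+(\S+?)\s*:\s*range$", re.I)
DEFAULT_KEY = re.compile(r"^idmap\s+(uid|gid)$", re.I)

def parse_idmap_ranges(conf_text):
    """Return {label: (low, high)}; labels of default ranges start with '*'."""
    ranges = {}
    for line in conf_text.splitlines():
        key, sep, value = line.strip().partition("=")
        key, m = key.strip(), RANGE.match(value.strip())
        if not sep or key.startswith(("#", ";")) or not m:
            continue
        dom, dflt = DOMAIN_KEY.match(key), DEFAULT_KEY.match(key)
        if dom or dflt:
            label = dom.group(1).upper() if dom else "* " + dflt.group(1).lower()
            ranges[label] = (int(m.group(1)), int(m.group(2)))
    return ranges

def check_idmap(conf_text, directory_ids=()):
    """List inverted ranges, default/domain overlaps, and directory IDs no domain range covers."""
    items = sorted(parse_idmap_ranges(conf_text).items())
    problems = [f"{n}: low bound above high bound" for n, (lo, hi) in items if lo > hi]
    for i, (a, (alo, ahi)) in enumerate(items):
        for b, (blo, bhi) in items[i + 1:]:
            # Two default ranges (uid and gid) are separate ID spaces and may coincide.
            if not (a[0] == b[0] == "*") and alo <= bhi and blo <= ahi:
                problems.append(f"{a} {alo}-{ahi} overlaps {b} {blo}-{bhi}")
    domain = [r for n, r in items if not n.startswith("*")]
    for name, number in directory_ids:
        if not any(lo <= number <= hi for lo, hi in domain):
            problems.append(f"{name}: {number} is outside every domain range")
    return problems

if __name__ == "__main__":
    # Constructed uidNumber values; 500 lies below the 1000-1000000 AD range.
    print("\n".join(check_idmap(SAMPLE_SMB_CONF, [("steve", 3000), ("svc", 500)])))
```

With the ranges from the reply the check reports no overlap; widening the domain range into the default range, or storing an ID below 1000 in the directory, produces a finding.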

