Samba4 winbind: use rfc2307 not working with winbind

steve steve at steve-ss.com
Mon Aug 6 09:34:08 MDT 2012


On 08/06/2012 01:42 PM, Gémes Géza wrote:
> 2012-08-06 12:31 keltezéssel, steve írta:
>> Hi
>> Here is my smb.conf:
>> [global]
>>         workgroup = ALTEA
>>         realm = hh3.site
>>         netbios name = HH30
>>         server role = active directory domain controller
>>         passdb backend = samba4
>>         idmap_ldb : use rfc2307 = Yes
>>
>> and /etc/nsswitch.conf
>> passwd: files winbind
>> group: files winbind
>>
>> In the directory, I have:
>> Users
>>  posixAccount, uidNumber and gidNumber
>> Groups
>>  posixGroup, gidNumber
>>
>> I run winbindd then samba.
>>
>> testparm adds
>>     idmap     idmap config * : backend = tdb
>> to smb.conf
>>
>> I tried overruling this with:
>>   idmap     idmap config * : backend = ad
>> and specifying a range
>> and
>>   idmap     idmap config * : backend =
>>
>> All uid:gid values come from idmap. If I delete an entry from idmap, 
>> it is recreated when I run getent with a different gid/uid. Nothing 
>> is brought from the directory.
>>
>> This works with nss-ldapd (with ldap replacing winbind in 
>> nsswitch.conf). Maybe I should not be running winbind with this setup?
>>
>> Does   idmap_ldb : use rfc2307 = Yes work with (or without) winbindd 
>> running on the DC?
>>
>> Thanks,
>> Steve
> Hi Steve,
>
> You seem to have mixed samba4 and samba3 setups again, or you didn't 
> mention in your e-mail which setting was on which installation.
>
> I recommend to have:
>
> 1. Computer/Installation/Virtual Machine/Whatever: Samba4 AD 
> Controller, only winbind related option: idmap_ldb : use rfc2307 = Yes 
Am only talking about the Samba4 DC at the moment to keep it simple for me.
OK. I've got _just_ this winbind related line in smb.conf on the Samba4 DC:
idmap_ldb : use rfc2307 = Yes

I run winbindd then samba
_Nothing_ comes from AD. If there is no entry in idmap.ldb (i.e. I deleted 
it) then getent creates one with no regard to what I have set in AD.

That's on the DC. I have a feeling that it would be a lot easier to 
go with nss-pam-ldapd and nslcd than this.

I noticed that source4/winbind/idmap.c has had some changes recently. 
There was a problem there last time when it only mapped uidNumber and 
ignored gidNumber (which was fixed) but now it's worse: it doesn't map either.

Cheers
Steve

I'd like to try and get winbind working on the DC before I join a S3 box.
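A small offline check for the symptom described in this thread (getent handing out ids from idmap instead of the uidNumber/gidNumber stored in AD), added here as an example and not part of the mailing-list exchange or of Samba itself. It assumes the admin has captured two things on the DC: an LDIF dump of the users and groups carrying RFC2307 attributes (what `ldbsearch` or `ldapsearch` would print) and the output of `getent passwd` / `getent group`. The sample data below is constructed; the high numbers for bob and devs stand in for ids that were auto-allocated by idmap rather than read from the directory. Mismatches are returned as tuples so the check can be scripted.

```python
"""Cross-check NSS (getent) results against RFC2307 attributes in AD.

Added example, not code from the thread or from Samba. Inputs are plain
text captured on the DC; the sample values here are constructed.
"""
import re

# Constructed LDIF: two posixAccount users and one posixGroup.
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=hh3,DC=site
objectClass: user
objectClass: posixAccount
sAMAccountName: alice
uidNumber: 10001
gidNumber: 10000

dn: CN=bob,CN=Users,DC=hh3,DC=site
objectClass: user
objectClass: posixAccount
sAMAccountName: bob
uidNumber: 10002
gidNumber: 10000

dn: CN=devs,CN=Users,DC=hh3,DC=site
objectClass: group
objectClass: posixGroup
sAMAccountName: devs
gidNumber: 10000
"""

# Constructed `getent passwd` output: alice's ids match the directory,
# bob's were allocated by idmap instead (the symptom under discussion).
SAMPLE_GETENT_PASSWD = """\
alice:*:10001:10000:alice:/home/ALTEA/alice:/bin/false
bob:*:3000021:3000020:bob:/home/ALTEA/bob:/bin/false
"""

# Constructed `getent group` output: devs also got an allocated gid.
SAMPLE_GETENT_GROUP = """\
devs:x:3000020:
"""


def parse_ldif(text):
    """Return (users, groups): {sAMAccountName: {'uidNumber': .., 'gidNumber': ..}}
    for entries that are posixAccount or posixGroup. Entries are separated by
    blank lines; attributes without ':' (or comments) are ignored."""
    users, groups = {}, {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            key, _, val = line.partition(":")
            attrs.setdefault(key.strip(), []).append(val.strip())
        name = attrs.get("sAMAccountName", [None])[0]
        if not name:
            continue
        classes = attrs.get("objectClass", [])
        ids = {k: int(attrs[k][0]) for k in ("uidNumber", "gidNumber") if k in attrs}
        if "posixAccount" in classes:
            users[name] = ids
        elif "posixGroup" in classes:
            groups[name] = ids
    return users, groups


def parse_getent(text, kind):
    """Parse `getent passwd` (name:x:uid:gid:...) or `getent group`
    (name:x:gid:members) into {name: {'uidNumber': .., 'gidNumber': ..}}."""
    out = {}
    for line in text.strip().splitlines():
        f = line.split(":")
        if kind == "passwd" and len(f) >= 4:
            out[f[0]] = {"uidNumber": int(f[2]), "gidNumber": int(f[3])}
        elif kind == "group" and len(f) >= 3:
            out[f[0]] = {"gidNumber": int(f[2])}
    return out


def find_mismatches(ldif_text, passwd_text, group_text):
    """Return [(name, attribute, directory_value, nss_value), ...] for every
    RFC2307 id that NSS does not report as set in AD. An account missing
    from getent output is reported with nss_value None."""
    users, groups = parse_ldif(ldif_text)
    problems = []
    for directory, nss in ((users, parse_getent(passwd_text, "passwd")),
                           (groups, parse_getent(group_text, "group"))):
        for name, want in sorted(directory.items()):
            got = nss.get(name, {})
            for attr, value in want.items():
                if got.get(attr) != value:
                    problems.append((name, attr, value, got.get(attr)))
    return problems


if __name__ == "__main__":
    for name, attr, want, got in find_mismatches(
            SAMPLE_LDIF, SAMPLE_GETENT_PASSWD, SAMPLE_GETENT_GROUP):
        print(f"{name}: {attr} is {want} in AD but NSS returned {got}")
```

Run against real captures by replacing the three sample strings with the files you dumped on the DC; an empty result means winbind (or nslcd) is returning exactly the ids stored in the directory, which is what file ownership on shared storage depends on.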

