Samba4 wbinfo -i output

Gémes Géza geza at kzsdabas.hu
Sun May 6 23:57:39 MDT 2012 

On 2012-05-06 22:24, steve wrote:
> On 05/06/2012 07:58 PM, Gémes Géza wrote:
>> On 2012-05-06 18:08, steve wrote:
>>> On 05/06/2012 03:58 PM, Gémes Géza wrote:
>>>> On 2012-05-06 11:43, steve wrote:
>>>>> On 06/05/12 10:10, Gémes Géza wrote:
>>>>>> On 2012-05-06 09:43, steve wrote:
>>>>>>> On 05/06/2012 09:22 AM, Andrew Bartlett wrote:
>>>>>>>> On Sun, 2012-05-06 at 09:06 +0200, steve wrote:
>>>>>>>>
>>>>> Hi
>>>>> Or just store the attributes you need in the directory and forget
>>>>> winbind no?
>>>>> Cheers,
>>>>> Steve
>>>> Without winbind you lose the ability to have nested groups.
>>>>
>>>> Regards
>>>>
>>>> Geza
>>> Hi
>>> Does that mean not being able to have a group as a member of another
>>> group? If so, what disadvantages does that have? The schema allows me
>>> the same with or without winbind doesn't it? Maybe getent would have
>>> problems?
>>> Cheers,
>>> Steve
>>>
>> I haven't tried it but in theory libnss-ldap and (also untested)
>> libnss-ldapd doesn't support recursive lookup for group members. So
>> getent group would list only users and first level groups.
>>
>> Regards
>>
>> Geza
> Hi Geza
> No. nss-ldapd does a superb job of AD group mappings as recursively
> deep as you want. And very fast. The ldapd dev helped us with the AD
> mappings. In fact as of the latest version, we need only 2:
>
> cat /etc/nslcd.conf
>
> uid nslcd
> gid nslcd
> uri ldap://sam4dc.polop.site
> base dc=polop,dc=site
> map    passwd    uid    samAccountName
> map    passwd    homeDirectory    unixHomeDirectory
> #map    group    uniqueMember    member
> sasl_mech GSSAPI
> sasl_realm POLOP.SITE
> krb5_ccname /tmp/nslcd.tkt
>
> Previous versions needed the commented out mapping too. As of version
> 0.8, it does into the DN to extract the members as well as members by
> primaryGroupID.
> e.g.
> getent passwd steve2
> steve2:*:3000011:20513:steve2:/home2/CACTUS/staff/steve2:/bin/bash
>
> getent group staff
> staff:*:21108:lynn2,steve2
>
> dn: CN=steve2,CN=Users,DC=polop,DC=site
> cn: steve2
> instanceType: 4
> whenCreated: 20120505174235.0Z
> uSNCreated: 3735
> name: steve2
> objectGUID: 70cea1cc-2d1a-4301-b80d-695244824f8d
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> lastLogon: 0
> objectSid: S-1-5-21-216190789-1528428426-2244757706-1107
> accountExpires: 9223372036854775807
> logonCount: 0
> sAMAccountName: steve2
> sAMAccountType: 805306368
> userPrincipalName: steve2 at polop.site
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=polop,DC=site
> pwdLastSet: 129807133550000000
> userAccountControl: 512
> uidNumber: 3000011
> loginShell: /bin/bash
> objectClass: top
> objectClass: posixAccount
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> profilePath: \\sam4dc\profiles\steve2
> homeDrive: Z:
> unixHomeDirectory: /home2/CACTUS/staff/steve2
> homeDirectory: \\sam4dc\staff\steve2
> primaryGroupID: 513
> gidNumber: 20513
> whenChanged: 20120506190835.0Z
> uSNChanged: 3824
> memberOf: CN=staff,CN=Users,DC=polop,DC=site
> distinguishedName: CN=steve2,CN=Users,DC=polop,DC=site
>
> dn: CN=staff,CN=Users,DC=polop,DC=site
> cn: staff
> instanceType: 4
> whenCreated: 20120505174317.0Z
> uSNCreated: 3741
> name: staff
> objectGUID: a94ceff6-3078-4ef0-a763-67cb79c7eb25
> objectSid: S-1-5-21-216190789-1528428426-2244757706-1108
> sAMAccountName: staff
> sAMAccountType: 268435456
> groupType: -2147483646
> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=polop,DC=site
> objectClass: top
> objectClass: posixGroup
> objectClass: group
> gidNumber: 21108
> member: CN=steve2,CN=Users,DC=polop,DC=site
> member: CN=lynn2,CN=Users,DC=polop,DC=site
> whenChanged: 20120506192028.0Z
> uSNChanged: 3828
> distinguishedName: CN=staff,CN=Users,DC=polop,DC=site
>
> dn: CN=Domain Users,CN=Users,DC=polop,DC=site
> cn: Domain Users
> description: All domain users
> instanceType: 4
> whenCreated: 20120505165503.0Z
> uSNCreated: 3540
> name: Domain Users
> objectGUID: 5fec110b-1b55-4ff8-812f-f4e9d033b9ec
> objectSid: S-1-5-21-216190789-1528428426-2244757706-513
> sAMAccountName: Domain Users
> sAMAccountType: 268435456
> groupType: -2147483646
> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=polop,DC=site
> isCriticalSystemObject: TRUE
> memberOf: CN=Users,CN=Builtin,DC=polop,DC=site
> gidNumber: 20513
> objectClass: top
> objectClass: posixGroup
> objectClass: group
> whenChanged: 20120506190833.0Z
> uSNChanged: 3821
> distinguishedName: CN=Domain Users,CN=Users,DC=polop,DC=site
>
> Note: the primaryGroupID determines the default group. There is
> currently a bug in the schema which does not remove the memberOf
> attribute when changing primaryGroupID. This is the subject of another
> thread here. The workaround is to run samba-tool dbcheck --fix after
> changing group ids.
>
> We add 20000 to the rid of the primaryGroup to make it more readable
> and to stop it colliding with our local groups. All based upon an idea
> by Geza back in December:-) We call it s4bind. Details here:
> http://linuxcostablanca.blogspot.com.es/p/s4bind.html
>
> Cheers,
> Steve
>
Hi Steve,

That is really good news for me, because this summer I plan to migrate
our Samba3+OpenLDAP+Heimdal KDC on the server and pam-krb5/nss-ldapd on
the *nix clients to Samba4, so it will be less hassle to migrate the
clients.

Cheers,

Geza

More information about the samba-technical mailing list