rfc2307

Rowland Penny repenny241155 at gmail.com
Fri Feb 14 06:05:02 MST 2014


On 14/02/14 12:24, David Schmitt wrote:
> Hi,
>
> I've followed http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO on a 
> Debian testing machine and had good success in provisioning a domain.
>
> I've used --use-rfc2307 under the impression that this will allow me 
> to use samba's ldap server and/or winbind to authenticate my linux 
> clients. I've also had good success in using winbind to connect to the 
> dc, including being able to kinit successfully on the domain member.
>
> Sadly, I then noticed that the posix attributes were not populated and 
> clients (specifically dc and domain member) did not agree on the UIDs 
> of users.

You have to add the uidNumbers & gidNumbers yourself.

>
> I've tried to configure posix attributes by using ldapmodify, which 
> worked only up to the point that the attributes were accepted by 
> samba's ldap server, but the changes were not reflected in the actual 
> responses in the system:
>
>> root@samba:/etc/samba# id testuser
>> uid=3000021(TEST\testuser) gid=100(users) groups=100(users)

This shows that you are using xidnumbers from idmap.ldb.

>> root@samba:/etc/samba# ldapsearch -LLL -h localhost -p 389 -D 
>> "Administrator@LAN.DASZ.AT" -w ... -b 
>> "CN=testuser,CN=Users,DC=lan,DC=dasz,DC=at"
>> dn: CN=testuser,CN=Users,DC=lan,DC=dasz,DC=at
>> cn: testuser
>> instanceType: 4
>> whenCreated: 20131205082329.0Z
>> uSNCreated: 3784
>> name: testuser
>> objectGUID:: +4iQ6c5hXEacHox5tszkFg==
>> badPwdCount: 0
>> codePage: 0
>> countryCode: 0
>> badPasswordTime: 0
>> lastLogoff: 0
>> lastLogon: 0
>> primaryGroupID: 513
>> objectSid:: AQUAAAAAAAUVAAAAlmuaiI1gpj3YWL63UAQAAA==
>> accountExpires: 9223372036854775807
>> logonCount: 0
>> sAMAccountName: testuser
>> sAMAccountType: 805306368
>> userPrincipalName: testuser@lan.dasz.at
>> objectCategory: 
>> CN=Person,CN=Schema,CN=Configuration,DC=lan,DC=dasz,DC=at
>> pwdLastSet: 130307054090000000
>> userAccountControl: 512
>> objectClass: top
>> objectClass: posixAccount
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: user
>> whenChanged: 20140214120810.0Z
>> uSNChanged: 3891
>> distinguishedName: CN=testuser,CN=Users,DC=lan,DC=dasz,DC=at
>>
>> root@samba:/etc/samba#
>

This user was created with samba-tool; you can use samba-tool to add the 
uidNumber & gidNumber when you create the user, try 'samba-tool user 
create --help'. The group you use must also have a gidNumber; you will 
have to add this with an .ldif file.

Rowland
>
> Somehow I think I got sidetracked somewhere, but don't know how to 
> recover.
>
> I'd be glad for any help or hint.
>
>
> Thanks, David
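
An added example, not part of the original messages: a small check that reads ldapsearch -LLL output, lists user entries that lack uidNumber or gidNumber (as the testuser entry quoted above does), and prints an ldapmodify record for the missing attributes. The function names, the otheruser entry and the ID values 10000/10001 are constructed for illustration.

```python
import re
# Constructed sample in the shape of the ldapsearch -LLL output in the thread:
# testuser has posixAccount but no ID attributes; otheruser is hypothetical.
SAMPLE = """\
dn: CN=testuser,CN=Users,DC=lan,DC=dasz,DC=at
objectCategory: CN=Person,CN=Schema,
 CN=Configuration,DC=lan,DC=dasz,DC=at
objectClass: posixAccount
objectClass: user

dn: CN=otheruser,CN=Users,DC=lan,DC=dasz,DC=at
objectClass: user
uidNumber: 10001
gidNumber: 10000
"""
REQUIRED = ("uidNumber", "gidNumber")

def parse_ldif(text):
    """Return one {lower-cased attribute: [values]} dict per LDIF entry."""
    entries = []
    unfolded = re.sub(r"\r?\n ", "", text)  # join folded continuation lines
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        entry = {}
        for line in block.splitlines():
            attr, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                # "attr:: ..." (base64) is kept undecoded; only presence matters
                entry.setdefault(attr.lower(), []).append(value.lstrip(":").strip())
        if "dn" in entry:
            entries.append(entry)
    return entries

def missing_posix(entries):
    """Map each user DN to the RFC 2307 ID attributes it lacks."""
    report = {}
    for e in entries:
        lacking = [a for a in REQUIRED if a.lower() not in e]
        if lacking and "user" in (c.lower() for c in e.get("objectclass", [])):
            report[e["dn"][0]] = lacking
    return report

def fix_ldif(dn, lacking, values):
    """Build an ldapmodify record that adds only the absent attributes."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for attr in lacking:
        lines += [f"add: {attr}", f"{attr}: {values[attr]}", "-"]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    for dn, lacking in missing_posix(parse_ldif(SAMPLE)).items():
        # 10000/10000 are constructed values; use IDs from your own range
        print(fix_ldif(dn, lacking, {"uidNumber": 10000, "gidNumber": 10000}))
```

The same check can be pointed at group entries by changing the objectClass test and REQUIRED to gidNumber only.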


