rfc2307

Chan Min Wai dcmwai at gmail.com
Fri Feb 14 08:33:47 MST 2014


Dear Rowland,

Just to check.
Can winbind just use the SID (maybe the truncated SID) from Windows as the UID and GID?

Isn't that a much simpler approach?

Did we have a config for that?

Thank you. 

> Rowland Penny <repenny241155 at gmail.com> wrote on 14/02/2014 9:05 PM:
> 
>> On 14/02/14 12:24, David Schmitt wrote:
>> Hi,
>> 
>> I've followed http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO on a Debian testing machine and had good success in provisioning a domain.
>> 
>> I've used --use-rfc2307 under the impression that this will allow me to use samba's ldap server and/or winbind to authenticate my linux clients. I've also had good success in using winbind to connect to the dc, including being able to kinit successfully on the domain member.
>> 
>> Sadly, I then noticed that the posix attributes were not populated and clients (specifically dc and domain member) did not agree on the UIDs of users.
> 
> You have to add the uidNumber's & gidNumber's yourself
> 
>> 
>> I've tried to configure posix attributes by using ldapmodify, which worked only up to the point that the attributes were accepted by samba's ldap server, but the changes were not reflected in the actual responses in the system:
>> 
>>> root@samba:/etc/samba# id testuser
>>> uid=3000021(TEST\testuser) gid=100(users) groups=100(users)
> 
> This shows that you are using xidnumbers from idmap.ldb
> 
>>> root@samba:/etc/samba# ldapsearch -LLL -h localhost -p 389 -D "Administrator@LAN.DASZ.AT" -w ... -b "CN=testuser,CN=Users,DC=lan,DC=dasz,DC=at"
>>> dn: CN=testuser,CN=Users,DC=lan,DC=dasz,DC=at
>>> cn: testuser
>>> instanceType: 4
>>> whenCreated: 20131205082329.0Z
>>> uSNCreated: 3784
>>> name: testuser
>>> objectGUID:: +4iQ6c5hXEacHox5tszkFg==
>>> badPwdCount: 0
>>> codePage: 0
>>> countryCode: 0
>>> badPasswordTime: 0
>>> lastLogoff: 0
>>> lastLogon: 0
>>> primaryGroupID: 513
>>> objectSid:: AQUAAAAAAAUVAAAAlmuaiI1gpj3YWL63UAQAAA==
>>> accountExpires: 9223372036854775807
>>> logonCount: 0
>>> sAMAccountName: testuser
>>> sAMAccountType: 805306368
>>> userPrincipalName: testuser@lan.dasz.at
>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=lan,DC=dasz,DC=at
>>> pwdLastSet: 130307054090000000
>>> userAccountControl: 512
>>> objectClass: top
>>> objectClass: posixAccount
>>> objectClass: person
>>> objectClass: organizationalPerson
>>> objectClass: user
>>> whenChanged: 20140214120810.0Z
>>> uSNChanged: 3891
>>> distinguishedName: CN=testuser,CN=Users,DC=lan,DC=dasz,DC=at
>>> 
>>> root@samba:/etc/samba#
> 
> This user was created with samba-tool; you can use samba-tool to add the uidNumber & gidNumber when you create the user. Try 'samba-tool user create --help'. The group you use must also have a gidNumber; you will have to add this with an .ldif file.
> 
> Rowland
>> 
>> Somehow I think I got sidetracked somewhere, but don't know how to recover.
>> 
>> I'd be glad for any help or hint.
>> 
>> 
>> Thanks, David
> 
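
An added example, not part of the thread: it decodes the objectSid from the ldapsearch output quoted above and applies the arithmetic used for algorithmic RID-based mapping, as documented for Samba's idmap_rid backend (ID = RID - BASE_RID + LOW_RANGE_ID). The ID range 10000-999999 is a constructed sample value, and the function names are hypothetical. Because the result depends only on the SID and the configured range, every host using the same range derives the same ID for a user, which is what keeps file ownership consistent between machines.

```python
import base64
import struct

# objectSid copied from the ldapsearch output quoted in the thread.
OBJECT_SID_B64 = "AQUAAAAAAAUVAAAAlmuaiI1gpj3YWL63UAQAAA=="
RAW_SID = base64.b64decode(OBJECT_SID_B64)


def parse_sid(raw: bytes):
    """Decode a binary SID into (revision, authority, [sub-authorities])."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")          # 48-bit, big-endian
    subs = list(struct.unpack("<%dI" % count, raw[8:]))  # 32-bit, little-endian
    return revision, authority, subs


def sid_to_str(raw: bytes) -> str:
    """Render the SID in the familiar S-R-A-S1-S2-... form."""
    revision, authority, subs = parse_sid(raw)
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])


def rid_to_unix_id(raw: bytes, low: int, high: int, base_rid: int = 0):
    """Algorithmic mapping: ID = RID - base_rid + low.

    Returns None when the result falls outside [low, high], so an
    out-of-range account is left unmapped instead of colliding with
    another ID range.
    """
    subs = parse_sid(raw)[2]
    if not subs:
        return None
    unix_id = subs[-1] - base_rid + low  # last sub-authority is the RID
    return unix_id if low <= unix_id <= high else None


if __name__ == "__main__":
    print(sid_to_str(RAW_SID))
    # Constructed sample range; any host using the same range gets the same ID.
    print(rid_to_unix_id(RAW_SID, low=10000, high=999999))
```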