Rowland Penny repenny241155 at gmail.com
Fri Feb 14 10:09:03 MST 2014

On 14/02/14 15:33, Chan Min Wai wrote:
> Dear Rowland,
> Just to check.
> Can winbind just use the SID (maybe the truncated SID) from Windows as the uid and gid?
> Isn't that a much simpler approach?

The simplest approach is to add uidNumbers and gidNumbers to the users 
& groups in AD, then add the program that I am not allowed to talk 
about. This, with the AD builtin winbind, seems to work perfectly; you 
can set ACLs etc. from a Windows machine, i.e. you can use the AD server 
as a fileserver, for storing home directories and profiles.


> Did we have a config for that?
> Thank you.
>> Rowland Penny <repenny241155 at gmail.com> wrote on 14/02/2014 9:05 PTG:
>>> On 14/02/14 12:24, David Schmitt wrote:
>>> Hi,
>>> I've followed http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO on a Debian testing machine and had good success in provisioning a domain.
>>> I've used --use-rfc2307 under the impression that this will allow me to use samba's ldap server and/or winbind to authenticate my linux clients. I've also had good success in using winbind to connect to the dc, including being able to kinit successfully on the domain member.
>>> Sadly, I then noticed that the posix attributes were not populated and clients (specifically dc and domain member) did not agree on the UIDs of users.
>> You have to add the uidNumbers & gidNumbers yourself.
>>> I've tried to configure posix attributes by using ldapmodify, which worked only up to the point that the attributes were accepted by samba's ldap server, but the changes were not reflected in the actual responses in the system:
>>>> root@samba:/etc/samba# id testuser
>>>> uid=3000021(TEST\testuser) gid=100(users) groups=100(users)
>> This shows that you are using xidnumbers from idmap.ldb
>>>> root@samba:/etc/samba# ldapsearch -LLL -h localhost -p 389 -D "Administrator@LAN.DASZ.AT" -w ... -b "CN=testuser,CN=Users,DC=lan,DC=dasz,DC=at"
>>>> dn: CN=testuser,CN=Users,DC=lan,DC=dasz,DC=at
>>>> cn: testuser
>>>> instanceType: 4
>>>> whenCreated: 20131205082329.0Z
>>>> uSNCreated: 3784
>>>> name: testuser
>>>> objectGUID:: +4iQ6c5hXEacHox5tszkFg==
>>>> badPwdCount: 0
>>>> codePage: 0
>>>> countryCode: 0
>>>> badPasswordTime: 0
>>>> lastLogoff: 0
>>>> lastLogon: 0
>>>> primaryGroupID: 513
>>>> objectSid:: AQUAAAAAAAUVAAAAlmuaiI1gpj3YWL63UAQAAA==
>>>> accountExpires: 9223372036854775807
>>>> logonCount: 0
>>>> sAMAccountName: testuser
>>>> sAMAccountType: 805306368
>>>> userPrincipalName: testuser@lan.dasz.at
>>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=lan,DC=dasz,DC=at
>>>> pwdLastSet: 130307054090000000
>>>> userAccountControl: 512
>>>> objectClass: top
>>>> objectClass: posixAccount
>>>> objectClass: person
>>>> objectClass: organizationalPerson
>>>> objectClass: user
>>>> whenChanged: 20140214120810.0Z
>>>> uSNChanged: 3891
>>>> distinguishedName: CN=testuser,CN=Users,DC=lan,DC=dasz,DC=at
>>>> root@samba:/etc/samba#
>> This user was created with samba-tool. You can use samba-tool to add the uidNumber & gidNumber when you create the user; try 'samba-tool user create --help'. The group you use must also have a gidNumber, which you will have to add with an .ldif file.
>> Rowland
>>> Somehow I think I got sidetracked somewhere, but don't know how to recover.
>>> I'd be glad for any help or hint.
>>> Thanks, David
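
The two steps Rowland describes (give the group a gidNumber via LDIF, then create the user with its RFC2307 ids through samba-tool), written out as an added shell example that is not from the thread or from the Samba project. It assumes the lan.dasz.at domain from the thread plus a constructed group "linuxusers" (gid 10000) and user "testuser2" (uid 10001); the check function flags a user dump like the one above, which has no uidNumber/gidNumber.

```bash
#!/bin/sh
# Added example: RFC2307 ids for a Samba AD group and user.
# Constructed assumptions: group linuxusers -> gidNumber 10000, user testuser2 -> uidNumber 10001.

# 1. LDIF that adds a gidNumber to an existing AD group ($1 = group DN, $2 = gid).
#    gidNumber is already allowed on group objects by the AD schema, so only the
#    attribute is added; no objectClass change is needed.
make_group_ldif() {
    printf 'dn: %s\nchangetype: modify\nadd: gidNumber\ngidNumber: %s\n' "$1" "$2"
}

# 2. Check a user dump (ldapsearch/ldbsearch LDIF in file $1): both ids must be present.
#    Returns 0 when uidNumber and gidNumber are set, 1 otherwise. The testuser record
#    in the thread fails this, which is why `id` showed an xidNumber from idmap.ldb
#    (uid 3000021) instead of a value the DC and the member agree on.
has_posix_ids() {
    grep -q '^uidNumber: [0-9][0-9]*$' "$1" && grep -q '^gidNumber: [0-9][0-9]*$' "$1"
}

# 3. On the DC: apply the LDIF with ldapmodify (as in the thread) and create the
#    user with its ids at creation time, the options `samba-tool user create --help`
#    lists. Skips itself where the Samba tools are not installed.
provision_posix_user() {
    command -v samba-tool >/dev/null 2>&1 || { echo 'samba-tool not found; skipping' >&2; return 0; }
    ldif=$(mktemp)
    make_group_ldif 'CN=linuxusers,CN=Users,DC=lan,DC=dasz,DC=at' 10000 > "$ldif"
    ldapmodify -h localhost -p 389 -D 'Administrator@LAN.DASZ.AT' -W -f "$ldif"
    rm -f "$ldif"
    # The user's gidNumber must match a group that now carries that gidNumber.
    samba-tool user create testuser2 --random-password \
        --uid-number=10001 --gid-number=10000 \
        --unix-home=/home/testuser2 --login-shell=/bin/bash
}
```

For winbind on the DC itself to honour these attributes rather than idmap.ldb, smb.conf also needs `idmap_ldb:use rfc2307 = yes` in [global]; that setting is not mentioned in the thread but is a standard Samba AD DC parameter.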
