Thu Jun 24 21:04:04 GMT 2004

Recently, I've spent the last few days trying to get some unix client 
boxes to authenticate logins via winbind, so all of our unix system 
accounts can be maintained from active directory.  So far, everything 
is working, and users can authenticate into the system, but they are 
assigned random uid/gid values, based on the smb.conf as well as the 
internal winbind_idmap.tdb file.
Anyways, since users' home directories are in NFS, the uid/gid need to 
be uniform across the network, which is where ldap comes in.  So, we 
added a set of schema to active directory in windows, and now every 
user has two new fields, uidNumber and gidNumber.  The only thing I 
need to do now is somehow get samba to get this information out of the 
AD via LDAP, and use it rather than letting samba make its own uid 
I set up samba with all the relevant details of how to contact our AD 
server with LDAP (I should note that I can browse the uidNumber and 
gidNumber fields from a command line in unix with the ldapsearch tool). 
However, for whatever reason, samba can't seem to authenticate this 
way, and no information gets dumped to the error logs.  Here's the 
smb.conf I've been working with:

         workgroup = WORKGROUP
         security = DOMAIN
         log level = 10
         log file = /var/adm/samba.log
         local master = No
         domain master = No
         wins server = leviathan
         ldap server = zurg
         ldap suffix = dc=example,dc=com
         ldap user suffix = ou=Employees
         ldap group suffix = ou=Groups
         ldap filter = (uidNumber=%u)
         ldap admin dn = cn=Administrator,cn=Users,dc=example,dc=com
         ldap ssl = no
         idmap backend = ldap:ldap://zurg
         idmap uid = 1000-2000
         idmap gid = 600-1000
         template primary group = employee
         template homedir = /home/%U
         template shell = /bin/bash
         winbind use default domain = Yes

Here, zurg is our AD server (running windows 2003 server).  The only 
thing that I can think of that might be bad is that it won't allow 
anonymous binds... yet I haven't seen any place to put in a bind 
password for LDAP.  Does anyone know how I might be able to get this up 
and running?
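Added example (not part of the original post, and not Samba's own code): whichever backend eventually reads uidNumber/gidNumber out of AD, NFS will trust those numbers for file access, so a duplicate or out-of-range value silently gives one user another user's files. The script below parses the kind of LDIF that `ldapsearch` prints, reads the `idmap uid` / `idmap gid` ranges from the smb.conf above, and reports entries that are missing the attributes, fall outside the ranges, or share a uidNumber. The LDIF, the account names (alice, bob, carol, dave, svc) and the values are constructed for the example; nothing here contacts a directory server.

```python
"""Pre-flight check of AD-sourced uidNumber/gidNumber against smb.conf idmap ranges.

Constructed example: the LDIF mimics `ldapsearch -x ... sAMAccountName uidNumber gidNumber`
output; the account names and numbers are made up for illustration.
"""
import re

# Constructed sample directory output (what ldapsearch would print for the ou=Employees subtree).
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Employees,DC=example,DC=com
sAMAccountName: alice
uidNumber: 1001
gidNumber: 600

dn: CN=Bob Example,OU=Employees,DC=example,DC=com
sAMAccountName: bob
uidNumber: 1002
gidNumber: 600

dn: CN=Carol Example,OU=Employees,DC=example,DC=com
sAMAccountName: carol
uidNumber: 1001
gidNumber: 601

dn: CN=Dave Example,OU=Employees,DC=example,DC=com
sAMAccountName: dave
uidNumber: 2500
gidNumber: 600

dn: CN=Svc Account,OU=Employees,DC=example,DC=com
sAMAccountName: svc
"""

# The idmap range lines exactly as they appear in the smb.conf from the post.
SMB_CONF_SNIPPET = """\
         idmap uid = 1000-2000
         idmap gid = 600-1000
"""


def parse_ldif(text):
    """Return one dict per LDIF entry; attribute values are kept as lists."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            attr, _, value = line.partition(": ")
            entry.setdefault(attr, []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries


def parse_idmap_ranges(conf):
    """Extract (low, high) for `idmap uid` and `idmap gid` from smb.conf text."""
    ranges = {}
    for key in ("idmap uid", "idmap gid"):
        m = re.search(r"^\s*%s\s*=\s*(\d+)\s*-\s*(\d+)" % re.escape(key), conf, re.M)
        if m:
            ranges[key] = (int(m.group(1)), int(m.group(2)))
    return ranges


def check_posix_ids(entries, ranges):
    """Report accounts whose POSIX ids are missing, outside the idmap ranges, or duplicated."""
    uid_lo, uid_hi = ranges["idmap uid"]
    gid_lo, gid_hi = ranges["idmap gid"]
    findings = {"missing": [], "out_of_range": [], "duplicate_uid": {}}
    owners_by_uid = {}
    for entry in entries:
        name = entry.get("sAMAccountName", ["?"])[0]
        if "uidNumber" not in entry or "gidNumber" not in entry:
            # Without both attributes winbind has nothing to map; flag before it falls back to allocation.
            findings["missing"].append(name)
            continue
        uid = int(entry["uidNumber"][0])
        gid = int(entry["gidNumber"][0])
        if not uid_lo <= uid <= uid_hi:
            findings["out_of_range"].append((name, "uidNumber", uid))
        if not gid_lo <= gid <= gid_hi:
            findings["out_of_range"].append((name, "gidNumber", gid))
        owners_by_uid.setdefault(uid, []).append(name)
    # Two accounts with one uidNumber are indistinguishable to NFS: report them together.
    findings["duplicate_uid"] = {u: n for u, n in owners_by_uid.items() if len(n) > 1}
    return findings


if __name__ == "__main__":
    report = check_posix_ids(parse_ldif(SAMPLE_LDIF), parse_idmap_ranges(SMB_CONF_SNIPPET))
    for kind, items in report.items():
        print(kind, items)
```

Run it against real `ldapsearch` output by replacing SAMPLE_LDIF with the captured LDIF; anything listed under duplicate_uid or out_of_range needs fixing in AD before the home directories go on NFS. Separately from this check: the LDAP bind password is not an smb.conf parameter; Samba stores the password for the `ldap admin dn` in secrets.tdb, set with `smbpasswd -w`.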
