[Samba] winbind nss info = sfu is not so much working

Jonathan C. Detert detertj at msoe.edu
Thu Apr 27 17:09:19 GMT 2006


* Guenther Deschner <gd at samba.org> [060427 11:56]:
> On Thu, Apr 27, 2006 at 11:21:45AM -0500, Jonathan C. Detert wrote:
> > with samba 3.0.22, I'm trying to integrate a linux box with Microsoft AD
> > by using winbind for authentication as well as for the source of nss info.
> > 
> > When winbind is configured to use its own local id maps, everything
> > works fine.
> > 
> > But when I configure winbind to use 'ad' as the source of nss info,
> > authentication fails, 'getent' commands return no results, and
> > 'wbinfo -r someusername' returns nothing (though wbinfo -u and -g work
> > correctly).

-- snip --

> > And here is how smb.conf looks when winbind is configured to use AD for
> > nss:
> > --------------
> >    winbind enum groups = yes
> >    winbind enum users = yes
> >    winbind separator = +
> >    winbind nested groups = yes
> >    winbind nss info = sfu
> >    winbind use default domain = yes
> > 
> >    idmap backend = ad
> 
> You still need to have the idmap ranges set so that winbind does not fall
> into the "netlogon proxy only" mode. Does it work then?

Yes, thanks!  I don't understand that at all.  What is 'netlogon proxy only'
mode?

If winbind is mapping a sid to the uid/gid recorded in AD via the sfu
schema attributes, then why would I tell winbind what range it can use for
the uids and gids that it maps the sids to?

Also, what relationship do my idmap id ranges have to the actual values
in AD for the msSFU30UidNumber and msSFU30GidNumber attributes?  Do I
need to ensure that my idmap id ranges match the ranges of values used
in AD for msSFU30UidNumber and msSFU30GidNumber?

Thanks again!  This is good news.
-- 
Happy Landings,

Jon Detert
IT Systems Administrator, Milwaukee School of Engineering
1025 N. Broadway, Milwaukee, Wisconsin 53202, U.S.A.

