[Samba] Enabling 'idmap backend = ad' for user auth
McGlorfin
mcglorfin at yahoo.com
Fri Feb 3 01:01:38 GMT 2006
I'm using Samba 3.0.21a on Fedora Core 3 to authenticate against an AD
domain. The box running AD is Win2k3 R2, so AD has the RFC2207 schema
extensions applied.
I've successfully configured Fedora to do auth through winbind with the
normal backend (using uid/gid mappings). Now I'd like to reconfig to use
AD as the backend.
I was able to do this against a pre-R2 Win2k3 server with SFU extensions
applied to AD. Now I'm working with R2.
I've followed the examples in the man pages and the HOW-TO doc
(specifically
http://us5.samba.org/samba/docs/man/Samba3-HOWTO/idmapper.html#idmapadsdms),
but without success. I've tried various permutations of: restarting the
Samba processes, leaving and rejoining the domain, tweaking various
smb.conf parameters, and wiping out the various *.tdb files. No go.
Another data point: "wbinfo -t" succeeds, but "wbinfo -u" fails.
    root# wbinfo -u
    Error looking up domain users
I'm pretty sure there's an error in my smb.conf. (What else could it
be?) Here are the relevant entries from the global section:
    workgroup = MYDOMAIN
    realm = MYDOMAIN.LOCAL
    security = ADS
    idmap backend = ad
    idmap uid = 300000-30000000
    idmap gid = 300000-30000000
    template homedir = /home/%D/%U
    template shell = /bin/bash
    winbind separator = \
    winbind cache time = 300
    winbind enum users = No
    winbind enum groups = No
    winbind use default domain = Yes
    winbind trusted domains only = Yes
    winbind nested groups = Yes
    winbind nss info = template, sfu
Thanks in advance for any insight you can offer.
-McG