[Samba] Re: ldapsearch and getent passwd/group with nss winbind differs

Doug VanLeuven roamdad at sonic.net
Sun Aug 24 10:58:25 GMT 2008

Andreas Ladanyi wrote:
> Hey Jerry,
> Gerald (Jerry) Carter schrieb:
>> Andreas Ladanyi wrote:
>>> Ok ! Could it be true this behavior is different between
>>> "security=domain" and "security=ads" ?
>>> Because we had to put the user in the group:
>>> - first on the Windows side in Active Directory
>>> - second on the unix side in AD in the tab "Members of"
>>> so the winbind 3.0.24 client recognises the group membership on the unix side 
>>> in "security=domain" mode.
>>> Now we changed to Samba 3.0.31 with security=ads mode and the 
>>> behavior is a bit different.
>> You lost me here.  Maybe due to the fact that I accustomed
>> to the Windows 2003 R2 Unix Attribute tab.  The only member
>> of tab I see is to control the Windows group memberships.
> The reason for my message is a little confusion:
> In general you are right ;-)
Good thing too, because he's one of the primary samba developers =-O

> There is one "UNIX attribute" tab and one "Members Of" tab.
> During some tests we discovered the following facts
> =================================================
> In "UNIX attribute" tab:
> ========================
> winbind is only interested in the UID field ->
> in ldap tree the attribute "uidnumber".
If you're talking SFU, it doesn't use uidnumber.  It uses attribute 
msSFU30UidNumber and displays UID on the Unix Attributes tab.
I don't have a Windows 2003 R2 for comparison.  Are you really using SFU 
(Services For Unix 3.0) or do you have the newer 2003 R2?
> The other attributes from "UNIX attribute" tab are written to ldap 
> tree, but not used by winbind on linux side.
> For example we set the following parameter in smb.conf:
> winbind nss info = sfu
> Of course we could define our own template bash/home with the 
> "template home" and "template shell" parameters, but it's better if 
> "sfu" works, so we would configure these parameters via the tab.
Winbind only uses this parameter when it creates a Unix account.  Which 
shouldn't happen for your AD domain members if your AD is mapped correctly.
> The "primary Group" is written to the ldap tree but not used by 
> winbind on the unix side.
 # net ads testjoin
Join is OK

 # wbinfo -i forest\\jdoe
FOREST\jdoe:*:525:100:John Doe:/home/jdoe:/bin/bash
 # getent passwd|grep jdoe
FOREST\jdoe:*:525:100:John Doe:/home/jdoe:/bin/bash

 # getent group|grep 100
FOREST\domain users:x:100:

You can set the value msSFU30Gecos and winbind will report it, otherwise 
"Display Name" is used.

> In "Members Of" tab:
> ====================
> In this tab you can choose a group from a list and there is a button 
> with which you can set a Unix primary group by clicking. This will be read by 
> winbind only. But this has no effect on the primary group ID on the 
> "UNIX attribute" tab.
> What do you say? Did we configure something wrong? Is this the 
> normal behaviour?
I needed to use the "idmap config" values:
        idmap domains = FOREST
        idmap config FOREST:readonly = yes
        idmap config FOREST:backend = ad
        idmap config FOREST:range = 0 - 29999
        idmap config FOREST:schema_mode = sfu

        idmap alloc backend = tdb
        idmap alloc config:range = 50000-50999

and of course in nsswitch.conf:
passwd: compat winbind
group:  compat winbind

some people like to use "files" instead of "compat", but that's about 
NIS semantics and doesn't matter to winbind.

Regards, Doug
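Added example (not from the thread or from Samba itself): a small check that reads getent-style passwd/group output and, using the idmap ranges from the smb.conf fragment in Doug's message, flags domain accounts whose uid was handed out by the tdb allocator rather than read from AD, and accounts whose primary gid resolves to no group. The sample lines and the account "asmith" are constructed for the example; the domain name FOREST and the ranges are assumed from the message.

```python
# Ranges from the smb.conf fragment in the message above.
AD_RANGE = (0, 29999)         # idmap config FOREST:range (backend = ad)
ALLOC_RANGE = (50000, 50999)  # idmap alloc config:range (backend = tdb)

# Constructed sample input in getent(1) format: the first passwd line mirrors
# the output shown in the message; asmith is a made-up account whose ids were
# handed out by the tdb allocator instead of being read from AD.
PASSWD_LINES = [
    "FOREST\\jdoe:*:525:100:John Doe:/home/jdoe:/bin/bash",
    "FOREST\\asmith:*:50001:50002:Alice Smith:/home/asmith:/bin/bash",
    "root:x:0:0:root:/root:/bin/bash",
]
GROUP_LINES = ["FOREST\\domain users:x:100:", "root:x:0:"]

def parse_passwd(lines):
    """Map account name -> (uid, gid) from passwd-format lines."""
    out = {}
    for line in lines:
        fields = line.split(":")
        if len(fields) >= 4:  # skip blank or malformed lines
            out[fields[0]] = (int(fields[2]), int(fields[3]))
    return out

def parse_groups(lines):
    """Map gid -> group name from group-format lines."""
    out = {}
    for line in lines:
        fields = line.split(":")
        if len(fields) >= 3:
            out[int(fields[2])] = fields[0]
    return out

def check_domain_accounts(passwd_lines, group_lines, domain="FOREST"):
    """Return {account: [problems]} for domain accounts whose ids look wrong."""
    groups, problems, prefix = parse_groups(group_lines), {}, domain + "\\"
    for name, (uid, gid) in parse_passwd(passwd_lines).items():
        if not name.startswith(prefix):
            continue  # local accounts are not winbind's concern
        issues = []
        if ALLOC_RANGE[0] <= uid <= ALLOC_RANGE[1]:
            issues.append(f"uid {uid} allocated by tdb, not read from AD")
        elif not AD_RANGE[0] <= uid <= AD_RANGE[1]:
            issues.append(f"uid {uid} outside the ad backend range")
        if gid not in groups:
            issues.append(f"primary gid {gid} resolves to no group")
        if issues:
            problems[name] = issues
    return problems
```

On a real member server, replace the sample lists with the lines of `getent passwd` and `getent group`; a domain user reported with a uid in the alloc range is the sign that its msSFU30UidNumber was not found in AD.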
