[Samba] Re: ldapsearch and getent passd/group with nss winbind
roamdad at sonic.net
Sun Aug 24 10:58:25 GMT 2008
Andreas Ladanyi wrote:
> Hey Jerry,
> Gerald (Jerry) Carter schrieb:
>> Andreas Ladanyi wrote:
>>> Ok ! Could it be true this behavior is different between
>>> "security=domain" and "security=ads" ?
>>> Because we had to put the user to the group:
>>> - first on the Windows side in Active Directory
>>> - second on the Unix side in AD in the "Members Of" tab
>>> so the winbind 3.0.24 client recognises the group membership on the Unix side
>>> in "security=domain" mode.
>>> Now we changed to Samba 3.0.31 with security=ads mode and the
>>> behavior is a bit different.
>> You lost me here. Maybe due to the fact that I am accustomed
>> to the Windows 2003 R2 Unix Attribute tab. The only Members Of
>> tab I see is to control the Windows group memberships.
> The reason for my message is a little confusion:
> In general you are right ;-)
Good thing too, because he's one of the primary samba developers =-O
> There is one "UNIX attribute" tab and one "Members Of" tab.
> During some tests we discovered the following facts.
> In "UNIX attribute" tab:
> winbind is only interested in the UID field ->
> in ldap tree the attribute "uidnumber".
If you're talking SFU, it doesn't use uidnumber. It uses attribute
msSFU30UidNumber and displays UID on the Unix Attributes tab.
I don't have a Windows 2003 R2 for comparison. Are you really using SFU
(Services For Unix 3.0) or do you have the newer 2003 R2?
> The other attributes from "UNIX attribute" tab are written to ldap
> tree, but not used by winbind on linux side.
> For example we set the following parameter in smb.conf:
> winbind nss info = sfu
> Of course we could define our own template bash/home with the
> "template home" and "template shell" parameters, but it's better if
> "sfu" works, so we would configure this parameter via the tab.
Winbind only uses this parameter when it creates a Unix account. Which
shouldn't happen for your AD domain members if your AD is mapped correctly.
> The "primary Group" is written to the ldap tree but not used by
> winbind on the unix side.
# net ads testjoin
Join is OK
# wbinfo -i forest\\jdoe
# getent passwd|grep jdoe
# getent group|grep 100
You can set the value msSFU30Gecos and winbind will report it, otherwise
"Display Name" is used.
> In "Members Of" tab:
> In this tab you can choose a group from a list and there is a button
> with which you can set a Unix primary group by clicking. This is read by
> winbind only. But this has no effect on the primary group ID on the
> "UNIX attribute" tab.
> What do you say ? Did we configure something wrong ? Is this the
> normal function ?
I needed to use the "idmap config" values:
idmap domains = FOREST
idmap config FOREST:readonly = yes
idmap config FOREST:backend = ad
idmap config FOREST:range = 0 - 29999
idmap config FOREST:schema_mode = sfu
idmap alloc backend = tdb
idmap alloc config:range = 50000-50999
and of course in nsswitch.conf:
passwd: compat winbind
group: compat winbind
some people like to use "files" instead of "compat", but that's about
NIS semantics and doesn't matter to winbind.
More information about the samba
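The reply above pairs "idmap config FOREST:backend = ad" with "schema_mode = sfu" and a range of 0 - 29999, and notes that SFU stores the UID in msSFU30UidNumber rather than uidNumber. A practical consequence, which the empty "getent passwd" and "wbinfo -i" output in this thread often comes down to, is that winbind's ad backend will only map a user whose msSFU30UidNumber lies inside the configured range, and that the ad range and the tdb alloc range must not overlap. The script below is an added example, not code from the original thread or from the Samba project: it parses a constructed smb.conf fragment modelled on the settings quoted above, pulls the SFU uid out of a constructed ldapsearch LDIF for an account, and reports whether that uid can be mapped. The LDIF, the account "jroe" and the uid values are invented for illustration; "jdoe" is the account used in the thread.

```shell
#!/bin/sh
# Constructed smb.conf fragment (assumption: modelled on the idmap settings quoted above).
SMB_CONF='[global]
   security = ads
   winbind nss info = sfu
   idmap domains = FOREST
   idmap config FOREST:readonly = yes
   idmap config FOREST:backend = ad
   idmap config FOREST:range = 0 - 29999
   idmap config FOREST:schema_mode = sfu
   idmap alloc backend = tdb
   idmap alloc config:range = 50000-50999
'

# Constructed LDIF, shaped like ldapsearch output for two users with SFU attributes
# (assumption: jroe and all numeric values are invented; 60001 is deliberately outside the range).
LDIF='dn: CN=John Doe,CN=Users,DC=forest,DC=example
sAMAccountName: jdoe
msSFU30UidNumber: 10004
msSFU30GidNumber: 100
msSFU30Gecos: John Doe

dn: CN=Jane Roe,CN=Users,DC=forest,DC=example
sAMAccountName: jroe
msSFU30UidNumber: 60001
msSFU30GidNumber: 100
'

# idmap_range CONF DOMAIN -> prints "LOW HIGH" for "idmap config DOMAIN:range",
# or for "idmap alloc config:range" when DOMAIN is "alloc".
# Samba accepts both "0 - 29999" and "50000-50999", so whitespace is stripped first.
idmap_range() {
    if [ "$2" = alloc ]; then key='idmap alloc config:range'; else key="idmap config $2:range"; fi
    printf '%s\n' "$1" | awk -v key="$key" '
        index($0, key) {
            sub(/^[^=]*=[ \t]*/, "")      # drop "key ="
            gsub(/[ \t]/, "")             # normalise "0 - 29999" to "0-29999"
            split($0, r, "-")
            print r[1], r[2]; exit
        }'
}

# ldif_attr LDIF ACCOUNT ATTR -> value of ATTR in the record whose sAMAccountName is ACCOUNT.
# LDIF records are blank-line separated, so awk paragraph mode (RS="") walks them one at a time.
ldif_attr() {
    printf '%s\n' "$1" | awk -v acct="$2" -v attr="$3" '
        BEGIN { RS = ""; FS = "\n" }
        {
            name = ""; val = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, ": ")
                if (kv[1] == "sAMAccountName") name = kv[2]
                if (kv[1] == attr) val = kv[2]
            }
            if (name == acct) { print val; exit }
        }'
}

# uid_in_range ID LOW HIGH -> success when LOW <= ID <= HIGH.
uid_in_range() {
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# ranges_overlap LOW1 HIGH1 LOW2 HIGH2 -> success when the two ranges share any id.
# The ad range and the tdb alloc range must be disjoint, or allocated ids can collide with AD ones.
ranges_overlap() {
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# check_account ACCOUNT -> "ok UID" when the SFU uid lies inside the ad backend's range
# (so "getent passwd" can show the user), otherwise "out-of-range UID" or "no-uid".
# schema_mode = sfu means winbind reads msSFU30UidNumber, not uidNumber.
check_account() {
    uid=$(ldif_attr "$LDIF" "$1" msSFU30UidNumber)
    [ -n "$uid" ] || { echo "no-uid"; return 1; }
    range=$(idmap_range "$SMB_CONF" FOREST)
    low=${range% *}; high=${range#* }
    if uid_in_range "$uid" "$low" "$high"; then
        echo "ok $uid"
    else
        echo "out-of-range $uid"
        return 1
    fi
}

# Stand-alone run: report both constructed accounts and the range overlap check.
for acct in jdoe jroe; do
    printf '%s: %s\n' "$acct" "$(check_account "$acct" || :)"
done
set -- $(idmap_range "$SMB_CONF" FOREST) $(idmap_range "$SMB_CONF" alloc)
if ranges_overlap "$1" "$2" "$3" "$4"; then
    echo "ad range $1-$2 overlaps alloc range $3-$4"
else
    echo "ad range $1-$2 and alloc range $3-$4 are disjoint"
fi
```

Against a live domain the same checks would be run with "ldapsearch" output piped into ldif_attr and the real smb.conf read into SMB_CONF; the constructed data here only stands in so the logic runs offline. A user whose SFU uid falls outside the ad range is the first thing to rule out when "wbinfo -i" and "getent passwd" print nothing even though "net ads testjoin" reports "Join is OK".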