[Samba] Re: ldapsearch and getent passwd/group with nss winbind differs

Doug VanLeuven roamdad at sonic.net
Mon Aug 25 08:55:30 GMT 2008

Andreas Ladanyi wrote:
>>> There is one "UNIX attribute" tab and one "Members Of" tab.
>>> During some tests we discovered the following facts
>>> =================================================
>>> In "UNIX attribute" tab:
>>> ========================
>>> winbind is only interested in the UID field ->
>>> in ldap tree the attribute "uidnumber".
>> If you're talking SFU, it doesn't use uidnumber.  It uses attribute 
>> msSFU30UidNumber and displays UID on the Unix Attributes tab.
>> I don't have a Windows 2003 R2 for comparison.  Are you really using 
>> SFU (Services For Unix 3.0) or do you have the newer 2003 R2?
> I use 2003 R2 and did install the "Unix plugin" for AD schemata 
> extension from Windows component setup.
OK.  You probably have the rfc2307 attributes.

From rfc2307:
2.2. Attributes

   The attributes and classes defined in this document are summarized

   The following attributes are defined in this document:

           ...(more attributes)...
This isn't "winbind nss info = sfu template", it's "nss info = rfc2307 template"
SFU is strictly for MS (c) Services for Unix which added alien attribute names to the tree.
SFU attributes are named thus:

If I remember the idmap_ad code correctly, idmap_ad queries for each style attribute
and remembers what it finds.  For basic samba functionality, you don't
need to know your windows schema extension.  The winbind nss plugin will care though.

Winbind will pick up the uidNumber for users and the gidNumber for groups
but group membership will be determined by the windows group membership.
The gid numbers of the windows groups will come from your unix tab.
Put another way, winbind will lookup the SIDs of your windows group membership
and lookup the gidNumber attribute for those SIDs.
You only have to synchronize the unix tab group membership if you are using
the windows NFS server.  Windows will use those numbers when it exports NFS
shares and sets NFS acls.
I used perl LDAP scripting to check the synchronization, because I needed
NFS shares in windows and wanted the acl permissions consistent.

>>> The other attributes from "UNIX attribute" tab are written to ldap 
>>> tree, but not used by winbind on linux side.
>>> For example we set the following parameter in smb.conf:
>>> winbind nss info = sfu
>>> Of course we could define our own template bash/home with the 
>>> "template home" and "template shell" parameter, but its better the 
>>> "sfu" will work, so we would configure this parameter by the tab.
>> Winbind only uses this parameter when it creates a Unix account.  
>> Which shouldn't happen for your AD domain members if your AD is 
>> mapped correctly.
> winbind uses this parameter only if "it" creates a unix account? In 
> case I create a unix account with "adduser" on a terminal?
> The mapping seems to be correct if I have a look at "getent passwd + 
> getent group"
>>> The "primary Group" is written to the ldap tree but not used by 
>>> winbind on the unix side.
> I meant the "primary Group" text field from:
> "UNIX attribute" tab
> seems to be NOT used by winbind.
> The "primary group" which you can set:
> by clicking the button "primary group" in "Members Of" tab
> IS USED by winbind perfectly.
> I am sorry if my explanation wasn't clear in my last posting.
>> # net ads testjoin
>> Join is OK
>> # wbinfo -i forest\\jdoe
>> FOREST\jdoe:*:525:100:John Doe:/home/jdoe:/bin/bash
>> # getent passwd|grep jdoe
>> FOREST\jdoe:*:525:100:John Doe:/home/jdoe:/bin/bash
>> # getent group|grep 100
>> FOREST\domain users:x:100:
>> You can set the value msSFU30Gecos and winbind will report it, 
>> otherwise "Display Name" is used.
>>> In "Members Of" tab:
>>> ====================
>>> In this tab you can choose a group from a list and there is a button 
>>> with which you can set a Unix primary group by clicking. This will be read by 
>>> winbind only. But this has no force on the primary group ID on the 
>>> "UNIX attribute" tab.
>>> What do you say? Did we configure something wrong? Is this the 
>>> normal function?
>> I needed to use the "idmap config" values:
>>        idmap domains = FOREST
>>        idmap config FOREST:readonly = yes
>>        idmap config FOREST:backend = ad
>>        idmap config FOREST:range = 0 - 29999
>>        idmap config FOREST:schema_mode = sfu
>>        idmap alloc backend = tdb
>>        idmap alloc config:range = 50000-50999
>> and of course in nsswitch.conf:
>> passwd: compat winbind
>> group:  compat winbind
>> some people like to use "files" instead of "compat", but that's about 
>> NIS semantics and doesn't matter to winbind.
>  winbind separator = /
>  winbind enum users = yes
>  winbind enum groups = yes
>  winbind cache time = 60
>  idmap backend = ad
>  idmap uid = 6000-27000
>  idmap gid = 600-7000
>  template shell = /bin/bash
>  template homedir = /home/%U
>  winbind use default domain = yes
>  winbind refresh tickets = yes
>  allow trusted domains = yes
>  winbind nss info =  sfu  template
Should probably be winbind nss info =  rfc2307  template
FYI, you've specified the older idmap syntax.
Refer to idmap_ad in the samba docs for the new syntax.
The newer syntax allows you to break up the uid/gid numbers into ranges 
for different domains and local allocation.
I've always referred to Simo's paper:
> My nsswitch.conf is like yours.
> We want to use the "compat" mode because we hope we could exclude some 
> users from login. This isn't possible with winbind?!
No.  Not with NIS semantics.  There are other mechanisms used.  None of 
which I'm very familiar with.
> Alternatively I know pam_require. Do you know an opportunity to do 
> this task ?
No.  I hope I never have to specify a Pam config from scratch.
> Is there a part of the documentation where the ldap attributes are shown 
> which are used by winbind? Or do I have to look this up in the source 
> code :-)
The manpage for idmap_ad:

Really, winbind only cares about the passwd related fields.
name and password come from pre2000 name and windows password.

The rfc2307 specs from ietf.org:
> Thanks a lot for your posting,
You're welcome.
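The lookups described in this thread, as an added example (not Doug's perl script and not Samba code): winbind takes a user's uidNumber from the user entry, takes the gid from the gidNumber of the Windows primary group (primaryGroupID, the "Members Of" tab) and of every group that lists the user in `member`, and ignores the gidNumber on the user's own "UNIX attribute" tab. Both attribute styles (rfc2307 uidNumber/gidNumber and SFU msSFU30UidNumber/msSFU30GidNumber) are tried, the way the post says idmap_ad does. The last function does the synchronization check Doug mentions for the Windows NFS server: it compares the unix-tab memberUid list with the Windows membership. The LDAP entries below are constructed in-line so the script runs offline; the DNs, SIDs, numbers and names are invented, and the FOREST domain name, `\` separator, `/home/%U` homedir and `/bin/bash` shell are taken from the configuration quoted in the thread.

```python
"""Model of the winbind / idmap_ad attribute lookups discussed in the thread
(added example; not Samba's code). Entries below are constructed test data."""
from typing import Dict, List, Optional, Tuple

# Constructed user entries. Attribute names are the real AD / rfc2307 / SFU
# names from the thread; every value is invented.
USERS: Dict[str, dict] = {
    "CN=jdoe,CN=Users,DC=forest,DC=example": {
        "sAMAccountName": "jdoe",
        "objectSid": "S-1-5-21-1-2-3-1105",
        "primaryGroupID": 513,      # Windows primary group RID ("Members Of" tab)
        "uidNumber": 525,           # rfc2307 names (2003 R2 schema extension)
        "gidNumber": 100,           # unix-tab "primary group": NOT used by winbind
        "displayName": "John Doe",
    },
    "CN=asmith,CN=Users,DC=forest,DC=example": {
        "sAMAccountName": "asmith",
        "objectSid": "S-1-5-21-1-2-3-1106",
        "primaryGroupID": 513,
        "msSFU30UidNumber": 526,    # SFU-style names (Services for Unix 3.0)
        "msSFU30GidNumber": 100,
    },
}

# Constructed group entries. 'member' is the Windows membership winbind uses;
# 'memberUid' is what the unix tab writes and what the Windows NFS server reads.
GROUPS: Dict[str, dict] = {
    "CN=Domain Users,CN=Users,DC=forest,DC=example": {
        "objectSid": "S-1-5-21-1-2-3-513",
        "gidNumber": 100,
        "member": [],                     # membership here is via primaryGroupID
        "memberUid": ["jdoe"],            # unix tab is missing asmith
    },
    "CN=nfsusers,CN=Users,DC=forest,DC=example": {
        "objectSid": "S-1-5-21-1-2-3-1201",
        "gidNumber": 1201,
        "member": ["CN=jdoe,CN=Users,DC=forest,DC=example"],
        "memberUid": ["jdoe", "asmith"],  # unix tab has asmith extra
    },
}


def posix_ids(entry: dict) -> Tuple[Optional[str], Optional[int], Optional[int]]:
    """Return (schema_mode, uid, gid), trying rfc2307 names first, then SFU names."""
    for mode, uid_attr, gid_attr in (("rfc2307", "uidNumber", "gidNumber"),
                                     ("sfu", "msSFU30UidNumber", "msSFU30GidNumber")):
        if uid_attr in entry or gid_attr in entry:
            return mode, entry.get(uid_attr), entry.get(gid_attr)
    return None, None, None


def rid(sid: str) -> int:
    """Relative identifier: the last component of an objectSid string."""
    return int(sid.rsplit("-", 1)[1])


def windows_members(group: dict) -> List[str]:
    """sAMAccountNames winbind considers members: primaryGroupID match or 'member' DN."""
    return sorted(u["sAMAccountName"] for dn, u in USERS.items()
                  if rid(group["objectSid"]) == u["primaryGroupID"]
                  or dn in group.get("member", []))


def winbind_gids(user_dn: str) -> List[int]:
    """GIDs winbind reports for a user: gidNumber of each group the user belongs
    to on the Windows side. The user's own unix-tab gidNumber is never consulted."""
    name = USERS[user_dn]["sAMAccountName"]
    return sorted(posix_ids(g)[2] for g in GROUPS.values()
                  if posix_ids(g)[2] is not None and name in windows_members(g))


def passwd_line(user_dn: str, domain: str = "FOREST", sep: str = "\\") -> str:
    """getent-style line: uid from the user, gid from the Windows primary group,
    gecos from msSFU30Gecos or displayName, home/shell from the template settings."""
    u = USERS[user_dn]
    _, uid, _ = posix_ids(u)
    primary_gid = next(posix_ids(g)[2] for g in GROUPS.values()
                       if rid(g["objectSid"]) == u["primaryGroupID"])
    gecos = u.get("msSFU30Gecos", u.get("displayName", ""))
    name = u["sAMAccountName"]
    return f"{domain}{sep}{name}:*:{uid}:{primary_gid}:{gecos}:/home/{name}:/bin/bash"


def unix_tab_drift(group_dn: str) -> Dict[str, List[str]]:
    """Compare the unix-tab memberUid list with Windows membership. Drift only
    matters when the Windows NFS server exports with the unix-tab numbers."""
    g = GROUPS[group_dn]
    windows, unix_tab = set(windows_members(g)), set(g.get("memberUid", []))
    return {"missing_from_unix_tab": sorted(windows - unix_tab),
            "extra_in_unix_tab": sorted(unix_tab - windows)}


if __name__ == "__main__":
    for dn in USERS:
        print(passwd_line(dn), winbind_gids(dn))
    for dn in GROUPS:
        print(dn, unix_tab_drift(dn))
```

Run against real data, the same functions would take the output of an ldapsearch for `objectClass=user` and `objectClass=group`; the point of keeping `windows_members` separate from `unix_tab_drift` is that the first is what winbind's `getent group` will show and the second is what the NFS server will enforce.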