[Samba] Re: ldapsearch and getent passd/group with nss winbind
knuffiandy at web.de
Tue Aug 26 18:48:32 GMT 2008
I read your mail intently and would like to thank you for your detailed
I will change the parameter you suggest and do some more tests to
verify my comprehension.
Doug VanLeuven wrote:
> Andreas Ladanyi wrote:
>>>> There is one "UNIX attribute" tab and one "Members Of" tab.
>>>> During some tests we discovered the following facts
>>>> In "UNIX attribute" tab:
>>>> winbind is only interested in the UID field ->
>>>> in ldap tree the attribute "uidnumber".
>>> If you're talking SFU, it doesn't use uidnumber. It uses attribute
>>> msSFU30UidNumber and displays UID on the Unix Attributes tab.
>>> I don't have a Windows 2003 R2 for comparison. Are you really using
>>> SFU (Services For Unix 3.0) or do you have the newer 2003 R2?
>> I use 2003 R2 and did install the "Unix plugin" for the AD schema
>> extension from the Windows component setup.
> OK. You probably have the rfc2307 attributes.
>> From rfc2307:
> 2.2. Attributes
> The attributes and classes defined in this document are summarized
> The following attributes are defined in this document:
> ...(more attributes)...
> This isn't "winbind nss info = sfu template", it's "nss info = rfc2307
> SFU is strictly for MS (c) Services for Unix which added alien attribute
> names to the tree.
> SFU attributes are named thus:
> If I remember the idmap_ad code correctly, idmap_ad queries for each
> style attribute and remembers what it finds. For basic samba functionality, you don't
> need to know your windows schema extension. The winbind nss plugin will
> care though.
> Winbind will pick up the uidNumber for users and the gidNumber for groups
> but group membership will be determined by the windows group membership.
> The gid numbers of the windows groups will come from your unix tab.
> Put another way, winbind will look up the SIDs of your windows groups
> and look up the gidNumber attribute for those SIDs.
> You only have to synchronize the unix tab group membership if you are using
> the windows NFS server. Windows will use those numbers when it exports NFS
> shares and sets NFS acls.
> I used perl LDAP scripting to check the synchronization, because I needed
> NFS shares in windows and wanted the acl permissions consistent.
>>>> The other attributes from "UNIX attribute" tab are written to ldap
>>>> tree, but not used by winbind on linux side.
>>>> For example we set the following parameter in smb.conf:
>>>> winbind nss info = sfu
>>>> Of course we could define our own template shell/home with the
>>>> "template home" and "template shell" parameters, but it's better if
>>>> "sfu" works, so we would configure this parameter via the tab.
>>> Winbind only uses this parameter when it creates a Unix account.
>>> Which shouldn't happen for your AD domain members if your AD is
>>> mapped correctly.
>> winbind uses this parameter only if "it" creates a unix account? In
>> case I create a unix account with "adduser" on the terminal?
>> The mapping seems to be correct if I have a look at "getent passwd" and
>> "getent group".
>>>> The "primary Group" is written to the ldap tree but not used by
>>>> winbind on the unix side.
>> I meant the "primary Group" text field from:
>> "UNIX attribute" tab
>> seems to be NOT used by winbind.
>> The "primary group" which you can set:
>> by clicking the button "primary group" in "Members Of" tab
>> IS USED by winbind perfectly.
>> I am sorry if my explanation wasn't clear in my last posting.
>>> # net ads testjoin
>>> Join is OK
>>> # wbinfo -i forest\\jdoe
>>> FOREST\jdoe:*:525:100:John Doe:/home/jdoe:/bin/bash
>>> # getent passwd|grep jdoe
>>> FOREST\jdoe:*:525:100:John Doe:/home/jdoe:/bin/bash
>>> # getent group|grep 100
>>> FOREST\domain users:x:100:
>>> You can set the value msSFU30Gecos and winbind will report it,
>>> otherwise "Display Name" is used.
>>>> In "Members Of" tab:
>>>> In this tab you can choose a group from a list, and there is a button
>>>> with which you can set a Unix primary group by clicking. This is read by
>>>> winbind only. But this has no effect on the primary group ID on the
>>>> "UNIX attribute" tab.
>>>> What do you say? Did we configure something wrong? Is this the
>>>> normal behaviour?
>>> I needed to use the "idmap config" values:
>>> idmap domains = FOREST
>>> idmap config FOREST:readonly = yes
>>> idmap config FOREST:backend = ad
>>> idmap config FOREST:range = 0 - 29999
>>> idmap config FOREST:schema_mode = sfu
>>> idmap alloc backend = tdb
>>> idmap alloc config:range = 50000-50999
>>> and of course in nsswitch.conf:
>>> passwd: compat winbind
>>> group: compat winbind
>>> some people like to use "files" instead of "compat", but that's about
>>> NIS semantics and doesn't matter to winbind.
>> winbind separator = /
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind cache time = 60
>> idmap backend = ad
>> idmap uid = 6000-27000
>> idmap gid = 600-7000
>> template shell = /bin/bash
>> template homedir = /home/%U
>> winbind use default domain = yes
>> winbind refresh tickets = yes
>> allow trusted domains = yes
>> winbind nss info = sfu template
> Should probably be winbind nss info = rfc2307 template
> FYI, you've specified the older idmap syntax.
> Refer to idmap_ad in the samba docs for the new syntax.
> The newer syntax allows you to break up the uid/gid numbers into ranges
> for different domains and local allocation.
> I've always referred to Simo's paper:
>> My nsswitch.conf is like yours.
>> We want to use the "compat" mode because we hope we could exclude some
>> users from login. This isn't possible with winbind?!
> No. Not with NIS semantics. There are other mechanisms used. None of
> which I'm very familiar with.
>> Alternatively I know pam_require. Do you know a way to do
>> this task?
> No. I hope I never have to specify a Pam config from scratch.
>> Is there a part of the documentation where the LDAP attributes used by
>> winbind are shown? Or do I have to look this up in the source
>> code :-)
> The manpage for idmap_ad:
> Really, winbind only cares about the passwd-related fields.
> Name and password come from the pre-2000 name and the windows password.
> The rfc2307 specs from ietf.org:
>> Thanks a lot for your posting,
> You're welcome.
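Doug's point about the newer per-domain idmap syntax is worth checking mechanically: with "idmap config FOREST:backend = ad" winbind takes uidNumber/gidNumber straight from the directory, so an id outside the configured range, or two domains whose ranges overlap, ends up as files owned by the wrong principal. The script below is an added example of mine, not code from this thread or from the Samba project. It parses the "idmap config FOREST:range" and "idmap alloc config:range" lines from Doug's message, reports overlapping ranges, and checks that the ids in sample getent output fall inside their domain's range. The jdoe and "domain users" lines are the thread's own output; the svc_backup, root and wheel entries and the OTHERDOM domain are constructed for the demonstration.

```python
"""Audit winbind idmap ranges against what getent reports (added example)."""
import re
from typing import Dict, List, Optional, Tuple

Range = Tuple[int, int]

# "idmap config FOREST:range = 0 - 29999" (per-domain syntax from the thread)
_DOMAIN_RANGE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^:\s]+)\s*:\s*range\s*=\s*(?P<lo>\d+)\s*-\s*(?P<hi>\d+)\s*$",
    re.IGNORECASE,
)
# "idmap alloc config:range = 50000-50999" (local allocation pool from the thread)
_ALLOC_RANGE = re.compile(
    r"^\s*idmap\s+alloc\s+config\s*:\s*range\s*=\s*(?P<lo>\d+)\s*-\s*(?P<hi>\d+)\s*$",
    re.IGNORECASE,
)

# Constructed smb.conf fragment; the idmap lines are copied from Doug's message.
SMB_CONF = """[global]
   idmap domains = FOREST
   idmap config FOREST:readonly = yes
   idmap config FOREST:backend = ad
   idmap config FOREST:range = 0 - 29999
   idmap config FOREST:schema_mode = rfc2307
   idmap alloc backend = tdb
   idmap alloc config:range = 50000-50999
"""
# Constructed: a hypothetical trusted domain whose range overlaps FOREST's.
BAD_CONF = SMB_CONF + "   idmap config OTHERDOM:range = 20000-39999\n"

# Sample getent output: jdoe and "domain users" are from the thread,
# svc_backup, root and wheel are constructed.
PASSWD_OUT = [
    "FOREST\\jdoe:*:525:100:John Doe:/home/jdoe:/bin/bash",
    "FOREST\\svc_backup:*:41000:100:Backup svc:/home/svc_backup:/bin/bash",
    "root:x:0:0:root:/root:/bin/bash",
]
GROUP_OUT = ["FOREST\\domain users:x:100:", "wheel:x:10:"]


def parse_idmap_ranges(conf: str) -> Dict[str, Range]:
    """Map each domain (upper-cased) or 'ALLOC' to its (low, high) range."""
    ranges: Dict[str, Range] = {}
    for line in conf.splitlines():
        m = _DOMAIN_RANGE.match(line)
        if m:
            ranges[m.group("dom").upper()] = (int(m.group("lo")), int(m.group("hi")))
            continue
        m = _ALLOC_RANGE.match(line)
        if m:
            ranges["ALLOC"] = (int(m.group("lo")), int(m.group("hi")))
    return ranges


def find_overlaps(ranges: Dict[str, Range]) -> List[Tuple[str, str]]:
    """Pairs of ranges that intersect: two SIDs could then get the same Unix id."""
    names = sorted(ranges)
    found: List[Tuple[str, str]] = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (lo_a, hi_a), (lo_b, hi_b) = ranges[a], ranges[b]
            if lo_a <= hi_b and lo_b <= hi_a:
                found.append((a, b))
    return found


def check_entries(passwd_lines: List[str], group_lines: List[str],
                  ranges: Dict[str, Range], separator: str = "\\",
                  default_domain: Optional[str] = None) -> List[Tuple[str, Optional[int], str]]:
    """Return (name, id, reason) for every domain entry whose id is outside its range.

    Names without a domain prefix are treated as local accounts and skipped,
    unless default_domain is given (the "winbind use default domain = yes"
    case, where winbind strips the prefix from every entry it supplies).
    """
    problems: List[Tuple[str, Optional[int], str]] = []
    for kind, lines in (("passwd", passwd_lines), ("group", group_lines)):
        for line in lines:
            fields = line.split(":")
            name = fields[0]
            try:
                num = int(fields[2])          # uid in passwd, gid in group
            except (IndexError, ValueError):
                problems.append((name, None, f"malformed {kind} entry"))
                continue
            if separator in name:
                dom = name.split(separator, 1)[0].upper()
            elif default_domain:
                dom = default_domain.upper()
            else:
                continue                       # local /etc/passwd or /etc/group entry
            rng = ranges.get(dom)
            if rng is None:
                problems.append((name, num, f"no idmap range configured for {dom}"))
            elif not rng[0] <= num <= rng[1]:
                problems.append((name, num, f"{kind} id outside {dom} range {rng[0]}-{rng[1]}"))
    return problems


if __name__ == "__main__":
    cfg = parse_idmap_ranges(SMB_CONF)
    print("ranges:", cfg)
    print("overlaps (good config):", find_overlaps(cfg))
    print("overlaps (bad config):", find_overlaps(parse_idmap_ranges(BAD_CONF)))
    for problem in check_entries(PASSWD_OUT, GROUP_OUT, cfg):
        print("PROBLEM:", problem)
```

Run it against your own smb.conf and the output of `getent passwd` / `getent group`; an entry outside its range, like the constructed svc_backup with uid 41000, is exactly the kind of id that a readonly ad backend will hand out if the directory's uidNumber was set by hand without regard to the range.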