[Samba] Re: ldapsearch and getent passwd/group with nss winbind differs

Andreas Ladanyi knuffiandy at web.de
Tue Aug 26 18:48:32 GMT 2008

Hi Doug,

I read your mail intently and would like to thank you for your detailed 
explanation. ;-)

I will change the parameter you suggested and do some more tests to 
verify my understanding.


Doug VanLeuven schrieb:
> Andreas Ladanyi wrote:
>>>> There is one "UNIX attribute" tab and one "Members Of" tab.
>>>> During some tests we discovered the following facts
>>>> =================================================
>>>> In "UNIX attribute" tab:
>>>> ========================
>>>> winbind is only interested in the UID field ->
>>>> in the LDAP tree, the attribute "uidnumber".
>>> If you're talking SFU, it doesn't use uidnumber.  It uses attribute 
>>> msSFU30UidNumber and displays UID on the Unix Attributes tab.
>>> I don't have a Windows 2003 R2 for comparison.  Are you really using 
>>> SFU (Services For Unix 3.0) or do you have the newer 2003 R2?
>> I use 2003 R2 and installed the "Unix plugin" for the AD schema 
>> extension from the Windows component setup.
> OK.  You probably have the rfc2307 attributes.
>> From rfc2307:
> 2.2. Attributes
>   The attributes and classes defined in this document are summarized
>   below.
>   The following attributes are defined in this document:
>           uidNumber
>           gidNumber
>           gecos
>           homeDirectory
>           loginShell
>           ...(more attributes)...
> This isn't "winbind nss info = sfu template", it's "nss info = rfc2307 
> template"
> SFU is strictly for MS (c) Services for Unix which added alien attribute 
> names to the tree.
> SFU attributes are named thus:
>  msSFU30UidNumber
>  msSFU30GidNumber
>  msSFU30Gecos
>  msSFU30HomeDirectory
>  msSFU30LoginShell
> If I remember the idmap_ad code correctly, idmap_ad queries for each 
> style of attribute and remembers what it finds.  For basic samba 
> functionality, you don't need to know your windows schema extension.  
> The winbind nss plugin will care though.
> Winbind will pick up the uidNumber for users and the gidNumber for groups
> but group membership will be determined by the windows group membership.
> The gid numbers of the windows groups will come from your unix tab.
> Put another way, winbind will lookup the SIDs of your windows group 
> membership and lookup the gidNumber attribute for those SIDs.
> You only have to synchronize the unix tab group membership if you are using
> the windows NFS server.  Windows will use those numbers when it exports NFS
> shares and sets NFS acls.
> I used perl LDAP scripting to check the synchronization, because I needed
> NFS shares in windows and wanted the acl permissions consistent.
>>>> The other attributes from the "UNIX attribute" tab are written to the 
>>>> LDAP tree, but not used by winbind on the Linux side.
>>>> For example we set the following parameter in smb.conf:
>>>> winbind nss info = sfu
>>>> Of course we could define our own template shell/home with the 
>>>> "template home" and "template shell" parameters, but it's better if 
>>>> "sfu" works, so we would configure these parameters via the tab.
>>> Winbind only uses this parameter when it creates a Unix account.  
>>> Which shouldn't happen for your AD domain members if your AD is 
>>> mapped correctly.
>> winbind uses this parameter only if "it" creates a Unix account? As in 
>> the case where I create a Unix account with "adduser" in a terminal?
>> The mapping seems to be correct if I have a look at "getent passwd" and 
>> "getent group".
>>>> The "primary Group" is written to the ldap tree but not used by 
>>>> winbind on the unix side.
>> I meant the "primary Group" text field from:
>> "UNIX attribute" tab
>> seems to be NOT used by winbind.
>> The "primary group" which you can set:
>> by clicking the button "primary group" in "Members Of" tab
>> IS USED by winbind perfectly.
>> I am sorry if my explanation wasn't clear in my last posting.
>>> # net ads testjoin
>>> Join is OK
>>> # wbinfo -i forest\\jdoe
>>> FOREST\jdoe:*:525:100:John Doe:/home/jdoe:/bin/bash
>>> # getent passwd|grep jdoe
>>> FOREST\jdoe:*:525:100:John Doe:/home/jdoe:/bin/bash
>>> # getent group|grep 100
>>> FOREST\domain users:x:100:
>>> You can set the value msSFU30Gecos and winbind will report it, 
>>> otherwise "Display Name" is used.
>>>> In "Members Of" tab:
>>>> ====================
>>>> In this tab you can choose a group from a list and there is a button 
>>>> with which you can set a Unix primary group by clicking. This is read by 
>>>> winbind only. But this has no effect on the primary group ID on the 
>>>> "UNIX attribute" tab.
>>>> What do you say ? Did we configure something wrong ? Is this the 
>>>> normal function ?
>>> I needed to use the "idmap config" values:
>>>        idmap domains = FOREST
>>>        idmap config FOREST:readonly = yes
>>>        idmap config FOREST:backend = ad
>>>        idmap config FOREST:range = 0 - 29999
>>>        idmap config FOREST:schema_mode = sfu
>>>        idmap alloc backend = tdb
>>>        idmap alloc config:range = 50000-50999
>>> and of course in nsswitch.conf:
>>> passwd: compat winbind
>>> group:  compat winbind
>>> some people like to use "files" instead of "compat", but that's about 
>>> NIS semantics and doesn't matter to winbind.
>>  winbind separator = /
>>  winbind enum users = yes
>>  winbind enum groups = yes
>>  winbind cache time = 60
>>  idmap backend = ad
>>  idmap uid = 6000-27000
>>  idmap gid = 600-7000
>>  template shell = /bin/bash
>>  template homedir = /home/%U
>>  winbind use default domain = yes
>>  winbind refresh tickets = yes
>>  allow trusted domains = yes
>>  winbind nss info = sfu template
> Should probably be winbind nss info = rfc2307 template
> FYI, you've specified the older idmap syntax.
> Refer to idmap_ad in the samba docs for the new syntax.
> The newer syntax allows you to break up the uid/gid numbers into ranges 
> allocated to different domains and local allocation.
> I've always referred to Simo's paper:
> http://www.samba.org/~idra/samba3_newidmap.pdf
>> My nsswitch.conf is like yours.
>> We want to use the "compat" mode because we hope we could exclude some 
>> users from login. Isn't this possible with winbind?!
> No.  Not with NIS semantics.  There are other mechanisms used.  None of 
> which I'm very familiar with.
>> Alternatively, I know pam_require. Do you know a way to do 
>> this task?
> No.  I hope I never have to specify a Pam config from scratch.
>> Is there a part of the documentation that shows the LDAP attributes 
>> used by winbind? Or do I have to look this up in the source 
>> code :-)
> The manpage for idmap_ad:
> http://us1.samba.org/samba/docs/man/manpages-3/idmap_ad.8.html
> Really, winbind only cares about the passwd related fields.
> uid,gid,gecos,homedir,shell
> name and password come from pre2000 name and windows password.
> The rfc2307 specs from ietf.org:
> http://www.ietf.org/rfc/rfc2307.txt
>> Thanks a lot for your posting,
> You're welcome.
> Doug
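Doug mentions checking the synchronization between the Unix attributes stored in AD and what winbind serves with a perl LDAP script. The following is an added example of such a check (not code from the thread or from Samba): it parses ldapsearch LDIF output and the lines of `getent passwd` / `getent group`, looks up the passwd-related attributes under either the rfc2307 names (uidNumber, gidNumber, gecos, homeDirectory, loginShell) or the SFU names (msSFU30*) named above, and lists every field where the directory and NSS disagree. The LDIF and getent samples embedded below are constructed for the example; the user names, OU layout and the second user are invented.

```python
"""Compare Unix attributes in AD (via ldapsearch LDIF) with winbind's NSS view.

Added example, not part of the original thread. Inputs are constructed here;
for real use, feed it `ldapsearch -LLL ...` output and `getent passwd`/`getent group`.
"""
import base64
import re

# Attribute names per schema, keyed by passwd field (rfc2307 from RFC 2307,
# SFU names as quoted in the thread).
SCHEMAS = {
    "rfc2307": {"uid": "uidNumber", "gid": "gidNumber", "gecos": "gecos",
                "home": "homeDirectory", "shell": "loginShell"},
    "sfu": {"uid": "msSFU30UidNumber", "gid": "msSFU30GidNumber",
            "gecos": "msSFU30Gecos", "home": "msSFU30HomeDirectory",
            "shell": "msSFU30LoginShell"},
}


def parse_ldif(text):
    """Return a list of entries: {lowercased attribute: [values]}.
    Folds continuation lines, decodes 'attr:: base64' values, skips comments."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # LDIF line folding
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines:
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):       # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        cur.setdefault(attr.strip().lower(), []).append(value)
    if cur:
        entries.append(cur)
    return entries


def first(entry, attr):
    vals = entry.get(attr.lower())
    return vals[0] if vals else None


def ad_view(entries, schema):
    """{user: {field: value}} and {group: gid} as stored in AD under `schema`."""
    attrs = SCHEMAS[schema]
    users, groups = {}, {}
    for e in entries:
        name = first(e, "sAMAccountName")
        if not name:
            continue
        classes = {c.lower() for c in e.get("objectclass", [])}
        if "group" in classes:
            groups[name.lower()] = first(e, attrs["gid"])
        elif "user" in classes:
            users[name.lower()] = {f: first(e, a) for f, a in attrs.items()}
    return users, groups


def strip_domain(name):
    """'FOREST\\jdoe', 'FOREST/jdoe' or 'jdoe' -> 'jdoe' (any winbind separator)."""
    return re.split(r"[\\/]", name, maxsplit=1)[-1].lower()


def parse_getent_passwd(text):
    users = {}
    for line in text.splitlines():
        if line.strip():
            name, _pw, uid, gid, gecos, home, shell = line.split(":", 6)
            users[strip_domain(name)] = {"uid": uid, "gid": gid, "gecos": gecos,
                                         "home": home, "shell": shell}
    return users


def parse_getent_group(text):
    groups = {}
    for line in text.splitlines():
        if line.strip():
            name, _pw, gid, _members = line.split(":", 3)
            groups[strip_domain(name)] = gid
    return groups


def compare(ad_users, ad_groups, nss_users, nss_groups):
    """Sorted list of (kind, name, field, ad_value, nss_value) for every difference."""
    diffs = []
    for name in sorted(set(ad_users) | set(nss_users)):
        a, n = ad_users.get(name), nss_users.get(name)
        if a is None or n is None:
            diffs.append(("user", name, "presence", a is not None, n is not None))
            continue
        for field in ("uid", "gid", "gecos", "home", "shell"):
            if a[field] != n[field]:
                diffs.append(("user", name, field, a[field], n[field]))
    for name in sorted(set(ad_groups) | set(nss_groups)):
        a, n = ad_groups.get(name), nss_groups.get(name)
        if a != n:
            diffs.append(("group", name, "gid", a, n))
    return diffs


# Constructed sample data (hypothetical domain, users and DNs).
LDIF_SAMPLE = """\
version: 1

dn: CN=John Doe,CN=Users,DC=forest,DC=example
objectClass: top
objectClass: person
objectClass: user
sAMAccountName: jdoe
displayName: John Doe
uidNumber: 525
gidNumber: 100
gecos:: Sm9obiBEb2U=
homeDirectory: /home/jdoe
loginShell: /bin/bash

dn: CN=Anna Smith,CN=Users,DC=forest,DC=example
objectClass: top
objectClass: person
objectClass: user
sAMAccountName: asmith
uidNumber: 526
gidNumber: 10000
gecos: Anna Smith
homeDirectory: /home/asmith
loginShell: /bin/zsh

dn: CN=Domain Users,CN=Users,DC=forest,DC=example
objectClass: top
objectClass: group
sAMAccountName: Domain Users
gidNumber: 100
"""
GETENT_PASSWD = """\
FOREST\\jdoe:*:525:100:John Doe:/home/jdoe:/bin/bash
FOREST\\asmith:*:526:100:Anna Smith:/home/asmith:/bin/bash
"""
GETENT_GROUP = "FOREST\\domain users:x:100:\n"


def run_sample(schema="rfc2307"):
    ad_users, ad_groups = ad_view(parse_ldif(LDIF_SAMPLE), schema)
    return compare(ad_users, ad_groups,
                   parse_getent_passwd(GETENT_PASSWD), parse_getent_group(GETENT_GROUP))


if __name__ == "__main__":
    for d in run_sample("rfc2307"):
        print("%-5s %-12s %-8s AD=%r NSS=%r" % d)
```

On the sample data the rfc2307 run reports two differences for asmith only: the gid (AD says 10000, NSS serves 100, i.e. the gidNumber on the "UNIX attribute" tab was not what winbind used for the primary group) and the shell (AD says /bin/zsh, NSS serves /bin/bash, the value a "template shell" would supply). Running it with `schema="sfu"` against an rfc2307-populated tree reports every field as missing on the AD side, which is what a wrong `schema_mode` / `winbind nss info` choice looks like from the directory's point of view.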
