[Samba] AD Integration woes - rfc2307 data not being honored
Matthew J. Salerno
vagabond_king at yahoo.com
Sat Oct 10 09:28:17 MDT 2009
----- Original Message ----
From: Andreas Zickner <andreas at zickner.de>
To: Matthew J. Salerno <Vagabond_king at yahoo.com>
Cc: samba at lists.samba.org
Sent: Sat, October 10, 2009 8:05:25 AM
Subject: Re: [Samba] AD Integration woes - rfc2307 data not being honored
Hi,
Which AD (exact version) are you using, 2003 (without R2)? Did you try different AD versions?
Did you install SFU 3.5?
There are a couple of differences in the schema, and I don't know how to configure winbind with regard to the mapping of attributes (like in nss_ldap or ldapux).
Matthew J. Salerno wrote:
> Red Hat Enterprise Linux Server release 5.2 (Tikanga) - x86_64
> Samba - 3.0.28-0.el5.8
>
> Objective: To have samba authenticate against AD and utilize the values set for the AD rfc2307 schema.
> Problem: Values stored in AD are not being used.
>
> The samba server has successfully joined the AD, but when I do a getent passwd | grep <user>, none of the values returned match what is stored in AD. The uidNumber for my account in AD is 20045, but I keep getting 1000195. I'm not so worried about the unixHomeDirectory or loginShell; it would be nice to get them, but the UID is a must.
>
> TESTDOMAIN+username:*:1000195:1000000:User Info:/home/TESTDOMAIN/username:/bin/bash
>
> Every time I make any changes to the config, I always clean up and rejoin the domain:
>
> rm -f /var/log/samba/*.tdb && rm -f /etc/samba/*tdb && rm -f /var/cache/samba/* && rm -f /var/log/samba/*
> service smb restart && service winbind restart
>
> Any help would be greatly appreciated.
>
> Here is my smb.conf
>
> [global]
> workgroup = TESTDOMAIN
> realm = TESTDOMAIN.NET
> server string = Samba file and print server
> security = ADS
> log level = 3
> log file = /var/log/samba/%m
> max log size = 200
> printcap name = cups
> preferred master = No
> idmap backend = tdb
> idmap cache time = 1800
> idmap uid = 1000000-1999999
> idmap gid = 1000000-1999999
> template shell = /bin/bash
> winbind separator = +
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind nss info = rfc2307, template
> winbind refresh tickets = Yes
> idmap config TESTDOMAIN:cache time = 1800
> idmap config TESTDOMAIN:range = 1000-999999
> idmap config TESTDOMAIN:backend = ad
> idmap config TESTDOMAIN:schema_mode = rfc2307
> [homes]
> comment = Home Directories
> valid users = %S
> read only = No
> browseable = No
> [printers]
> comment = All Printers
> guest ok = Yes
> printable = Yes
> browseable = No
> available = No
>
-- Andreas Zickner
Gotenstr. 2 - 71065 Sindelfingen - andreas at zickner.de - 015771968553
==
There is a difference between knowing one's path ...
... and walking it
Actually, the schema I am working with has been extended for both methods (before I arrived). The plan is to use rfc2307 - win2k3r2.
Regarding where I got those settings, I have read countless man pages, howtos, wikis and forum threads to put it all together. The main issue is the fact that I am using an oldish version of samba, and since the release of 3.3.x I believe things have gotten much easier. Have you tried adex? Check out:
http://samba.org/samba/docs/man/manpages-3/idmap_adex.8.html
Other points of reference:
http://samba.org/samba/docs/man/manpages-3/idmap_ad.8.html
The only issue I have with having to use the ldap backend is the fact that I would need to hardcode the ldap server. With winbind, all you need to supply is the realm & domain, then winbind takes care of which server to connect to, so it won't be limited to 1 server.
Let me know if you make any progress.
Thanks
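One quick way to tell whether the UID winbind hands back was read from AD or allocated from the local tdb range is to compare the getent record against the user's uidNumber and against the ranges in smb.conf. The script below is an added example written for this thread, not code from the Samba project or from either poster. It uses the smb.conf ranges and the getent line quoted above, and an LDIF record of the kind `ldapsearch -LLL` prints; only uidNumber 20045 in that record comes from the thread, the DN and the other attributes are hypothetical placeholders. It also checks that the AD uidNumber lies inside the domain's configured idmap range, since idmap_ad cannot honor a value outside it.

```python
import re

# --- constructed inputs, built from the values quoted in this thread ---

SMB_CONF = """\
[global]
workgroup = TESTDOMAIN
realm = TESTDOMAIN.NET
security = ADS
idmap backend = tdb
idmap uid = 1000000-1999999
idmap gid = 1000000-1999999
idmap config TESTDOMAIN:range = 1000-999999
idmap config TESTDOMAIN:backend = ad
idmap config TESTDOMAIN:schema_mode = rfc2307
"""

# The getent passwd record quoted in the original post.
GETENT_LINE = ("TESTDOMAIN+username:*:1000195:1000000:User Info:"
               "/home/TESTDOMAIN/username:/bin/bash")

# What 'ldapsearch -LLL' would print for the user's AD object.  Only
# uidNumber (20045) comes from the thread; the DN and the remaining
# attributes are hypothetical placeholders.
USER_LDIF = """\
dn: CN=username,CN=Users,DC=testdomain,DC=net
sAMAccountName: username
uidNumber: 20045
gidNumber: 20000
unixHomeDirectory: /home/username
loginShell: /bin/bash
"""


def parse_idmap_ranges(conf):
    """Collect the global allocating range ('idmap uid') and every
    per-domain 'idmap config DOM:range' as {name: (low, high)}."""
    ranges = {}
    for raw in conf.splitlines():
        line = raw.strip()
        m = re.match(r"idmap uid\s*=\s*(\d+)\s*-\s*(\d+)$", line)
        if m:
            ranges["idmap uid"] = (int(m.group(1)), int(m.group(2)))
            continue
        m = re.match(r"idmap config ([^:\s]+):range\s*=\s*(\d+)\s*-\s*(\d+)$", line)
        if m:
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges


def parse_getent_line(line):
    """Split one 'getent passwd' record into its seven fields."""
    name, _, uid, gid, gecos, home, shell = line.split(":")
    return {"name": name, "uid": int(uid), "gid": int(gid),
            "gecos": gecos, "home": home, "shell": shell}


def parse_ldif(text):
    """Minimal LDIF reader: single-valued attributes, no line folding."""
    attrs = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith("#"):
            key, value = line.split(":", 1)
            attrs[key.strip()] = value.strip()
    return attrs


def range_containing(value, ranges):
    """Name of the configured idmap range that contains value, or None."""
    for name, (low, high) in ranges.items():
        if low <= value <= high:
            return name
    return None


def check_uid(getent_line, ldif, conf, domain="TESTDOMAIN"):
    """Compare the UID winbind returned with the uidNumber stored in AD and
    report which configured range the returned value falls in."""
    ranges = parse_idmap_ranges(conf)
    returned = parse_getent_line(getent_line)["uid"]
    expected = int(parse_ldif(ldif)["uidNumber"])
    return {
        "returned_uid": returned,
        "expected_uid": expected,
        "uid_matches_ad": returned == expected,
        # A UID inside the global 'idmap uid' range was allocated by the
        # tdb backend rather than read from the AD object.
        "returned_from": range_containing(returned, ranges),
        # idmap_ad only returns IDs inside the domain's own range, so an
        # out-of-range uidNumber could never be honored.
        "expected_in_domain_range": range_containing(expected, ranges) == domain,
    }


if __name__ == "__main__":
    for key, val in check_uid(GETENT_LINE, USER_LDIF, SMB_CONF).items():
        print(f"{key}: {val}")
```

Run against the thread's values, the returned UID 1000195 lands in the global `idmap uid` range, which is the tdb allocator's range, while the expected 20045 sits inside the TESTDOMAIN range the ad backend is configured for; that is the fingerprint of the per-domain ad backend not being consulted at all. On a live host, replace the constants with the output of `testparm -s`, `getent passwd 'TESTDOMAIN+username'` and an `ldapsearch` of the user object.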