[Samba] AD Integration woes - rfc2307 data not being honored

Matthew J. Salerno vagabond_king at yahoo.com
Tue Oct 13 11:53:30 MDT 2009

----- Original Message ----
From: Andreas Zickner <andreas at zickner.de>
To: Matthew J. Salerno <Vagabond_king at yahoo.com>
Cc: samba at lists.samba.org
Sent: Sun, October 11, 2009 8:23:06 AM
Subject: Re: [Samba] AD Integration woes - rfc2307 data not being honored


I tried with Linux rh54 2.6.18-164.el5 smbd
Version 3.0.33-3.14.el5 using your settings, with the same result. I looked at the ldap communication and from there I can't see anything related to the rfc2307 / sfu attributes! In the past I have often found that it is a mapping issue. Here winbind / smb does not even search for the extended attributes!
I will do a second test with an own compiled version 3.4.2 later.


Matthew J. Salerno wrote:
> Actually, the schema I am working with has been extended for both
> methods! (Before I arrived.)  The plan is to use rfc2307 - win2k3r2. Regarding where I got those settings, I have read countless man pages, howtos,
> wikis and forum threads to put it all together.  The main issue is the fact that I am using
> an oldish version of samba, and since the release of 3.3.x I believe
> things have gotten much easier; have you tried adex?  Check out:
> http://samba.org/samba/docs/man/manpages-3/idmap_adex.8.html
> Other points of reference:
> http://samba.org/samba/docs/man/manpages-3/idmap_ad.8.html
> The only issue I have with having to use the ldap backend is the fact that I would need to hardcode the ldap server.  With winbind, all you need to supply is the realm & domain, then winbind takes care of which server to connect to, so it won't be limited to 1 server.
> Let me know if you make any progress.
> Thanks

I was able to get it working with the following configs:

# /etc/samba/smb.conf
# (the section headers were lost in the list archive; they are reconstructed here from the keys that follow)
[global]
        workgroup = TESTDOMAIN
        realm = TESTDOMAIN.NET
        server string = Samba file and print server
        security = ADS
        log level = 1
        max log size = 4192
        printcap name = cups
        preferred master = No
        idmap backend = tdb
        idmap alloc backend = tdb
        idmap alloc config:range = 5000 - 9999
        idmap cache time = 1800
        template shell = /bin/bash
        winbind separator = +
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind nss info = rfc2307
        winbind refresh tickets = Yes
        idmap config TESTDOMAIN:cache time = 1800
        idmap config TESTDOMAIN:range = 20000-999999
        idmap config TESTDOMAIN:backend = ad
        idmap config TESTDOMAIN:schema_mode = rfc2307
        idmap domains = TESTDOMAIN
        idmap config TESTDOMAIN:default = yes

[homes]
        comment = Home Directories
        valid users = %S
        read only = No
        browseable = No

[printers]
        comment = All Printers
        guest ok = Yes
        printable = Yes
        browseable = No
        available = No

# /etc/krb5.conf
# (section headers and closing braces were lost in the list archive; they are reconstructed here from the keys that follow)
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = TESTDOMAIN.NET
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 36000
 forwardable = yes

[realms]
 TESTDOMAIN.NET = {
  kdc = *
  default_domain = TESTDOMAIN.NET
 }

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
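A small consistency check for idmap settings of this shape, added here as an example (it is not code from the Samba project or from the poster). It reads the [global] section and flags the three things that make winbind quietly ignore rfc2307 data or hand out wrong ids: an "idmap config DOMAIN:" key whose domain does not match "idmap domains" / "workgroup" (the constructed sample below deliberately carries a TESTDOMAINN misspelling), "schema_mode = rfc2307" without a matching "winbind nss info", and uid ranges that overlap, which would map two identities onto the same uid and therefore the same file ownership.

```python
import re
# Constructed sample (not the poster's full file) carrying a "TESTDOMAINN" typo in one key.
SAMPLE_SMB_CONF = """
[global]
        workgroup = TESTDOMAIN
        idmap alloc config:range = 5000 - 9999
        winbind nss info = rfc2307
        idmap config TESTDOMAINN:cache time = 1800
        idmap config TESTDOMAIN:range = 20000-999999
        idmap config TESTDOMAIN:schema_mode = rfc2307
        idmap domains = TESTDOMAIN
"""

def parse_global(text):
    """Key/value pairs of the [global] section, keys lower-cased."""
    params, section = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "global" and "=" in line:
            key, _, value = line.partition("=")
            params[key.strip().lower()] = value.strip()
    return params

def parse_range(value):
    # Accepts both "5000 - 9999" and "20000-999999".
    lo, hi = re.split(r"\s*-\s*", value.strip(), maxsplit=1)
    return int(lo), int(hi)

def lint_idmap(text):
    """Return problem descriptions; an empty list means the idmap setup is consistent."""
    p, problems, per_domain = parse_global(text), [], {}
    known = {d.lower() for d in re.split(r"[,\s]+", p.get("idmap domains", "") + " " + p.get("workgroup", "")) if d}
    for key, value in p.items():
        m = re.match(r"idmap config ([^:]+):(.+)", key)
        if m:  # group per-domain settings: {"testdomain": {"range": ..., "schema_mode": ...}}
            per_domain.setdefault(m.group(1).strip(), {})[m.group(2).strip()] = value
    ranges = [("alloc", parse_range(p["idmap alloc config:range"]))] if "idmap alloc config:range" in p else []
    for dom, cfg in per_domain.items():
        if dom not in known:
            problems.append(f"idmap config for unknown domain '{dom}' (typo?)")
        if cfg.get("schema_mode", "").lower() == "rfc2307" and p.get("winbind nss info", "").lower() != "rfc2307":
            problems.append(f"{dom}: schema_mode = rfc2307 but 'winbind nss info' is not rfc2307")
        if "range" in cfg:
            ranges.append((dom, parse_range(cfg["range"])))
    for i, (n1, (lo1, hi1)) in enumerate(ranges):  # overlapping ranges mean uid collisions
        for n2, (lo2, hi2) in ranges[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                problems.append(f"uid ranges of '{n1}' and '{n2}' overlap")
    return problems
```

Run it against a real smb.conf with `lint_idmap(open("/etc/samba/smb.conf").read())`; an empty list is the expected result for a consistent rfc2307 setup.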

