[Samba] RFC2307, AD, and Samba 3.6
steve
steve at steve-ss.com
Sun Aug 12 08:17:10 MDT 2012
On 12/08/12 15:26, Gémes Géza wrote:
> Hi,
>> Hi all,
>>
>> I'm still struggling with getting samba 3.6 to use the uids and gids
>> from my Active Directory 2008 R2 setup. I can see the users, I just
>> can't get their UIDs mapped onto my linux machine.
>>
>> I've configured AD to use it's "services for unix" feature, and
>> through that, I got a "Unix Attributes" tab where I could enter fields
>> like uid, home dir, shell, and primary GID.
>>
>> My few questions:
>>
>> 1. Am I supposed to configure Samba to use rfc2307, or sfu?
>> 2. As you can see in my config, below, I've configured an idmap range
>> for the AD domain. It seems to be ignored, and instead, my users get
>> placed in the wildcard domain's idmap range.
>> 3. I found some advice (don't remember where) to try to delete these
>> files when I change this part of my config:
>> /var/run/samba/gencache*
>> /var/cache/samba/winbindd_cache.tdb
>> /var/lib/samba/winbindd_idmap.tdb
>> Any thoughts about the need/value to delete these temp files is
>> appreciated.
>> 4. Finally, does anyone have suggestions of other things I can try?
>>
>> thanks very much.
>>
>> best,
>> -Nick
> According to man idmap_ad you should have a generic idmap backend line
> as well, like:
>
> idmap backend = tdb
> idmap uid range = some uninteresting range
> idmap gid range = some uninteresting range
>
S3.6 complains about deprecation here and only accepts the gid range.
> I wrote uninteresting range, because you should specify a range you
> haven't placed your users in via ADUC
>> [global] (from my smb.conf)
>> workgroup = CORP
>> server string = %h server (Samba, Ubuntu)
>>
>> security = ADS
>> realm = CORP.xxx.COM
>> allow trusted domains = yes
>> winbind use default domain = yes
>> winbind nested groups = YES
>> winbind nested groups = YES
>> winbind enum groups = yes
>> winbind enum users = yes
>> winbind nss info = rfc2307
>> winbind refresh tickets = yes
>> idmap config CORP : backend = ad
>> idmap config CORP : schema_mode = rfc2307
>> #idmap config CORP : range = 1000 - 99999
>> idmap config * : default = yes
>> #idmap config * : backend = tdb
>> #idmap config * : range = 100000 - 199999
>> idmap config * : range = 900 - 1999
>>
>> encrypt passwords = true
>>
>> obey pam restrictions = yes
>> client use spnego = yes
>> client ntlmv2 auth = yes
>> encrypt passwords = true
>> restrict anonymous = 2
>>
>> When I perform an ldapsearch against my server, I see these
>> attributes, among others:
>>
>> msSFU30Name: nick
>> msSFU30NisDomain: corp
>> uidNumber: 1001
>> gidNumber: 1000
>> unixHomeDirectory: /home/nick
>> loginShell: /bin/bash
>>
> Regards
>
> Geza
Hi
Here is a 3.6.3 config that works against Samba4 AD. There is no need
for m$ sfu. 2008 R2 and Samba4 both allow full rfc2307 out of the box:
[global]
realm = polop.site
workgroup = ALTEA
security = ADS
winbind enum users = Yes
winbind enum groups = Yes
idmap config *:backend = tdb
idmap config *:range = 3000-4000
idmap config ALTEA:backend = ad
idmap config ALTEA:range = 20000-40000000
idmap config ALTEA:schema_mode = rfc2307
winbind nss info = rfc2307
winbind expand groups = 2
winbind nested groups = yes
#winbind use default domain = Yes
HTH
Cheers,
Steve
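A small check, added here and not part of the thread or of Samba itself, that applies the points made above to an smb.conf: an `idmap config DOMAIN : backend = ad` entry needs a range, that range acts as a filter on the uidNumber/gidNumber stored in AD, and the per-domain range must not collide with the wildcard range. The smb.conf excerpt and the uid/gid values are constructed from the first post.

```python
import re

# Constructed excerpt modelled on the first post's smb.conf (CORP range commented out)
SMB_CONF = """
[global]
   workgroup = CORP
   security = ADS
   idmap config CORP : backend = ad
   idmap config CORP : schema_mode = rfc2307
   #idmap config CORP : range = 1000 - 99999
   idmap config * : default = yes
   idmap config * : range = 900 - 1999
"""

# Matches 'idmap config <domain> : <option> = <value>'; a leading '#' or ';' never matches
IDMAP_RE = re.compile(r"^\s*idmap config\s+([^:\s]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$")


def parse_idmap(conf):
    """Return {domain: {option: value}} for the uncommented idmap config lines."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domains.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return domains


def parse_range(value):
    """'1000 - 99999' -> (1000, 99999)."""
    low, high = (int(x) for x in value.replace(" ", "").split("-"))
    return low, high


def check_idmap(conf, domain, uid, gid):
    """List the reasons an AD user with this uidNumber/gidNumber would not map."""
    cfg = parse_idmap(conf)
    dom = cfg.get(domain, {})
    findings = []
    if dom.get("backend") != "ad":
        findings.append(f"{domain}: backend is {dom.get('backend')!r}, not 'ad'")
    if "range" not in dom:
        findings.append(f"{domain}: no range; idmap_ad needs one and filters on it")
    else:
        low, high = parse_range(dom["range"])
        for name, val in (("uidNumber", uid), ("gidNumber", gid)):
            if not low <= val <= high:
                findings.append(f"{domain}: {name} {val} outside range {low}-{high}")
    # Two domains (including '*') must never be authoritative for the same IDs
    ranges = {d: parse_range(o["range"]) for d, o in cfg.items() if "range" in o}
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (al, ah), (bl, bh) = ranges[a], ranges[b]
            if al <= bh and bl <= ah:
                findings.append(f"ranges for {a} and {b} overlap")
    return findings
```

Uncommenting the CORP range as written in the first post still leaves one finding, because 1000-99999 overlaps the wildcard range 900-1999.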