[Samba] RFC2307, AD, and Samba 3.6

steve steve at steve-ss.com
Sun Aug 12 08:17:10 MDT 2012


On 12/08/12 15:26, Gémes Géza wrote:
> Hi,
>> Hi all,
>>
>> I'm still struggling with getting samba 3.6 to use the uids and gids
>> from my Active Directory 2008 R2 setup. I can see the users, I just
>> can't get their UIDs mapped onto my linux machine.
>>
>> I've configured AD to use its "services for unix" feature, and
>> through that, I got a "Unix Attributes" tab where I could enter fields
>> like uid, home dir, shell, and primary GID.
>>
>> My few questions:
>>
>> 1. Am I supposed to configure Samba to use rfc2307, or sfu?
>> 2. As you can see in my config, below, I've configured an idmap range
>> for the AD domain. It seems to be ignored, and instead, my users get
>> placed in the wildcard domain's idmap range.
>> 3. I found some advice (don't remember where) to try to delete these
>> files when I change this part of my config:
>>     /var/run/samba/gencache*
>>     /var/cache/samba/winbindd_cache.tdb
>>     /var/lib/samba/winbindd_idmap.tdb
>>     Any thoughts about the need/value of deleting these temp files are
>> appreciated.
>> 4. Finally, does anyone have suggestions of other things I can try?
>>
>> thanks very much.
>>
>> best,
>> -Nick
> According to man idmap_ad you should have a generic idmap backend line
> as well, like:
>
> idmap backend = tdb
> idmap uid range = some uninteresting range
> idmap gid range = some uninteresting range
>

S3.6 complains about deprecation here and only accepts the gid range.

> I wrote "uninteresting range" because you should specify a range in which
> you haven't placed your users via ADUC.
>> [global]   (from my smb.conf)
>>     workgroup = CORP
>>     server string = %h server (Samba, Ubuntu)
>>
>>     security = ADS
>>     realm = CORP.xxx.COM
>>     allow trusted domains = yes
>>     winbind use default domain = yes
>>     winbind nested groups = YES
>>     winbind nested groups = YES
>>     winbind enum groups = yes
>>     winbind enum users = yes
>>     winbind nss info = rfc2307
>>     winbind refresh tickets = yes
>>     idmap config CORP : backend = ad
>>     idmap config CORP : schema_mode = rfc2307
>>     #idmap config CORP : range = 1000 - 99999
>>     idmap config * : default = yes
>>     #idmap config * : backend = tdb
>>     #idmap config * : range = 100000 - 199999
>>     idmap config * : range = 900 - 1999
>>
>>     encrypt passwords = true
>>
>>     obey pam restrictions = yes
>>     client use spnego = yes
>>     client ntlmv2 auth = yes
>>     encrypt passwords = true
>>     restrict anonymous = 2
>>
>> When I perform an ldapsearch against my server, I see these
>> attributes, among others:
>>
>> msSFU30Name: nick
>> msSFU30NisDomain: corp
>> uidNumber: 1001
>> gidNumber: 1000
>> unixHomeDirectory: /home/nick
>> loginShell: /bin/bash
>>
> Regards
>
> Geza

Hi
Here is a 3.6.3 config that works against Samba4 AD. There is no need 
for m$ sfu. 2008 R2 and Samba4 both allow full rfc2307 out of the box:

[global]
realm = polop.site
workgroup = ALTEA
security = ADS
winbind enum users = Yes
winbind enum groups = Yes
idmap config *:backend = tdb
idmap config *:range = 3000-4000
idmap config ALTEA:backend = ad
idmap config ALTEA:range = 20000-40000000
idmap config ALTEA:schema_mode = rfc2307
winbind nss info = rfc2307
winbind expand groups = 2
winbind nested groups = yes
#winbind use default domain = Yes

HTH
Cheers,
Steve
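Added example, not part of Steve's, Géza's or Nick's posts and not a Samba tool: a small POSIX shell script that parses the `idmap config` lines of an smb.conf and flags the two conditions the thread circles around. It reports a domain that has a backend but no active `range` (the commented-out CORP range in the quoted config is exactly this case; idmap_ad requires a range) and ranges that overlap each other (two domains able to hand out the same UID means one identity can end up owning another's files). It also checks whether a uidNumber read from AD lies inside the domain's range, since idmap_ad discards IDs outside it. The two embedded configs are constructed, modelled on the one quoted above; the functions `idmap_entries`, `idmap_ranges`, `check_idmap` and `id_in_domain_range` are this example's own names. It assumes only awk and a POSIX sh.

```shell
#!/bin/sh
# Constructed smb.conf fragments modelled on the config quoted in this thread
# (not verbatim copies). The first has the CORP range commented out; the
# second uses the commented-out values from that config as active settings.
SMB_CONF_SAMPLE='[global]
   workgroup = CORP
   security = ADS
   winbind nss info = rfc2307
   idmap config CORP : backend = ad
   idmap config CORP : schema_mode = rfc2307
   #idmap config CORP : range = 1000 - 99999
   idmap config * : default = yes
   idmap config * : range = 900 - 1999
'
SMB_CONF_FIXED='[global]
   workgroup = CORP
   security = ADS
   winbind nss info = rfc2307
   idmap config CORP : backend = ad
   idmap config CORP : schema_mode = rfc2307
   idmap config CORP : range = 1000 - 99999
   idmap config * : backend = tdb
   idmap config * : range = 100000 - 199999
'

# Print "domain key value" for every active (uncommented) "idmap config" line.
# Whitespace inside domain, key and value is stripped, so "900 - 1999" becomes
# "900-1999" and "* : backend" becomes "* backend".
idmap_entries() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*[#;]/ { next }                     # smb.conf comment line
        /^[[:space:]]*idmap config/ {
            line = $0
            sub(/^[[:space:]]*idmap config[[:space:]]*/, "", line)
            eq = index(line, "="); if (eq == 0) next
            key = substr(line, 1, eq - 1); val = substr(line, eq + 1)
            c = index(key, ":"); if (c == 0) next
            dom = substr(key, 1, c - 1); k = substr(key, c + 1)
            gsub(/[[:space:]]/, "", dom); gsub(/[[:space:]]/, "", k); gsub(/[[:space:]]/, "", val)
            print dom, k, val
        }'
}

# Print "domain low high" for every active range.
idmap_ranges() {
    idmap_entries "$1" | awk '$2 == "range" { split($3, lh, "-"); print $1, lh[1], lh[2] }'
}

# Report a domain whose backend has no active range (winbind then ignores the
# domain block and the users land in the wildcard range) and any pair of
# ranges that overlap. Returns 0 when nothing was found, 1 otherwise.
check_idmap() {
    idmap_entries "$1" | awk '
        BEGIN { split("", backend); split("", has) }
        $2 == "backend" { backend[$1] = $3 }
        $2 == "range"   { n++; d[n] = $1; split($3, lh, "-")
                          lo[n] = lh[1] + 0; hi[n] = lh[2] + 0; has[$1] = 1 }
        END {
            bad = 0
            for (dom in backend) if (!(dom in has)) {
                print "missing range: idmap config " dom " : backend = " backend[dom] " has no active range"
                bad = 1 }
            for (i = 1; i <= n; i++) for (j = i + 1; j <= n; j++)
                if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                    print "overlap: " d[i] " " lo[i] "-" hi[i] " and " d[j] " " lo[j] "-" hi[j]
                    bad = 1 }
            exit bad
        }'
}

# idmap_ad only honours a uidNumber/gidNumber that lies inside the domain's
# range; anything outside is dropped. Returns 0 if the ID would be usable.
# Usage: id_in_domain_range "$conf" DOMAIN ID
id_in_domain_range() {
    idmap_entries "$1" | awk -v d="$2" -v id="$3" '
        $1 == d && $2 == "range" { split($3, lh, "-")
            if (id + 0 >= lh[1] + 0 && id + 0 <= lh[2] + 0) ok = 1 }
        END { exit !ok }'
}

# Run the checks against the constructed sample; findings go to stdout.
check_idmap "$SMB_CONF_SAMPLE" || echo "=> sample config: CORP users would fall back to the wildcard range"
check_idmap "$SMB_CONF_FIXED" && echo "=> fixed config: no idmap findings"
```

Run it as `sh idmap-check.sh`, or source it and call `check_idmap "$(cat /etc/samba/smb.conf)"` against a real file; the script never touches winbind's tdb caches, so it is safe to run on a live member server before deciding whether the cache files listed in the question need clearing.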
