[Samba] RFC2307, AD, and Samba 3.6

Nick Triantos nick at triantos.com
Sun Aug 12 12:49:33 MDT 2012


Thanks very much.

For some reason, this time, when I uncommented those idmap range lines, it all worked.

Steve, to use rfc2307 out of the box, how do I specify uids for my users? I installed sfu to get the tab in the Users & Computers where I could set stuff like shell, uid, etc.

thanks,
-Nick

On Aug 12, 2012, at 6:26 AM, Gémes Géza <geza at kzsdabas.hu> wrote:

> Hi,
>> Hi all,
>> 
>> I'm still struggling with getting samba 3.6 to use the uids and gids from my Active Directory 2008 R2 setup. I can see the users, I just can't get their UIDs mapped onto my linux machine.
>> 
>> I've configured AD to use its "services for unix" feature, and through that, I got a "Unix Attributes" tab where I could enter fields like uid, home dir, shell, and primary GID.
>> 
>> My few questions:
>> 
>> 1. Am I supposed to configure Samba to use rfc2307, or sfu?
>> 2. As you can see in my config, below, I've configured an idmap range for the AD domain. It seems to be ignored, and instead, my users get placed in the wildcard domain's idmap range.
>> 3. I found some advice (don't remember where) to try to delete these files when I change this part of my config:
>> 	/var/run/samba/gencache*
>> 	/var/cache/samba/winbindd_cache.tdb
>> 	/var/lib/samba/winbindd_idmap.tdb
>>     Any thoughts about the need/value to delete these temp files are appreciated.
>> 4. Finally, does anyone have suggestions of other things I can try?
>> 
>> thanks very much.
>> 
>> best,
>> -Nick
> According to man idmap_ad you should have a generic idmap backend line as well, like:
> 
> idmap backend = tdb
> idmap uid range = some uninteresting range
> idmap gid range = some uninteresting range
> 
> I wrote "uninteresting range" because you should specify a range in which you haven't placed your users via ADUC.
>> [global]   (from my smb.conf)
>>    workgroup = CORP
>>    server string = %h server (Samba, Ubuntu)
>> 
>>    security = ADS
>>    realm = CORP.xxx.COM
>>    allow trusted domains = yes
>>    winbind use default domain = yes
>>    winbind nested groups = YES
>>    winbind nested groups = YES
>>    winbind enum groups = yes
>>    winbind enum users = yes
>>    winbind nss info = rfc2307
>>    winbind refresh tickets = yes
>>    idmap config CORP : backend = ad
>>    idmap config CORP : schema_mode = rfc2307
>>    #idmap config CORP : range = 1000 - 99999
>>    idmap config * : default = yes
>>    #idmap config * : backend = tdb
>>    #idmap config * : range = 100000 - 199999
>>    idmap config * : range = 900 - 1999
>> 
>>    encrypt passwords = true
>> 
>>    obey pam restrictions = yes
>>    client use spnego = yes
>>    client ntlmv2 auth = yes
>>    encrypt passwords = true
>>    restrict anonymous = 2
>> 
>> When I perform an ldapsearch against my server, I see these attributes, among others:
>> 
>> msSFU30Name: nick
>> msSFU30NisDomain: corp
>> uidNumber: 1001
>> gidNumber: 1000
>> unixHomeDirectory: /home/nick
>> loginShell: /bin/bash
>> 
> Regards
> 
> Geza
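As an added example (not from the thread), a small Python checker that applies Geza's point to the posted smb.conf: it parses the `idmap config` lines, requires a range for every domain that names a backend, rejects overlapping ranges, and confirms that the uidNumber/gidNumber returned by the ldapsearch fall inside the CORP range and outside the wildcard range. The sample config is constructed from the posted one, with the CORP range uncommented and the wildcard tdb range set to the `100000 - 199999` values that were commented out.

```python
import re
# Constructed sample: the posted idmap lines, CORP range uncommented, wildcard range moved
SMB_CONF = """
   idmap config CORP : backend = ad
   idmap config CORP : schema_mode = rfc2307
   idmap config CORP : range = 1000 - 99999
   idmap config * : default = yes
   idmap config * : backend = tdb
   idmap config * : range = 100000 - 199999
"""
# Constructed: the uidNumber and gidNumber the ldapsearch in the thread shows for nick.
AD_IDS = {"nick": (1001, 1000)}
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$")

def parse_idmap(conf):
    # {domain: {option: value}} from active idmap lines; commented-out lines don't match
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            domains.setdefault(dom, {})[opt] = val
    return domains

def parse_range(text):
    lo, hi = (int(x) for x in text.split("-"))
    return lo, hi

def check_idmap(conf, ad_ids):
    # Returns a list of problems; an empty list means the idmap layout is consistent.
    problems, domains = [], parse_idmap(conf)
    ranges = {d: parse_range(o["range"]) for d, o in domains.items() if "range" in o}
    for dom, opts in domains.items():
        if "backend" in opts and dom not in ranges:
            problems.append(f"{dom}: backend {opts['backend']} without a range")
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                problems.append(f"ranges for {a} and {b} overlap")
    # AD-assigned IDs must sit inside their domain's range and outside the wildcard tdb range
    ad_domains = [d for d, o in domains.items() if o.get("backend") == "ad"]
    for user, ids in ad_ids.items():
        for kind, val in zip(("uidNumber", "gidNumber"), ids):
            for dom in ad_domains:
                if dom in ranges and not ranges[dom][0] <= val <= ranges[dom][1]:
                    problems.append(f"{user} {kind}={val} outside {dom} range")
            if "*" in ranges and ranges["*"][0] <= val <= ranges["*"][1]:
                problems.append(f"{user} {kind}={val} inside wildcard range")
    return problems
```

Running it against the config as originally posted (CORP range commented out, wildcard range 900 - 1999) reports both the missing CORP range and that uid 1001 and gid 1000 sit inside the wildcard range, which is the symptom described in the thread.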
