[Samba] Samba 4, Winbind & RFC2307

Andrew Bartlett abartlet at samba.org
Sun Dec 16 14:04:00 MST 2012

On Sun, 2012-12-16 at 12:23 -0500, Thomas Simmons wrote:
> Hello Takahashi,
> I am using ADUC to manage UNIX attributes and have created the attributes
> for each test user.
> Just to make sure I understand you correctly; you're saying there is no way
> to have S4 winbind use rfc2307 attributes for *nix authentication on a DC,
> but it will work on a member server? This is a "clean" provision test setup
> that I am running at home. In production (and testing at work) I will be
> performing a classicupgrade. I have 300+ users with existing accounts
> spread out across many servers. S3 (or it's LDAP backend) is used for auth
> & auth on all of our services, so I need to ensure these attributes stay
> the same. Worst case I can use NSS+LDAP, but I would prefer to use winbind
> if possible.
> Here I have NSS+LDAP configured and getent reports the correct uidNumber
> and gidNumber that I have specified in AD (rfc2307 attributes):
> root at ALW1:~# getent passwd | grep tuser
> tuser1:*:10005:10000:Test User1:/home/tuser1:/bin/sh
> tuser2:*:10006:10000:Test User2:/home/tuser2:/bin/sh
> tuser3:*:10007:10000:Test User3:/home/tuser3:/bin/sh
> Here (DC) I am using winbind for authentication, and getent does not report
> the correct uidNumber and gidNumber:
> [root at ADC1 ~]# getent passwd | grep tuser
> TESTDOM\tuser1:*:3000025:100:Test User1:/home/tuser1:/bin/sh
> TESTDOM\tuser2:*:3000026:100:Test User2:/home/tuser2:/bin/sh
> TESTDOM\tuser3:*:3000027:100:Test User3:/home/tuser3:/bin/sh

On the DC, set:

idmap_ldb:use rfc2307=yes

We realise that having the different behaviour between the DC and the
member server is very annoying, but we have not had the resources to
rework this area of the codebase quite yet.

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

More information about the samba mailing list