[Samba] Samba 4, Winbind & RFC2307

Thomas Simmons twsnnva at gmail.com
Sun Dec 16 14:51:46 MST 2012

Hello Andrew,

If functionality is not there, I certainly understand and can work around
it. I just want to make sure I am not misunderstanding something.

When you say I should set "idmap_ldb:use rfc2307=yes" in smb.conf on the
DC, do you mean that by doing so I can use winbind (and the rfc2307
attributes) for *nix authentication on the DC? I am confused because I
already have "idmap_ldb:use rfc2307 = yes" in my smb.conf (it gets added
automatically with the classicupgrade and I always provision my "clean"
test setup with "--use-rfc2307"). That actually works fine - the rfc2307
attributes are there and I can modify them in ADUC. If I configure the
server to use NSS+LDAP for authentication, my users' uid number, gid
number, shell, etc are what I have specified in ADUC. When I try using
winbind, it is not using the rfc2307 information from AD. Initially,
"idmap_ldb:use rfc2307 = yes" was the only idmap related entry in my
smb.conf. When that did not work I tried a bunch of other "idmap config
DOMAIN" settings.

Again, if this simply does not work at this time, I can use NSS and LDAP
for logins on my DCs. With my S3 setup, I've always used LDAP for auth on
*nix systems and am not terribly familiar with winbind, so I just want to
make sure I'm not missing something. My next test will be setting up a
member server. Can you tell me what entries I will need in my smb.conf to
have winbind use the rfc2307 information from my S4 DC on member servers?

Thank you for your help!

On Sun, Dec 16, 2012 at 4:04 PM, Andrew Bartlett <abartlet at samba.org> wrote:

> On Sun, 2012-12-16 at 12:23 -0500, Thomas Simmons wrote:
> > Hello Takahashi,
> >
> > I am using ADUC to manage UNIX attributes and have created the attributes
> > for each test user.
> >
> > Just to make sure I understand you correctly; you're saying there is no way
> > to have S4 winbind use rfc2307 attributes for *nix authentication on a DC,
> > but it will work on a member server? This is a "clean" provision test setup
> > that I am running at home. In production (and testing at work) I will be
> > performing a classicupgrade. I have 300+ users with existing accounts
> > spread out across many servers. S3 (or its LDAP backend) is used for auth
> > & auth on all of our services, so I need to ensure these attributes stay
> > the same. Worst case I can use NSS+LDAP, but I would prefer to use winbind
> > if possible.
> >
> > Here I have NSS+LDAP configured and getent reports the correct uidNumber
> > and gidNumber that I have specified in AD (rfc2307 attributes):
> >
> > root at ALW1:~# getent passwd | grep tuser
> > tuser1:*:10005:10000:Test User1:/home/tuser1:/bin/sh
> > tuser2:*:10006:10000:Test User2:/home/tuser2:/bin/sh
> > tuser3:*:10007:10000:Test User3:/home/tuser3:/bin/sh
> >
> > Here (DC) I am using winbind for authentication, and getent does not report
> > the correct uidNumber and gidNumber:
> >
> > [root at ADC1 ~]# getent passwd | grep tuser
> > TESTDOM\tuser1:*:3000025:100:Test User1:/home/tuser1:/bin/sh
> > TESTDOM\tuser2:*:3000026:100:Test User2:/home/tuser2:/bin/sh
> > TESTDOM\tuser3:*:3000027:100:Test User3:/home/tuser3:/bin/sh
> On the DC, set:
>
> idmap_ldb:use rfc2307=yes
>
> We realise that having the different behaviour between the DC and the
> member server is very annoying, but we have not had the resources to
> rework this area of the codebase quite yet.
>
> Andrew Bartlett
> --
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
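The member-server side of the question above, as an added example that is not from this thread or from the poster's setup: on a domain member, winbind's `ad` idmap backend reads uidNumber/gidNumber from AD instead of allocating IDs (the 3000025-style values in the DC output are allocated ones), and `winbind nss info = rfc2307` makes it use loginShell/unixHomeDirectory as well. The option names are the ones documented in smb.conf(5); the realm, the ID ranges and the domain name TESTDOM are assumptions, with the domain range chosen to cover the 10000-range uids and gid shown in the getent output above.

```ini
# smb.conf for a Samba 4 *member server* (added example, not the poster's file)
# Assumed: realm TESTDOM.EXAMPLE, NetBIOS domain TESTDOM, rfc2307 IDs in 10000-19999
[global]
    workgroup = TESTDOM
    realm = TESTDOM.EXAMPLE
    security = ads

    # Default backend for SIDs that belong to no configured domain
    # (BUILTIN, local SIDs). Its range must not overlap the domain range below.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # The domain itself: take uidNumber/gidNumber from AD (rfc2307 schema)
    # instead of allocating them. An account whose attribute is missing or
    # falls outside the range gets no mapping and cannot log in, so every
    # user and group that needs *nix access must have the attributes set.
    idmap config TESTDOM : backend = ad
    idmap config TESTDOM : schema_mode = rfc2307
    idmap config TESTDOM : range = 10000-19999

    # Take shell and home directory from loginShell/unixHomeDirectory too,
    # rather than from the "template shell"/"template homedir" settings.
    winbind nss info = rfc2307
    winbind use default domain = yes

    # Needed only for enumeration such as "getent passwd | grep tuser";
    # lookups of a single name work without it.
    winbind enum users = yes
    winbind enum groups = yes
```

After `net ads join` and a winbind restart, `getent passwd tuser1` should then show the uid and gid stored in AD rather than an allocated 3000xxx value, and with `winbind use default domain = yes` the `TESTDOM\` prefix disappears from the name.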
