[Samba] Samba 4, Winbind & RFC2307

Andrew Bartlett abartlet at samba.org
Sun Dec 16 15:06:52 MST 2012


On Sun, 2012-12-16 at 16:51 -0500, Thomas Simmons wrote:
> Hello Andrew,
> 
> 
> If functionality is not there, I certainly understand and can work
> around it. I just want to make sure I am not misunderstanding
> something.
> 
> 
> When you say I should set "idmap_ldb:use rfc2307=yes" in smb.conf on
> the DC, do you mean that by doing so I can use winbind (and the
> rfc2307 attributes) for *nix authentication on the DC? I am confused
> because I already have "idmap_ldb:use rfc2307 = yes" in my smb.conf
> (it gets added automatically with the classicupgrade and I always
> provision my "clean" test setup with "--use-rfc2307"). That actually
> works fine - the rfc2307 attributes are there and I can modify them in
> ADUC. If I configure the server to use NSS+LDAP for authentication, my
> users' uid number, gid number, shell, etc are what I have specified
> in ADUC. When I try using winbind, it is not using the rfc2307
> information from AD. 

That's odd, but remember that only the UID and GID values will be used
(not the shell or homedir, which is handled in a different bit of the
code).  However, your output below clearly shows that isn't
happening :-(

> > Here I have NSS+LDAP configured and getent reports the correct uidNumber
> > and gidNumber that I have specified in AD (rfc2307 attributes):
> >
> > root@ALW1:~# getent passwd | grep tuser
> > tuser1:*:10005:10000:Test User1:/home/tuser1:/bin/sh
> > tuser2:*:10006:10000:Test User2:/home/tuser2:/bin/sh
> > tuser3:*:10007:10000:Test User3:/home/tuser3:/bin/sh
> >
> > Here (DC) I am using winbind for authentication, and getent does not report
> > the correct uidNumber and gidNumber:
> >
> > [root@ADC1 ~]# getent passwd | grep tuser
> > TESTDOM\tuser1:*:3000025:100:Test User1:/home/tuser1:/bin/sh
> > TESTDOM\tuser2:*:3000026:100:Test User2:/home/tuser2:/bin/sh
> > TESTDOM\tuser3:*:3000027:100:Test User3:/home/tuser3:/bin/sh
>
As a test, can you set 'acl:search=false' and see if it makes a
difference?

> Initially,  "idmap_ldb:use rfc2307 = yes" was the only idmap related
> entry in my smb.conf. When that did not work I tried a bunch of other
> "idmap config DOMAIN" settings. 

The code that handles that isn't hooked up yet.  I'm hoping someone will
take this on for 4.1. 

> Again, if this simply does not work at this time, I can use NSS and
> LDAP for logins on my DCs. With my S3 setup, I've always used LDAP for
> auth on *nix systems and am not terribly familiar with winbind, so I
> just want to make sure I'm not missing something. My next test will be
> setting up a member server. Can you tell me what entries I will need
> in my smb.conf to have winbind use the rfc2307 information from my S4
> DC on member servers?

I don't recall the exact settings right now, but for member servers it
is the same as for a Windows AD domain (yes, I think this should be more
automatic). 

In terms of using nss_ldap on the DC, the only concern I have is that
the [homes] share might not work if you do that.  Our DC code mostly
avoids calling into nss, but that particular area does do it, and really
does expect that nss_winbind is being used. 

For that reason, we generally suggest separation between the DC and
other roles as the best way out of this situation. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
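The member-server settings Thomas asks for are not spelled out in the thread; the smb.conf fragment below is an added example, not from this thread or from the Samba project's own documentation, showing how winbind on a Samba domain member is told to take uidNumber and gidNumber from the RFC2307 attributes instead of allocating IDs locally. It applies to a domain member only (Andrew notes above that the idmap config code is not hooked up on the DC); the realm and the ID ranges are assumptions, while the domain name TESTDOM and the 10000-range IDs follow the getent output quoted above.

```ini
[global]
    workgroup = TESTDOM
    # Assumed realm; replace with the Kerberos realm of the S4 DC.
    realm = TESTDOM.EXAMPLE
    security = ads

    # Default backend for SIDs that are not in TESTDOM (BUILTIN and other
    # well-known SIDs). Its range must not overlap the domain range below,
    # otherwise a locally allocated ID can collide with an AD-assigned one.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # Read uidNumber/gidNumber from AD rather than allocating them.
    # The range must contain every ID assigned in ADUC (10005-10007 and
    # gid 10000 in the thread); an account whose ID falls outside the
    # range is not mapped at all, so check it before widening or narrowing.
    idmap config TESTDOM : backend = ad
    idmap config TESTDOM : schema_mode = rfc2307
    idmap config TESTDOM : range = 10000-999999

    # Take loginShell/unixHomeDirectory from AD too; the template values
    # are only used for accounts that lack those attributes.
    winbind nss info = rfc2307
    template shell = /bin/sh
    template homedir = /home/%U
```

After joining the member and restarting winbind, `getent passwd TESTDOM\\tuser1` should report 10005:10000 as in the NSS+LDAP output above, not an allocated 3000xxx:100 pair as in the DC output.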