[Samba] Samba 4, Winbind & RFC2307

Thomas Simmons twsnnva at gmail.com
Sun Dec 16 15:30:55 MST 2012


I am using 'template homedir' and 'template shell' for these attributes,
which I'm fine with. It's the uidNumber and gidNumber that
I'm primarily concerned with. My global section:

[global]
        workgroup = TESTDOM
        realm = internal.testdom.com
        netbios name = ADC1
        server role = active directory domain controller
        dns forwarder = 10.10.65.1
        idmap_ldb:use rfc2307 = yes
        #acl:search = false

        template homedir = /home/%ACCOUNTNAME%
        template shell = /bin/sh



On Sun, Dec 16, 2012 at 5:06 PM, Andrew Bartlett <abartlet at samba.org> wrote:

> On Sun, 2012-12-16 at 16:51 -0500, Thomas Simmons wrote:
> > Hello Andrew,
> >
> >
> > If functionality is not there, I certainly understand and can work
> > around it. I just want to make sure I am not misunderstanding
> > something.
> >
> >
> > When you say I should set "idmap_ldb:use rfc2307=yes" in smb.conf on
> > the DC, do you mean that by doing so I can use winbind (and the
> > rfc2307 attributes) for *nix authentication on the DC? I am confused
> > because I already have "idmap_ldb:use rfc2307 = yes" in my smb.conf
> > (it gets added automatically with the classicupgrade and I always
> > provision my "clean" test setup with "--use-rfc2307"). That actually
> > works fine - the rfc2307 attributes are there and I can modify them in
> > ADUC. If I configure the server to use NSS+LDAP for authentication, my
> > users' uid number, gid number, shell, etc are what I have specified
> > in ADUC. When I try using winbind, it is not using the rfc2307
> > information from AD.
>
> That's odd, but remember that only the UID and GID values will be used
> (not the shell or homedir, which is handled in a different bit of the
> code).  However, your output below clearly shows that isn't
> happening :-(
>
> >         > Here I have NSS+LDAP configured and getent reports the correct uidNumber
> >         > and gidNumber that I have specified in AD (rfc2307 attributes):
> >         >
> >         > root at ALW1:~# getent passwd | grep tuser
> >         > tuser1:*:10005:10000:Test User1:/home/tuser1:/bin/sh
> >         > tuser2:*:10006:10000:Test User2:/home/tuser2:/bin/sh
> >         > tuser3:*:10007:10000:Test User3:/home/tuser3:/bin/sh
> >         >
> >         > Here (DC) I am using winbind for authentication, and getent does not report
> >         > the correct uidNumber and gidNumber:
> >         >
> >         > [root at ADC1 ~]# getent passwd | grep tuser
> >         > TESTDOM\tuser1:*:3000025:100:Test User1:/home/tuser1:/bin/sh
> >         > TESTDOM\tuser2:*:3000026:100:Test User2:/home/tuser2:/bin/sh
> >         > TESTDOM\tuser3:*:3000027:100:Test User3:/home/tuser3:/bin/sh
> >
> As a test, can you set 'acl:search=false' and see if it makes a
> difference?
>
> > Initially,  "idmap_ldb:use rfc2307 = yes" was the only idmap related
> > entry in my smb.conf. When that did not work I tried a bunch of other
> > "idmap config DOMAIN" settings.
>
> The code that handles that isn't hooked up yet.  I'm hoping someone will
> take this on for 4.1.
>
> > Again, if this simply does not work at this time, I can use NSS and
> > LDAP for logins on my DCs. With my S3 setup, I've always used LDAP for
> > auth on *nix systems and am not terribly familiar with winbind, so I
> > just want to make sure I'm not missing something. My next test will be
> > setting up a member server. Can you tell me what entries I will need
> > in my smb.conf to have winbind use the rfc2307 information from my S4
> > DC on member servers?
>
> I don't recall the exact settings right now, but for member servers it
> is the same as for a Windows AD domain (yes, I think this should be more
> automatic).
>
> In terms of using nss_ldap on the DC, the only concern I have is that
> the [homes] share might not work if you do that.  Our DC code mostly
> avoids calling into nss, but that particular area does do it, and really
> does expect that nss_winbind is being used.
>
> For that reason, we generally suggest separation between the DC and
> other roles as the best way out of this situation.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
>
>
>
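An added check, not part of the thread above: this script parses the two getent listings quoted in the message (the NSS+LDAP one and the winbind one on the DC) and flags accounts whose winbind uid/gid differ from the rfc2307 values stored in AD, since ids that differ between hosts break consistent file ownership on shared data. ALLOC_MIN is an assumption about where Samba's local idmap.ldb pool starts; the getent text is constructed from the output quoted above.

```python
# Constructed from the thread: getent passwd with NSS+LDAP (rfc2307 values)
LDAP_GETENT = """\
tuser1:*:10005:10000:Test User1:/home/tuser1:/bin/sh
tuser2:*:10006:10000:Test User2:/home/tuser2:/bin/sh
tuser3:*:10007:10000:Test User3:/home/tuser3:/bin/sh
"""

# Constructed from the thread: getent passwd on the DC with winbind
WINBIND_GETENT = """\
TESTDOM\\tuser1:*:3000025:100:Test User1:/home/tuser1:/bin/sh
TESTDOM\\tuser2:*:3000026:100:Test User2:/home/tuser2:/bin/sh
TESTDOM\\tuser3:*:3000027:100:Test User3:/home/tuser3:/bin/sh
"""

# Assumption: ids at or above this value come from the DC's local
# idmap.ldb allocation pool rather than from rfc2307 attributes.
ALLOC_MIN = 3000000


def parse_getent(text):
    """Map account name (DOMAIN\\ prefix stripped) -> (uid, gid)."""
    ids = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        name = fields[0].split("\\")[-1]  # "TESTDOM\tuser1" -> "tuser1"
        ids[name] = (int(fields[2]), int(fields[3]))
    return ids


def find_mismatches(expected, observed):
    """Return {name: (expected, observed, allocated)} for every account
    whose observed uid/gid differ from the rfc2307 values (or is missing);
    'allocated' is True when the observed uid lies in the local pool."""
    out = {}
    for name, exp in expected.items():
        obs = observed.get(name)
        if obs != exp:
            allocated = obs is not None and obs[0] >= ALLOC_MIN
            out[name] = (exp, obs, allocated)
    return out


if __name__ == "__main__":
    ad_ids = parse_getent(LDAP_GETENT)
    wb_ids = parse_getent(WINBIND_GETENT)
    for name, (exp, obs, alloc) in sorted(find_mismatches(ad_ids, wb_ids).items()):
        src = "local idmap pool" if alloc else "not found / other source"
        print(f"{name}: AD rfc2307 uid/gid {exp}, winbind reports {obs} ({src})")
```

Run it against the output of `getent passwd` from an LDAP-backed host and from the DC to see which accounts winbind is numbering from its own pool instead of from AD.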

