[Samba] Samba 4, Winbind & RFC2307
Thomas Simmons
twsnnva at gmail.com
Sun Dec 16 15:30:55 MST 2012
I am using 'template homedir' and 'template shell' for these attributes,
which I'm fine with. It's the uidNumber and gidNumber that
I'm primarily concerned with. My global section:
[global]
workgroup = TESTDOM
realm = internal.testdom.com
netbios name = ADC1
server role = active directory domain controller
dns forwarder = 10.10.65.1
idmap_ldb:use rfc2307 = yes
#acl:search = false
template homedir = /home/%ACCOUNTNAME%
template shell = /bin/sh
On Sun, Dec 16, 2012 at 5:06 PM, Andrew Bartlett <abartlet at samba.org> wrote:
> On Sun, 2012-12-16 at 16:51 -0500, Thomas Simmons wrote:
> > Hello Andrew,
> >
> >
> > If functionality is not there, I certainly understand and can work
> > around it. I just want to make sure I am not misunderstanding
> > something.
> >
> >
> > When you say I should set "idmap_ldb:use rfc2307=yes" in smb.conf on
> > the DC, do you mean that by doing so I can use winbind (and the
> > rfc2307 attributes) for *nix authentication on the DC? I am confused
> > because I already have "idmap_ldb:use rfc2307 = yes" in my smb.conf
> > (it gets added automatically with the classicupgrade and I always
> > provision my "clean" test setup with "--use-rfc2307"). That actually
> > works fine - the rfc2307 attributes are there and I can modify them in
> > ADUC. If I configure the server to use NSS+LDAP for authentication, my
> > users' uid number, gid number, shell, etc are what I have specified
> > in ADUC. When I try using winbind, it is not using the rfc2307
> > information from AD.
>
> That's odd, but remember that only the UID and GID values will be used
> (not the shell or homedir, which is handled in a different bit of the
> code). However, your output below clearly shows that isn't
> happening :-(
>
> > > Here I have NSS+LDAP configured and getent reports the correct uidNumber
> > > and gidNumber that I have specified in AD (rfc2307 attributes):
> > >
> > > root at ALW1:~# getent passwd | grep tuser
> > > tuser1:*:10005:10000:Test User1:/home/tuser1:/bin/sh
> > > tuser2:*:10006:10000:Test User2:/home/tuser2:/bin/sh
> > > tuser3:*:10007:10000:Test User3:/home/tuser3:/bin/sh
> > >
> > > Here (DC) I am using winbind for authentication, and getent does not report
> > > the correct uidNumber and gidNumber:
> > >
> > > [root at ADC1 ~]# getent passwd | grep tuser
> > > TESTDOM\tuser1:*:3000025:100:Test User1:/home/tuser1:/bin/sh
> > > TESTDOM\tuser2:*:3000026:100:Test User2:/home/tuser2:/bin/sh
> > > TESTDOM\tuser3:*:3000027:100:Test User3:/home/tuser3:/bin/sh
> >
> As a test, can you set 'acl:search=false' and see if it makes a
> difference?
>
> > Initially, "idmap_ldb:use rfc2307 = yes" was the only idmap related
> > entry in my smb.conf. When that did not work I tried a bunch of other
> > "idmap config DOMAIN" settings.
>
> The code that handles that isn't hooked up yet. I'm hoping someone will
> take this on for 4.1.
>
> > Again, if this simply does not work at this time, I can use NSS and
> > LDAP for logins on my DCs. With my S3 setup, I've always used LDAP for
> > auth on *nix systems and am not terribly familiar with winbind, so I
> > just want to make sure I'm not missing something. My next test will be
> > setting up a member server. Can you tell me what entries I will need
> > in my smb.conf to have winbind use the rfc2307 information from my S4
> > DC on member servers?
>
> I don't recall the exact settings right now, but for member servers it
> is the same as for a Windows AD domain (yes, I think this should be more
> automatic).
>
> In terms of using nss_ldap on the DC, the only concern I have is that
> the [homes] share might not work if you do that. Our DC code mostly
> avoids calling into nss, but that particular area does do it, and really
> does expect that nss_winbind is being used.
>
> For that reason, we generally suggest separation between the DC and
> other roles as the best way out of this situation.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
>
>
>
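A small check for the symptom discussed in this thread, added here as an example (not code from the thread or from the Samba project): it parses `getent passwd` lines, strips the `DOMAIN\` prefix winbind adds, and compares the uid/gid with the uidNumber/gidNumber the administrator set in AD, flagging entries that fall in the 3000000-based range seen above. The expected values and the sample output are constructed from the numbers quoted in the thread; the `3000000` base is an assumption taken from those lines.

```python
import subprocess

# Constructed sample modelled on the getent output quoted in the thread:
# two winbind entries with auto-allocated ids and one nss_ldap entry with rfc2307 ids.
GETENT_SAMPLE = """\
TESTDOM\\tuser1:*:3000025:100:Test User1:/home/tuser1:/bin/sh
TESTDOM\\tuser2:*:3000026:100:Test User2:/home/tuser2:/bin/sh
tuser3:*:10007:10000:Test User3:/home/tuser3:/bin/sh
"""

# uidNumber/gidNumber as set in ADUC (constructed; on a real host read them
# from the directory with ldbsearch or ldapsearch instead of hard-coding).
EXPECTED_RFC2307 = {
    "tuser1": (10005, 10000),
    "tuser2": (10006, 10000),
    "tuser3": (10007, 10000),
}

# Assumption: ids at or above this base are not rfc2307 values but ids winbind
# allocated itself, as in the 3000025.. entries shown in the thread.
AUTOALLOC_BASE = 3000000


def parse_passwd(text):
    """Yield (name, uid, gid) for each valid passwd line; drops DOMAIN\\ prefix."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # not a passwd entry
        name = fields[0].split("\\")[-1]
        yield name, int(fields[2]), int(fields[3])


def check_rfc2307(text, expected, autoalloc_base=AUTOALLOC_BASE):
    """Return {name: (uid, gid, reason)} for users whose ids differ from AD."""
    problems = {}
    for name, uid, gid in parse_passwd(text):
        if name not in expected:
            continue
        if (uid, gid) != expected[name]:
            reason = "auto-allocated id" if uid >= autoalloc_base else "mismatch"
            problems[name] = (uid, gid, reason)
    return problems


def check_live_host(expected):
    """Run the same check against the host's real getent output."""
    out = subprocess.check_output(["getent", "passwd"], text=True)
    return check_rfc2307(out, expected)


if __name__ == "__main__":
    for name, info in check_rfc2307(GETENT_SAMPLE, EXPECTED_RFC2307).items():
        print(f"{name}: uid={info[0]} gid={info[1]} ({info[2]})")
```

An empty result means every listed user resolves to the ids stored in AD, which is what a working `idmap_ldb:use rfc2307 = yes` setup should produce.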