[Samba] Samba 4, Winbind & RFC2307

"Dr. Hansjörg Maurer" hansjoerg.maurer at itsd.de
Sun Dec 23 06:40:02 MST 2012


Hi

On 16.12.2012 23:06, Andrew Bartlett wrote:
> On Sun, 2012-12-16 at 16:51 -0500, Thomas Simmons wrote:
>> Hello Andrew,
>>
>>
>> If functionality is not there, I certainly understand and can work
>> around it. I just want to make sure I am not misunderstanding
>> something.
>>
>>
>> When you say I should set "idmap_ldb:use rfc2307=yes" in smb.conf on
>> the DC, do you mean that by doing so I can use winbind (and the
>> rfc2307 attributes) for *nix authentication on the DC? I am confused
>> because I already have "idmap_ldb:use rfc2307 = yes" in my smb.conf
>> (it gets added automatically with the classicupgrade and I always
>> provision my "clean" test setup with "--use-rfc2307"). That actually
>> works fine - the rfc2307 attributes are there and I can modify them in
>> ADUC. If I configure the server to use NSS+LDAP for authentication, my
>> users's uid number, gid number, shell, etc are what I have specified
>> in ADUC. When I try using winbind, it is not using the rfc2307
>> information from AD. 
> That's odd, but remember that only the UID and GID values will be used
> (not the shell or homedir, which is handled in a different bit of the
> code).  However, your output below clearly shows that isn't
> happening :-(

I got it working with 4.0.0 with some manual interaction
Steps to reproduce:
- add a user to a domain provisioned with --use-rfc2307
  samba-tool user add testuser
- add a group testgroup to the domain
- set unix attributes with MMC for user and group
- put user into windows group using MMC and assign testgroup as windows
primary group (not under unix attributes)
- set idmap_ldb:use rfc2307=Yes in smb.conf

As reported before, the user and the group did not show up in getent
passwd and getent group with the uid and gid set in MMC but with a
random number

testgroup:*:3000022:

S4HJ\testuser:*:3000013:100::/home/testuser:/bin/bash



If I do a

ldbedit -e vi -H /etc/samba/sam.ldb

and manually add
objectClass: posixGroup
to testgroup
and
objectClass: posixAccount
to testuser

it works fine
[root at merlot samba-4.0.0]# getent passwd testuser
S4HJ\testuser:*:10000:10001::/home/testuser:/bin/bash
[root at merlot samba-4.0.0]# getent group testgroup
testgroup:*:10000:
[root at merlot samba-4.0.0]# id -a S4HJ\\testuser
uid=10000(S4HJ\testuser) gid=10001(testgroup2)
Gruppen=10001(testgroup2),100(users),10000(testgroup)

Is there a way to add this objectclass automatically?

Regards

Hansjörg


-- 
Dr. Hansjörg Maurer
itsystems Deutschland AG
Linprunstraße 10
80335 München
Tel:   +49-89-52 04 68-41
Fax:   +49-89-52 04 68-59
E-Mail: hansjoerg.maurer at itsd.de
Web:    http://www.itsd.de


Amtsgericht München HRB 132146
USt-IdNr. DE 812991301
Steuer-Nr. 143/100/81575

Aufsichtsratsvorsitzender:
Stefan Adam
Vorstand:
Dr. Michael Krocka
Dr. Hansjörg Maurer




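Added example, not from the post or from the Samba project: a small script that finds users and groups which already carry uidNumber/gidNumber but still lack the posixAccount/posixGroup objectClass, and prints the LDIF that ldbmodify would apply, so the class does not have to be added by hand in ldbedit. It assumes the ldbsearch/ldbmodify pipeline given in the note below; the DN suffix DC=s4hj,DC=example and the sample records are constructed.

```python
"""Emit LDIF adding posixAccount/posixGroup to Samba AD users/groups that carry
uidNumber/gidNumber but lack the class.  Assumed: stdin is ldbsearch output."""
import sys

# objectClass the entry already has -> (RFC2307 attribute to look for, class to add)
RULES = {"user": ("uidNumber", "posixAccount"), "group": ("gidNumber", "posixGroup")}

def parse_ldif(text):
    """Parse ldbsearch/LDIF text into a list of (dn, {attr: [values]})."""
    entries, attrs, last = [], {}, None
    for raw in text.splitlines() + [""]:
        if raw == "":                        # blank line ends a record
            if "dn" in attrs:
                entries.append((attrs["dn"][0], attrs))
            attrs, last = {}, None
        elif raw.startswith(" ") and last:   # folded continuation of a long line
            attrs[last][-1] += raw[1:]
        elif not raw.startswith("#"):        # skip '# record N' / '# returned N records'
            last, _, value = raw.partition(":")
            attrs.setdefault(last, []).append(value.lstrip(": "))  # drops ':: ' too
    return entries

def fix_ldif(text):
    """Return the LDIF modify document for ldbmodify ('' if nothing is missing)."""
    out = []
    for dn, attrs in parse_ldif(text):
        classes = {c.lower() for c in attrs.get("objectClass", [])}
        for base, (attr, cls) in RULES.items():
            if base in classes and attr in attrs and cls.lower() not in classes:
                out.append(f"dn: {dn}\nchangetype: modify\nadd: objectClass\nobjectClass: {cls}\n-\n")
    return "\n".join(out)

SAMPLE = """# constructed sample in ldbsearch output format; the second DN is folded
dn: CN=testuser,CN=Users,DC=s4hj,DC=example
objectClass: user
uidNumber: 10000
gidNumber: 10001

# record 2
dn: CN=testgroup,OU=Groups
 ,DC=s4hj,DC=example
objectClass: group
gidNumber: 10000

# returned 2 records
"""

if __name__ == "__main__":
    sys.stdout.write(fix_ldif(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE))
```

Run it as `ldbsearch -H /etc/samba/sam.ldb '(|(uidNumber=*)(gidNumber=*))' objectClass uidNumber gidNumber | python3 add_posix_classes.py`, review the printed LDIF, and then feed it to `ldbmodify -H /etc/samba/sam.ldb`.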