[Samba] RFC2307 & Samba4 [Was: Linux users and Samba 4]

steve steve at steve-ss.com
Thu Feb 9 06:12:39 MST 2012

On 13/01/12 16:59, Adam Tauno Williams wrote:
> On Fri, 2012-01-13 at 10:32 -0500, Adam Tauno Williams wrote:
>> On Fri, 2012-01-13 at 02:51 +0100, steve wrote:
>>> On 12/01/12 23:02, Adam Tauno Williams wrote:
>>>> Quoting steve<steve at steve-ss.com>:
>>>>>>>> Samba4's winbind does not support RFC2307,  so doing this is pretty
>>>>>>>> rough.  I think you need to either use CIFS + winbind everywhere or
>>>>>>>> somehow maintain an external idmap.
>>>>>>>> Yea, it is horrible.  We are staring down the barrel of the same
>>>>>>>> gun.
>>>>>> As Jeremy said, they are discussing what needs to be done before
>>>>>> releasing Samba 4.0.0 and how to reconcile Samba 3's winbind and Samba
>>>>>> 4's winbind etc., so if something that is critical for you does not
>>>>>> currently work, you should file a bug report.
>>>>> Yep. I realise the 'alphaness' of Samba 4 but I think I am not alone
>>>>> with my issue. I think it should be easy to fix now before it goes beta.
>>>>> https://bugzilla.samba.org/show_bug.cgi?id=8635
>>>> Holy awesome; it got better.  I just tested an upgrade of our
>>>> production domain and it appears that Samba4 took [and kept] the UID
>>>> number from the existing account.
>>>> Production
>>>> -------------
>>>> [root at littleboy ~]# id adam
>>>> uid=437(adam) gid=230(cis) groups=230(cis)
>>>> Test Server
>>>> ------------
>>>> barbel:~ # wbinfo -i adam
>>>> BACKBONE\adam:*:437:100:Adam Williams:/home/BACKBONE/adam:/bin/false
>>>> Home directory is a bit weird, and the gidNumber didn't stick.  But at
>>>> least I have the uidNumber.
>>>> 4.0.0alpha18-GIT-103c1cb [openSUSE 12.1 x86_64] transitioned via
>>>> "samba-tool domain samba3upgrade" from Samba S3w/LDAPSAM.
>>> Nice find you have there. Meanwhile I've got it working. Very rough. But
>>> working for 10 hour Kerberos sessions at a time;)
>>> http://linuxcostablanca.blogspot.com/2011/12/samba-4-linux-integration-first-i-want.html
>>> Steve
>> What I'm puzzled by [and maybe this is a deficiency in Samba4 still] is
>> that while the LDAP modify works the wbinfo output doesn't change.
>> dn: CN=adam,CN=Users,DC=micore,DC=us
>> changetype: modify
>> add: objectclass
>> objectclass: posixaccount
>> -
>> add: objectclass
>> objectclass: shadowaccount
>> -
>> add: uidnumber
>> uidnumber: 437
>> -
>> add: gidnumber
>> gidnumber: 230
>> -
>> add:unixhomedirectory
>> unixhomedirectory: /home/adam
>> -
>> add: loginshell
>> loginshell: /bin/ksh
>> barbel:~ # wbinfo -i adam
>> BACKBONE\adam:*:437:100:Adam Williams:/home/BACKBONE/adam:/bin/false
> I am able to get my home-directory path back to the previous value
> [ based on the useful information from this link -
> <https://lists.samba.org/archive/samba/2010-May/156051.html>  ]
> Setting: template homedir = /home/%ACCOUNTNAME%
> The old %U type variables aren't supported.  But the above results in
> the same thing -
> barbel:/opt/s4 # wbinfo -i adam
> BACKBONE\adam:*:437:100:Adam Williams:/home/adam:/bin/false
> I found a list of Windows environment variables here
> <http://vlaurie.com/computers2/Articles/environment.htm>   According to the
> old 2010 thread these are now expanded on the client side in Microsoft
> fashion rather than expanded on the server [in the config backend??].
You have to rfc2307-ify the group too. e.g.:
samba-tool group add suseusers
samba-tool group addmembers suseusers steve6

wbinfo --group-info=suseusers

kinit Administrator

ldapmodify -h -D cn=Administrator,cn=Users,dc=hh3,dc=site -Y 
dn: cn=suseusers,sn=Users,dc=hh3,dc=site
changetype: modify
add: objectClass
objectClass: posixAccount
-
add: objectClass
objectClass: posixGroup
<hit enter + ctrl C. . .bug in os 12.1??>
Use nslcd to map uid:gid from LDAP:
passwd:    files ldap
group: files ldap

and then:
hh3:/home/steve # getent passwd steve6
hh3:/home/steve # getent group suseusers
hh3:/home/steve # wbinfo -i steve6

Linux= nfs4/idmapd. w7= out of the box.

hh3:/tmp # id steve6
uid=3000015(steve6) gid=3000016(suseusers) groups=3000016(suseusers)

steve6 at hh6:~> id
uid=3000015(steve6) gid=3000016(suseusers) groups=3000016(suseusers)
steve6 at hh6:~> echo "Hola" > file
steve6 at hh6:~> ls -l file
-rw-r--r-- 1 steve6 suseusers 5 Feb  9 13:52 file

Maybe I should add this to the bug report.
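
The check discussed in this thread (LDAP modify succeeds, but `wbinfo -i` still shows the old values), written as an added example that is not part of the original post or of Samba: it compares the RFC2307 attributes in an LDIF modify record with a passwd-style line from `wbinfo -i` or `getent passwd`. The function names are hypothetical; the sample input is taken from the quoted messages above, with the objectclass changes left out.

```python
# Sample input taken from the thread (objectclass changes left out).
LDIF = """\
dn: CN=adam,CN=Users,DC=micore,DC=us
changetype: modify
add: uidnumber
uidnumber: 437
-
add: gidnumber
gidnumber: 230
-
add:unixhomedirectory
unixhomedirectory: /home/adam
-
add: loginshell
loginshell: /bin/ksh
"""
WBINFO = r"BACKBONE\adam:*:437:100:Adam Williams:/home/BACKBONE/adam:/bin/false"

# RFC2307 attribute (lower-cased) -> passwd field it should end up in
FIELDS = {"uidnumber": "uid", "gidnumber": "gid",
          "unixhomedirectory": "home", "loginshell": "shell"}

def parse_ldif_modify(text):
    """Return {attribute: value} for attributes an LDIF modify adds or replaces."""
    attrs, pending = {}, None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if not sep:                      # "-" separator or blank line ends a change
            pending = None
        elif key in ("add", "replace"):  # names the attribute on the next line
            pending = value.lower()
        elif key == pending:
            attrs[key] = value
    return attrs

def parse_passwd(line):
    """Split a passwd(5)-format line as printed by `wbinfo -i` or getent."""
    name, _pw, uid, gid, _gecos, home, shell = line.strip().split(":", 6)
    return {"name": name, "uid": uid, "gid": gid, "home": home, "shell": shell}

def rfc2307_mismatches(ldif_text, passwd_line):
    """Return {attribute: (directory value, resolved value)} where they differ."""
    want, got = parse_ldif_modify(ldif_text), parse_passwd(passwd_line)
    return {a: (want[a], got[f]) for a, f in FIELDS.items()
            if a in want and want[a] != got[f]}

if __name__ == "__main__":
    for attr, (ldap, nss) in rfc2307_mismatches(LDIF, WBINFO).items():
        print(f"{attr}: directory={ldap} resolved={nss}")
```

Running the same comparison on every host that mounts the shared files shows whether they all resolve an account to the same uid:gid, which is what file ownership over NFS depends on.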
