[Samba] RFC2307 & Samba4 [Was: Linux users and Samba 4]
steve at steve-ss.com
Fri Jan 13 15:21:36 MST 2012
On 13/01/12 16:32, Adam Tauno Williams wrote:
> On Fri, 2012-01-13 at 02:51 +0100, steve wrote:
>> On 12/01/12 23:02, Adam Tauno Williams wrote:
>>> Quoting steve<steve at steve-ss.com>:
>>>>>>> Samba4's winbind does not support RFC2307, so doing this is pretty
>>>>>>> rough. I think you need to either use CIFS + winbind everywhere or
>>>>>>> somehow maintain an external idmap.
>>>>>>> Yea, it is horrible. We are staring down the barrell of the same
>>>>> As Jeremy said, they are discussing what needs to be done before
>>>>> releasing Samba 4.0.0 and how to reconcile Samba 3's winbind and Samba
>>>>> 4's winbind etc., so if something that is critical for you does not
>>>>> currently work, you should file a bug report.
>>>> Yep. I realise the 'alphaness' of Samba 4 but I think I am not alone
>>>> with my issue. I think I should be easy to fix now before it goes beta.
>>> Holy awesome; it got better. I just tested an upgrade of our
>>> production domain and it appears that Samba4 took [and kept] the UID
>>> number from the existing account.
>>> [root at littleboy ~]# id adam
>>> uid=437(adam) gid=230(cis) groups=230(cis)
>>> Test Server
>>> barbel:~ # wbinfo -i adam
>>> BACKBONE\adam:*:437:100:Adam Williams:/home/BACKBONE/adam:/bin/false
>>> Home directory is a bit wierd, and the gidNumber didn't stick. But at
>>> least I have the uidNumber.
>>> 4.0.0alpha18-GIT-103c1cb [openSUSE 12.1 x86_64] transitioned via
>>> "samba-tool domain samba3upgrade" from Samba S3w/LDAPSAM.
>> Nice find you have there. Meanwhile I've got it working. Very rough. But
>> working for 10 hour Kerberos sessions at a time;)
> What I'm puzzled by [and maybe this is a deficiency in Samba4 still] is
> that while the LDAP modify works the wbinfo output doesn't change.
> dn: CN=adam,CN=Users,DC=micore,DC=us
> changetype: modify
> add: objectclass
> objectclass: posixaccount
> add: objectclass
> objectclass: shadowaccount
> add: uidnumber
> uidnumber: 437
> add: gidnumber
> gidnumber: 230
> unixhomedirectory: /home/adam
> add: loginshell
> loginshell: /bin/ksh
> barbel:~ # wbinfo -i adam
> BACKBONE\adam:*:437:100:Adam Williams:/home/BACKBONE/adam:/bin/false
> So obviously the gidNumber attribute is ignored. The uidNumber
> attribute didn't exist in the object - so that is obviously coming from
> elsewhere. Guess I need to dig into winbind.
> I'm currently *assuming* that these attributes are compatible with SFU
> for Windows and that they'd replicate to a Windows AD server.
Yes, you can change the uidnumber but not the gidnumber. In your
example, it missed the shell too although it works if you put e.g.
template shell = /bin/bash in smb.conf.
Using the openSUSE nss-pam-ldapd module I have this:
# Mappings for Services for UNIX 3.5
#filter passwd (objectClass=User)
#map passwd uid msSFU30Name
#map passwd userPassword msSFU30Password
#map passwd homeDirectory msSFU30HomeDirectory
#map passwd homeDirectory msSFUHomeDirectory
#filter shadow (objectClass=User)
#map shadow uid msSFU30Name
#map shadow userPassword msSFU30Password
#filter group (objectClass=Group)
#map group uniqueMember msSFU30PosixMember
# Mappings for Active Directory
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
#map passwd gecos displayName
map shadow uid sAMAccountName
#map shadow shadowLastChange pwdLastSet
#filter group (objectClass=group)
#map group uniqueMember member
I feel I'm getting somewhere at last!
More information about the samba