[Samba] RFC2307 & Samba4 [Was: Linux users and Samba 4]

steve steve at steve-ss.com
Fri Jan 13 15:21:36 MST 2012

On 13/01/12 16:32, Adam Tauno Williams wrote:
> On Fri, 2012-01-13 at 02:51 +0100, steve wrote:
>> On 12/01/12 23:02, Adam Tauno Williams wrote:
>>> Quoting steve<steve at steve-ss.com>:
>>>>>>> Samba4's winbind does not support RFC2307,  so doing this is pretty
>>>>>>> rough.  I think you need to either use CIFS + winbind everywhere or
>>>>>>> somehow maintain an external idmap.
>>>>>>> Yea, it is horrible.  We are staring down the barrell of the same
>>>>>>> gun.
>>>>> As Jeremy said, they are discussing what needs to be done before
>>>>> releasing Samba 4.0.0 and how to reconcile Samba 3's winbind and Samba
>>>>> 4's winbind etc., so if something that is critical for you does not
>>>>> currently work, you should file a bug report.
>>>> Yep. I realise the 'alphaness' of Samba 4 but I think I am not alone
>>>> with my issue. I think I should be easy to fix now before it goes beta.
>>>> https://bugzilla.samba.org/show_bug.cgi?id=8635
>>> Holy awesome; it got better.  I just tested an upgrade of our
>>> production domain and it appears that Samba4 took [and kept] the UID
>>> number from the existing account.
>>> Production
>>> -------------
>>> [root at littleboy ~]# id adam
>>> uid=437(adam) gid=230(cis) groups=230(cis)
>>> Test Server
>>> ------------
>>> barbel:~ # wbinfo -i adam
>>> BACKBONE\adam:*:437:100:Adam Williams:/home/BACKBONE/adam:/bin/false
>>> Home directory is a bit wierd, and the gidNumber didn't stick.  But at
>>> least I have the uidNumber.
>>> 4.0.0alpha18-GIT-103c1cb [openSUSE 12.1 x86_64] transitioned via
>>> "samba-tool domain samba3upgrade" from Samba S3w/LDAPSAM.
>> Nice find you have there. Meanwhile I've got it working. Very rough. But
>> working for 10 hour Kerberos sessions at a time;)
>> http://linuxcostablanca.blogspot.com/2011/12/samba-4-linux-integration-first-i-want.html
>> Steve
> What I'm puzzled by [and maybe this is a deficiency in Samba4 still] is
> that while the LDAP modify works the wbinfo output doesn't change.
> dn: CN=adam,CN=Users,DC=micore,DC=us
> changetype: modify
> add: objectclass
> objectclass: posixaccount
> -
> add: objectclass
> objectclass: shadowaccount
> -
> add: uidnumber
> uidnumber: 437
> -
> add: gidnumber
> gidnumber: 230
> -
> add:unixhomedirectory
> unixhomedirectory: /home/adam
> -
> add: loginshell
> loginshell: /bin/ksh
> barbel:~ # wbinfo -i adam
> BACKBONE\adam:*:437:100:Adam Williams:/home/BACKBONE/adam:/bin/false
> So obviously the gidNumber attribute is ignored.  The uidNumber
> attribute didn't exist in the object - so that is obviously coming from
> elsewhere.  Guess I need to dig into winbind.
> I'm currently *assuming* that these attributes are compatible with SFU
> for Windows and that they'd replicate to a Windows AD server.
Yes, you can change the uidnumber but not the gidnumber. In your 
example, it missed the shell too although it works if you put e.g. 
template shell = /bin/bash in smb.conf.

Using the openSUSE nss-pam-ldapd module I have this:

# Mappings for Services for UNIX 3.5
#filter passwd (objectClass=User)
#map    passwd uid              msSFU30Name
#map    passwd userPassword     msSFU30Password
#map    passwd homeDirectory    msSFU30HomeDirectory
#map    passwd homeDirectory    msSFUHomeDirectory
#filter shadow (objectClass=User)
#map    shadow uid              msSFU30Name
#map    shadow userPassword     msSFU30Password
#filter group  (objectClass=Group)
#map    group  uniqueMember     msSFU30PosixMember

# Mappings for Active Directory
#pagesize 1000
#referrals off
#filter passwd 
map    passwd uid              sAMAccountName
map    passwd homeDirectory    unixHomeDirectory
#map    passwd gecos            displayName
#filter shadow 
map    shadow uid              sAMAccountName
#map    shadow shadowLastChange pwdLastSet
#filter group  (objectClass=group)
#map    group  uniqueMember     member

I feel I'm getting somewhere at last!

More information about the samba mailing list