[Samba] Failing to get uids from AD
Heather Choi
hceuterpe at gmail.com
Mon Jul 16 17:42:15 MDT 2012
I noticed you tried to comment out the default idmap section. The range
also starts very low, (too low). I think you might be running into
uid/gid collisions because of that.
Something like this is more preferrable (in addition to setting your
ranges):
idmap config * : backend = tdb
idmap config * : range = 1000000-1999999
idmap config CORP : backend = ad
idmap config CORP : range = 900-999999
idmap config CORP : schema_mode = rfc2307
You want to make sure you retain the local allocation for stuff like
BUILTIN. Also you may want to start at 1000 for your range for CORP, to
make it more logical (i.e. so they are always at least 4 digits long).
You also have to make sure you set the groups properly.
Isn't the use of idmap = ad somewhat moot now that they revised (and
mostly 'fixed') id mapping in Samba 3.6?
On 07/16/2012 03:57 AM, Jonathan Buzzard wrote:
> On 14/07/12 17:50, Nick Triantos wrote:
>> Hi,
>>
>> I'm still having trouble getting Samba 3.6.3 / Winbind to fetch UIDs
>> from AD 2008 R2 with the Services for Unix feature installed. My
>> users have uidNumber fields which contain the UIDs I want. I'm on
>> Ubuntu 12.04
>>
>> The global part of my smb.conf. I've tried changing 'winbind nss
>> info' and 'schema_mode' to sfu as well.
>>
>> security = ADS
>> realm = CORP.mycompany.COM
>> allow trusted domains = yes
>> winbind use default domain = yes
>> winbind nested groups = YES
>> winbind enum groups = yes
>> winbind enum users = yes
>> winbind nss info = rfc2307
>> winbind refresh tickets = yes
>> idmap config CORP : backend = ad
>> idmap config CORP : schema_mode = rfc2307
>> #idmap config * : backend = tdb
>> idmap config * : default = yes
>> idmap config * : range = 900 - 99999
>>
>
> There is no range here for the ad backend. From what I have determined
> empirically is that you need to specify ranges for both that don't
> overlap. That said this is now covered in the manual page, but it is
> vitally important and it won't work properly without it. What I do is
> specify a small range really high up well out of the way of anything
> being allocated in the AD for the tdb backend.
>
> JAB.
>
More information about the samba
mailing list