[Samba] Failing to get uids from AD

Heather Choi hceuterpe at gmail.com
Mon Jul 16 17:42:15 MDT 2012


I noticed you tried to comment out the default idmap section. The range 
also starts very low (too low). I think you might be running into 
uid/gid collisions because of that.
Something like this is more preferable (in addition to setting your 
ranges):

     
     idmap config * : backend = tdb
     idmap config * : range = 1000000-1999999

     idmap config CORP : backend = ad
     idmap config CORP : range = 900-999999
     idmap config CORP : schema_mode = rfc2307

You want to make sure you retain the local allocation for stuff like 
BUILTIN.  Also you may want to start at 1000 for your range for CORP, to 
make it more logical (i.e. so they are always at least 4 digits long).  
You also have to make sure you set the groups properly.

Isn't the use of idmap = ad somewhat moot now that they revised (and 
mostly 'fixed') id mapping in Samba 3.6?

On 07/16/2012 03:57 AM, Jonathan Buzzard wrote:
> On 14/07/12 17:50, Nick Triantos wrote:
>> Hi,
>>
>> I'm still having trouble getting Samba 3.6.3 / Winbind to fetch UIDs 
>> from AD 2008 R2 with the Services for Unix feature installed. My 
>> users have uidNumber fields which contain the UIDs I want. I'm on 
>> Ubuntu 12.04
>>
>> The global part of my smb.conf. I've tried changing 'winbind nss 
>> info' and 'schema_mode' to sfu as well.
>>
>>     security = ADS
>>     realm = CORP.mycompany.COM
>>     allow trusted domains = yes
>>     winbind use default domain = yes
>>     winbind nested groups = YES
>>     winbind enum groups = yes
>>     winbind enum users = yes
>>     winbind nss info = rfc2307
>>     winbind refresh tickets = yes
>>     idmap config CORP : backend = ad
>>     idmap config CORP : schema_mode = rfc2307
>>     #idmap config * : backend = tdb
>>     idmap config * : default = yes
>>     idmap config * : range = 900 - 99999
>>
>
> There is no range here for the ad backend. What I have determined 
> empirically is that you need to specify ranges for both that don't 
> overlap. That said this is now covered in the manual page, but it is 
> vitally important and it won't work properly without it. What I do is 
> specify a small range really high up well out of the way of anything 
> being allocated in the AD for the tdb backend.
>
> JAB.
>
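
The two checks discussed in this thread (every idmap domain has its own range, and no two ranges overlap), as an added example that is not part of the original messages or of Samba: a Python check over the `idmap config` lines of an smb.conf. The `MIN_ID` floor of 1000 and the two sample texts are assumptions, constructed from the configurations quoted above.

```python
import re
from itertools import combinations

# Matches lines such as "idmap config CORP : range = 900-999999"
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*([\w ]+?)\s*=\s*(.+?)\s*$", re.I)
MIN_ID = 1000  # assumption: lower IDs are left to local system accounts

def parse_idmap(conf_text):
    """Return {domain: {option: value}} for the active idmap config lines."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)  # lines commented out with # or ; never match
        if m:
            domain, option, value = m.groups()
            domains.setdefault(domain, {})[option.lower()] = value
    return domains

def check_idmap(conf_text):
    """Return findings about missing, low or overlapping ID ranges."""
    findings, ranges = [], []
    for domain, opts in parse_idmap(conf_text).items():
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", opts.get("range", ""))
        if not m:
            findings.append(f"{domain}: no range set")
            continue
        low, high = int(m.group(1)), int(m.group(2))
        if low < MIN_ID:
            findings.append(f"{domain}: range starts at {low}, below {MIN_ID}")
        ranges.append((low, high, domain))
    for (lo_a, hi_a, a), (lo_b, hi_b, b) in combinations(ranges, 2):
        if lo_a <= hi_b and lo_b <= hi_a:  # closed intervals intersect
            findings.append(f"{a} and {b}: ranges overlap")
    return findings

# Constructed samples modelled on the two configurations in the thread.
ORIGINAL = """
    idmap config CORP : backend = ad
    idmap config CORP : schema_mode = rfc2307
    #idmap config * : backend = tdb
    idmap config * : default = yes
    idmap config * : range = 900 - 99999
"""
SUGGESTED = """
    idmap config * : backend = tdb
    idmap config * : range = 1000000-1999999
    idmap config CORP : backend = ad
    idmap config CORP : range = 900-999999
    idmap config CORP : schema_mode = rfc2307
"""
```

`check_idmap(ORIGINAL)` reports the missing CORP range and the low default range; `check_idmap(SUGGESTED)` reports only that the CORP range starts below 1000.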
