[Samba] Failing to get uids from AD

Nick Triantos nick at triantos.com
Mon Jul 16 10:34:22 MDT 2012 

Thanks Jonathan, but it didn't work for me. I updated my config to look like this:
   security = ADS
   realm = CORP.mycompany.COM
   allow trusted domains = yes
   winbind use default domain = yes
   winbind nested groups = YES
   winbind enum groups = yes
   winbind enum users = yes
   winbind nss info = rfc2307
   winbind refresh tickets = yes
   idmap config CORP : backend = ad
   idmap config CORP : schema_mode = rfc2307
   idmap config CORP : 1000 - 99999
   #idmap config * : backend = tdb
   idmap config * : default = yes
   idmap config * : range = 100000 - 199999

And after restarting smbd and winbindd, my ID came back as 100000 instead of the expected 1001.

Is there some other element missing from my "idmap config CORP" sections to somehow associate it with this specific AD server? Or does the "CORP" identifier suffice?

thanks again!
-Nick


On Jul 16, 2012, at 1:57 AM, Jonathan Buzzard wrote:

> On 14/07/12 17:50, Nick Triantos wrote:
>> Hi,
>> 
>> I'm still having trouble getting Samba 3.6.3 / Winbind to fetch UIDs from AD 2008 R2 with the Services for Unix feature installed. My users have uidNumber fields which contain the UIDs I want. I'm on Ubuntu 12.04
>> 
>> The global part of my smb.conf. I've tried changing 'winbind nss info' and 'schema_mode' to sfu as well.
>> 
>>    security = ADS
>>    realm = CORP.mycompany.COM
>>    allow trusted domains = yes
>>    winbind use default domain = yes
>>    winbind nested groups = YES
>>    winbind enum groups = yes
>>    winbind enum users = yes
>>    winbind nss info = rfc2307
>>    winbind refresh tickets = yes
>>    idmap config CORP : backend = ad
>>    idmap config CORP : schema_mode = rfc2307
>>    #idmap config * : backend = tdb
>>    idmap config * : default = yes
>>    idmap config * : range = 900 - 99999
>> 
> 
> There is no range here for the ad backend. From what I have determined empirically is that you need to specify ranges for both that don't overlap. That said this is now covered in the manual page, but it is vitally important and it won't work properly without it. What I do is specify a small range really high up well out of the way of anything being allocated in the AD for the tdb backend.
> 
> JAB.
> 
> -- 
> Jonathan A. Buzzard                 Email: jonathan (at) buzzard.me.uk
> Fife, United Kingdom.

More information about the samba mailing list