[Samba] idmap backend = ad and Active Directory 2008R2

Randy Rue randyrue at gmail.com
Tue May 29 16:41:01 MDT 2012

Hello All,

I'm trying to set up linux ssh/shell authentication on a CentOS_6.2 server
running smbd version 3.5.10-114 using winbind/smb/pam. We've done this
successfully using the tdb backend but wanted users to get the same UID/GID
on every machine. Switched to rid for the backend but users still got a
foreign number for UID and their default group was always Domain Users. So
I'm trying to get a working setup for using our AD and the Windows
Attributes for their UID and GID.

After about a week of crawling the web and rooting through others' copies of
smb.conf I've assembled the following config file. I think I understand what
every line does and have pared it down to the minimum. UIDs are the same as
employeeID and should always be 5000-70000. Anyone logging in NOT from the
AD will be in /etc/passwd and /etc/grp so there shouldn't be any need for a
local tdb backend. wbinfo -g or -u returns AD groups and users but getent
fails for any AD user or group. And it still doesn't work. In fact, it
doesn't allow logins at all (every SSH attempt kicks up an "invalid user"
line across syslog). Or, if I roll back far enough to the rid version, I can
log in but get the wrong (rid-based) UID and GID.

Can anyone tell me what's wrong with the file below? Or at least provide a
working example? Is there a complete howto anywhere for SMB3.5 and AD2008R2?

Hope to hear from you,


   workgroup = FOO
   password server = dcx.foo.org dcy.foo.org dcz.foo.org
   realm = FOO.ORG
   security = ads
   winbind use default domain = true
   winbind offline logon = false
   log file = /var/log/samba/%m.log
   max log size = 100
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   dns proxy = no
   idmap config FHCRC : default = yes
   idmap config FHCRC : backend = ad
   idmap config FHCRC : schema_mode = rfc2307
   idmap config FHCRC : range = 5000 - 70000
   allow trusted domains = No
   winbind enum users = Yes
   winbind enum groups = Yes
   winbind nested groups = Yes
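Added example, not part of the post above: a small consistency check over the idmap lines of a Samba 3.x smb.conf. It assumes the label in "idmap config <DOMAIN> : ..." must be either "*" or the short domain name given by "workgroup" for winbind to apply that block to the joined domain, and that "range" must have the form "low - high"; the sample config is a constructed copy of the posted one.

```python
# Added example (not from the mailing-list post). Parses the
# "idmap config <DOMAIN> : <key> = <value>" lines of an smb.conf and
# checks the DOMAIN label against "workgroup" and the range syntax.
import re

IDMAP_RE = re.compile(r"^idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)$", re.I)
PARAM_RE = re.compile(r"^([a-z][\w ]*?)\s*=\s*(.+?)$", re.I)

# Constructed sample: the posted config, reduced to the relevant lines.
SAMPLE_SMB_CONF = """[global]
   workgroup = FOO
   realm = FOO.ORG
   security = ads
   idmap config FHCRC : default = yes
   idmap config FHCRC : backend = ad
   idmap config FHCRC : schema_mode = rfc2307
   idmap config FHCRC : range = 5000 - 70000
"""

def parse_smb_conf(text):
    """Return (plain parameters, {DOMAIN: {key: value}}) from smb.conf text."""
    params, idmap = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":      # skip comments and [section] headers
            continue
        m = IDMAP_RE.match(line)
        if m:
            idmap.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3).strip()
            continue
        m = PARAM_RE.match(line)
        if m:
            params[m.group(1).lower()] = m.group(2).strip()
    return params, idmap

def check_idmap(params, idmap):
    """Return a list of findings; an empty list means nothing obviously wrong."""
    findings = []
    workgroup = params.get("workgroup", "").upper()
    for dom, cfg in idmap.items():
        # A block whose label is neither "*" nor the workgroup is not applied
        # to the joined domain (assumption stated in the lead-in).
        if dom not in ("*", workgroup):
            findings.append(f"idmap config label {dom} does not match workgroup {workgroup}")
        rng = re.fullmatch(r"(\d+)\s*-\s*(\d+)", cfg.get("range", ""))
        if not rng or int(rng.group(1)) >= int(rng.group(2)):
            findings.append(f"idmap range for {dom} is missing or not 'low - high'")
    return findings
```

Calling `check_idmap(*parse_smb_conf(SAMPLE_SMB_CONF))` on the sample reports the FHCRC/FOO label mismatch and nothing else.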
