[Samba] idmap backend = ad and Active Directory 2008R2
Jonathan Buzzard
jonathan at buzzard.me.uk
Wed May 30 06:10:59 MDT 2012
On Tue, 2012-05-29 at 15:41 -0700, Randy Rue wrote:
>
> Can anyone tell me what's wrong with the below file? Or at least provide a
> working example? Is there a complete howto anywhere for SMB3.5 and AD2008R2?
>
Yes, for starters where is the default writable backend that is required
as specified in "man idmap_ad"?

You need some lines like the following

    idmap backend = tdb
    idmap uid = 1000000-1999999
    idmap gid = 1000000-1999999

Where those numbers don't overlap with the numbers for your FHCRC
domain.

> Hope to hear from you,
>
> rrue
> seattle
>
> /etc/samba/smb.conf:
> [global]
> workgroup = FOO
> password server = dcx.foo.org dcy.foo.org dcz.foo.org
> realm = FOO.ORG
> security = ads
> winbind use default domain = true
> winbind offline logon = false
> log file = /var/log/samba/%m.log
> max log size = 100
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> dns proxy = no
> idmap config FHCRC : default = yes
> idmap config FHCRC : backend = ad
> idmap config FHCRC : schema_mode = rfc2307
> idmap config FHCRC : range = 5000 - 70000
> allow trusted domains = No
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind nested groups = Yes

I also don't see a "winbind nss info = rfc2307" line either so it is not
clear how the UIDs and GIDs from the AD scheme are getting through to
Linux.

Note, for reasons I don't follow, the primary GID of the user is
calculated from the "primaryGroupID" attribute.

JAB.
--
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
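
The checks raised in this reply, written as a small script. This is an added example, not part of the original message and not Samba code. The function names are hypothetical, and the sample configurations are constructed from lines quoted in the thread.

```python
import re

def parse_global(text):
    """Return [global] parameters; names lower-cased, whitespace collapsed."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            key = re.sub(r"\s*:\s*", " : ", " ".join(key.lower().split()))
            params[key] = value.strip()
    return params

def parse_range(value):
    m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value.strip())
    if not m or int(m.group(1)) > int(m.group(2)):
        raise ValueError(f"bad id range: {value!r}")
    return int(m.group(1)), int(m.group(2))

def check_idmap(text):
    """List the problems this reply points out, in a fixed order."""
    p, problems = parse_global(text), []
    required = ("idmap backend", "idmap uid", "idmap gid", "winbind nss info")
    problems += [f"missing: {name}" for name in required if name not in p]
    domains = {k: parse_range(v) for k, v in p.items()
               if re.fullmatch(r"idmap config \S+ : range", k)}
    for name in ("idmap uid", "idmap gid"):
        if name not in p:
            continue
        lo, hi = parse_range(p[name])
        for k, (dlo, dhi) in domains.items():
            if lo <= dhi and dlo <= hi:  # closed intervals intersect
                problems.append(f"overlap: {name} {lo}-{hi} vs {k} {dlo}-{dhi}")
    return problems

# Constructed samples built from lines quoted in this thread.
POSTED = """[global]
idmap config FHCRC : backend = ad
idmap config FHCRC : range = 5000 - 70000
"""
ADVISED = POSTED + "idmap backend = tdb\nidmap uid = 1000000-1999999\n" \
    "idmap gid = 1000000-1999999\nwinbind nss info = rfc2307\n"
if __name__ == "__main__":
    for label, conf in (("posted", POSTED), ("advised", ADVISED)):
        print(label, check_idmap(conf) or "ok")
```

An overlap matters because two different accounts could then resolve to the same Unix ID and inherit each other's file access.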