[Samba] samba4 rfc2307 practice and confusion

Sat Apr 13 10:49:50 MDT 2013

   I set up a small Samba 4.0.5 AD DC server. My clients are Windows 7 and
Linux, and I use Windows 7 with the remote management tools to manage the
rfc2307 account settings of the samba4 DC. I hope my users can use the same
account on Windows and Linux.

  The samba4 DC provision command is as below:
  samba-tool domain provision --use-rfc2307 --function-level=2008_R2

   and the smb.conf global section for the samba4 DC is below:
        workgroup = DOM
        realm = AD.DOM.COM.TW
        netbios name = DC
        server role = active directory domain controller
        dns forwarder =
        idmap_ldb:use rfc2307 = yes
        template shell = /bin/bash
        winbind nss info = rfc2307

 Under the samba4 DC, with the "getent passwd" command, the situation is below:
 1. The uid and gid are correct. "getent group" works.
 2. The shell and homedir are not correct. "winbind nss info = rfc2307" is
useless; samba4 always uses the template for "shell" and "homedir". And even
worse, if I set "template homedir = /home/%U", the "%U" macro is ignored,
so everyone's homedir is just "/home/%U". However, the default "/home/%D/%U"
works if you don't set any "template homedir". So not setting any
"template homedir" is the only way that works under the samba4 DC.

Under another Scientific Linux 6.4 workstation (which comes with Samba 3.6.9;
I also tried 3.6.13), the global section of smb.conf is below:
   workgroup = DOM
   password server = DC.AD.DOM.COM.TW
   realm = AD.DOM.COM.TW
   security = ads
   idmap config *:backend = tdb
   idmap config *:range = 2001-3000
   idmap config DOM:backend = ad
   idmap config DOM:default = yes
   idmap config DOM:range = 1000-2000
   idmap config DOM:schema_mode = rfc2307
   winbind nss info = rfc2307
   winbind enum users = yes
   winbind enum groups = yes
   winbind use default domain = yes

  The situation is below:
  1. uid, shell and home are correct from rfc2307, but gid is not, and
"getent group" never works.
  2. The gid comes from the domain account's "primary group". So to make my
Linux client work, I need to set up a special domain group, set the group's
rfc2307 gid number (I set it to 1000), and change every user's primary group
from "domain users" to the special domain group; then I can get the correct
"getent passwd".

  I searched the Samba wiki and mailing list; there is very little information
about rfc2307 (but many questions and confusion without reply on the mailing
list). So I post my experience here, and I wonder whether the strange behavior
is a bug or a feature. I wonder what the original design idea is for using
rfc2307 under a Samba 4 domain?

 Thanks for advice.
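An added example, not from the original post and not part of Samba: a small POSIX shell/awk check that flags the two symptoms described above in "getent passwd" output, namely an unexpanded template macro in the home directory or shell, and a primary gid that "getent group" cannot resolve. The sample passwd and group lines are constructed, and the function name check_nss is my own.

```shell
#!/bin/sh
# Added example (not from the original post). Audits "getent passwd" and
# "getent group" style text for the two problems discussed above. The sample
# data below is constructed to resemble winbind NSS output on a client; it
# is not taken from a real domain.

SAMPLE_PASSWD='alice:*:1001:1000:alice:/home/%U:/bin/bash
bob:*:1002:1000:bob:/home/DOM/bob:/bin/bash
carol:*:1003:513:carol:/home/DOM/carol:/bin/false'

SAMPLE_GROUP='linuxusers:x:1000:alice,bob,carol
domain admins:x:1010:alice'

# check_nss PASSWD_TEXT GROUP_TEXT
# Prints one line per problem found, then the total number of problems as
# the last line (0 means every entry looks sane).
check_nss() {
    # Collect the gids that the group data can resolve, space separated,
    # so awk only has to look them up.
    known_gids=$(printf '%s\n' "$2" | cut -d: -f3 | tr '\n' ' ')
    printf '%s\n' "$1" | awk -F: -v gidlist="$known_gids" '
        BEGIN {
            n = split(gidlist, g, " ")
            for (i = 1; i <= n; i++) if (g[i] != "") gids[g[i]] = 1
        }
        NF >= 7 {
            user = $1; gid = $4; home = $6; shell = $7
            # a literal "%U", "%D" etc. means winbind never expanded the template
            if (home ~ /%[A-Za-z]/ || shell ~ /%[A-Za-z]/) {
                print user ": unexpanded template macro in " home " " shell
                bad++
            }
            # the primary gid must exist in the group database
            if (!(gid in gids)) {
                print user ": primary gid " gid " is not resolvable via getent group"
                bad++
            }
        }
        END { print bad + 0 }'
}

# Run against the constructed sample: alice (macro) and carol (gid 513) are
# flagged, so the final line is 2.
check_nss "$SAMPLE_PASSWD" "$SAMPLE_GROUP"
```

On a real client, feed it live data with `check_nss "$(getent passwd)" "$(getent group)"`.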


