[Samba] samba4 rfc2307 practice and confuse

Gémes Géza geza at kzsdabas.hu
Sat Apr 13 22:49:29 MDT 2013

On 2013-04-13 18:49, d tbsky wrote:
> hi:
>     I set up a small samba 4.0.5 AD DC server. my client is windows 7 and
> linux. and I use windows 7 with remote management tools to manage rfc2307
> account settings of samba4 DC. I hope my users can use the same account to
> use windows and linux.
>    samba4 DC provision command as below:
>    samba-tool domain provision --use-rfc2307 --function-level=2008_R2
> --interactive
>     and smb.conf global section for samba4 DC below:
>          workgroup = DOM
>          realm = AD.DOM.COM.TW
>          netbios name = DC
>          server role = active directory domain controller
>          dns forwarder =
>          idmap_ldb:use rfc2307 = yes
>          template shell = /bin/bash
>          winbind nss info = rfc2307
>   under samba4 DC, with "getent passwd" command, the situation is below:
>   1. the uid and gid are correct. "getent group" works.
>   2. the shell and homedir is not correct. "winbind nss info = rfc2307" is
> useless, samba4 always use template for "shell" and "homedir". and even
> worse, if I set "template homedir = /home/%U", the "%U" macro is ignored,
> so everyone's homedir is just "/home/%U". however the default "/home/%D/%U"
> is working if you didn't set any "template homedir".  so not setting any
> "template homedir" is the only way you can get under samba4 DC.
Unfortunately the winbind implementation that samba uses as an AD DC (the one 
in the samba binary) is not able to read any posix information from AD 
other than the uidNumber and gidNumber.
> under other scientific linux 6.4 workstation (comes with samba 3.6.9. I also
> tried 3.6.13.):
> the global section of smb.conf below:
>     workgroup = DOM
>     password server = DC.AD.DOM.COM.TW
>     realm = AD.DOM.COM.TW
>     security = ads
>     idmap config *:backend = tdb
>     idmap config *:range = 2001-3000
>     idmap config DOM:backend = ad
>     idmap config DOM:default = yes
>     idmap config DOM:range = 1000-2000
>     idmap config DOM:schema_mode = rfc2307
>     winbind nss info = rfc2307
>     winbind enum users = yes
>     winbind enum groups = yes
>     winbind use default domain = yes
>    situation below:
>    1. uid, shell, home are correct from rfc2307. but gid is not. and "getent
> group" never works.
>    2. the gid comes from domain account's "primary group". so to make my
> linux client work, I need to set a special domain group, set the group's
> rfc2307 guid number(I set it to number 1000). and change every user's
> primary group from "domain users" to the special domain group, then I can
> get the correct "getent passwd".
>    I search sambawiki and email-list, there is very little information about
> rfc2307 (but many questions and confusion without reply in the email
> list). so I post my experience here. and I wonder the strange behavior is
> bug or feature. I wonder what is the original design idea to use rfc2307
> under samba 4 domain?
>   thanks for advice.
I have read complaints like this many times; it seems that some 
distributions/releases bundle a version of samba that has some bugs. A 
similar setup (just the ranges are different) works for me using ubuntu 


Geza Gemes
> Regards,
> tbskyd
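The member-server configuration quoted above depends on three things fitting together: the `*` and `DOM` idmap ranges must not overlap, the `ad` backend needs `schema_mode = rfc2307`, and `winbind nss info = rfc2307` is what makes shell and home come from AD instead of the templates. The following is an added sanity check, not code from the thread or from the Samba project; it parses the `[global]` section of an smb.conf and reports those inconsistencies. The sample configuration is constructed from the post's own lines, and `testparm` remains the authoritative syntax check.

```python
import re

# Constructed sample: the idmap lines from the member-server [global] section in the post above.
SAMPLE_SMB_CONF = """
[global]
    idmap config *:backend = tdb
    idmap config *:range = 2001-3000
    idmap config DOM:backend = ad
    idmap config DOM:schema_mode = rfc2307
    idmap config DOM:range = 1000-2000
    winbind nss info = rfc2307
"""

def parse_global(text):
    """Return the [global] key/value pairs; keys lower-cased (smb.conf keys are case-insensitive)."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip().lower()] = value.strip()
    return params

def lint_idmap(params):
    """Return a list of problems; an empty list means the idmap settings look consistent."""
    problems, ranges = [], []
    for key, value in params.items():
        m = re.fullmatch(r"idmap config (\S+):range", key)
        if m:
            low, high = (int(x) for x in value.split("-", 1))
            ranges.append((m.group(1), low, high))
    for i, (d1, lo1, hi1) in enumerate(ranges):
        for d2, lo2, hi2 in ranges[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:  # overlapping idmap ranges are a classic misconfiguration
                problems.append(f"{d1} and {d2}: idmap ranges overlap")
    for key, value in params.items():
        m = re.fullmatch(r"idmap config (\S+):backend", key)
        if m and value.lower() == "ad":
            dom = m.group(1)
            if params.get(f"idmap config {dom}:schema_mode", "").lower() != "rfc2307":
                problems.append(f"{dom}: backend ad without schema_mode = rfc2307")
            if params.get("winbind nss info", "").lower() != "rfc2307":
                problems.append("winbind nss info is not rfc2307; shell/home will come from templates")
    return problems
```

Running `lint_idmap(parse_global(open("/etc/samba/smb.conf").read()))` on a real member server returns an empty list when the three conditions hold.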
