[Samba] Winbind backend = ldap pull uid-number and gid-number ldap values ?
Werthmuller, Derek
dwerthmu at ctg.albany.edu
Wed Dec 4 12:02:17 MST 2013
Got part of it working, seems the gidnumber is not being pulled properly through. Here is the member server smb.conf
Note idmap config DOM : range = 500 - 2000 is the number space where all my uidnumbers and gidnumbers are.
Currently a getent passwd retrieves the list of users and displays the proper uid, but the gidnumber is in the outer range.
Username:*:500:100::/exports/users/%U:/bin/bash <- this is not correct group # - it should be 500
I wonder if I need to clear a winbind cache? Is net cache flush the correct way to do this on the member server?
An ldapsearch of the ad directory to verify that the proper uid and gid are stored for that user reveals that they are.
...
uidNumber: 500
gidNumber: 500
loginShell: /bin/bash
objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: user
...
Smb.conf
[global]
workgroup = DOM
realm = DOM.EXAMPLE.COM
server string = Samba Server Version %v
security = ADS
log file = /var/log/samba/log.%m
max log size = 50
template homedir = /exports/users/%U
template shell = /bin/bash
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
idmap_ldb : use rfc2307 = yes
idmap config DOM : range = 500 - 2000 # range winbind has authority over to set.
idmap config DOM : backend = ad
idmap config * : range = 1000000-1999999 # range for entries if winbind can't find proper #
idmap config * : backend = tdb
cups options = raw
Thanks
Derek
-----Original Message-----
From: Rowland Penny [mailto:rowlandpenny at googlemail.com]
Sent: Tuesday, December 03, 2013 4:30 PM
To: Werthmuller, Derek; samba at lists.samba.org
Subject: Re: [Samba] Winbind backend = ldap pull uid-number and gid-number ldap values ?
On 03/12/13 21:07, Werthmuller, Derek wrote:
> If I use sudo samba-tool user add <username> --uid-number=5000 and manually add the gid-number via ldapadd to the Samba AD, does the winbind backend=ldap make use of those values? Or does it just use LDAP to retrieve the sAMAccountName and primaryGroupID ?
>
>
> Thanks
> Derek
>
> Derek Werthmuller
> Director of Technology Innovation and Services Center for Technology
> in Government
> 518.442.3892
> www.ctg.albany.edu
>
>
Hi, you can use samba-tool to add the gidNumber in the same way as adding the uidNumber, but I think that you are mixing up gidNumber and primaryGroupID, they are separate things. gidNumber being the user's Linux group and primaryGroupID being the user's primary Windows group.
Winbind can be set up to extract the values that you require, but the backend would be ADS i.e.
idmap config WORKGROUP:backend = ad
I think it might help if you posted what version of samba 4 you are using, what version of samba you want to connect to the AD and the relevant conf files you think you should be using, then we can try to get you up and running.
Rowland
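Added example, not part of the original messages: the manual comparison described in this thread (getent passwd output against the uidNumber/gidNumber stored in AD and the idmap range in smb.conf) written as a small Python check. The sample inputs are constructed from the values quoted above, the function names are hypothetical, and the range parsing is this example's own, not Samba's parser.

```python
import re

# Constructed sample inputs, built from the values quoted in the thread.
SMB_CONF = """\
[global]
idmap config DOM : range = 500 - 2000
idmap config * : range = 1000000-1999999
"""
LDIF = """\
uidNumber: 500
gidNumber: 500
"""
GETENT = "Username:*:500:100::/exports/users/%U:/bin/bash"

def idmap_ranges(conf):
    """Return {domain: (low, high)} from 'idmap config <dom> : range' lines."""
    ranges = {}
    pat = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I)
    for line in conf.splitlines():
        m = pat.match(line)
        if m:
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges

def ldif_attrs(ldif):
    """Parse simple 'attr: value' LDIF lines (no base64 or folded lines)."""
    attrs = {}
    for line in ldif.splitlines():
        name, sep, value = line.partition(": ")
        if sep:
            attrs[name] = value
    return attrs

def check_mapping(getent_line, ldif, conf, domain):
    """Compare what the member server resolves with what the directory stores."""
    uid, gid = getent_line.split(":")[2:4]
    resolved = {"uidNumber": int(uid), "gidNumber": int(gid)}
    stored = ldif_attrs(ldif)
    low, high = idmap_ranges(conf)[domain]
    findings = []
    for attr, got in resolved.items():
        want = int(stored[attr])
        if got != want:
            findings.append(f"{attr}: resolved {got}, directory has {want}")
        if not low <= got <= high:
            findings.append(f"{attr}: {got} outside {domain} range {low}-{high}")
    return findings

if __name__ == "__main__":
    print("\n".join(check_mapping(GETENT, LDIF, SMB_CONF, "DOM")))
```

An empty result means the member server resolves the same IDs the directory stores and both fall inside the domain's idmap range.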