[Samba] Using samba4 with AD and rfc2307 - what are the *current* practices?

Michael Brown michael at netdirect.ca
Wed Dec 11 15:04:07 MST 2013


I would like to get samba4 working with AD and rfc2307 attributes, while 
allowing the nice remote management available via samba4.

Using sernet-samba packages on 4.1.3-7.el6.x86_64 CentOS 6.

I have samba4 configured as follows:
krb5.conf:
[libdefaults]
default_realm = MAIN.ADLAB.NETDIRECT.CA
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

smb.conf was partially generated by authconfig and is:
[global]
#--authconfig--start-line--

# Generated by authconfig on 2013/12/11 13:33:41
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future

workgroup = MAIN
realm = MAIN.ADLAB.NETDIRECT.CA
security = ads
idmap config * : range = 16777216-33554431
winbind use default domain = true
winbind offline logon = true

#--authconfig--end-line--
winbind enum users = yes
winbind enum groups = yes
idmap config MAIN:backend = ad
idmap config MAIN:schema_mode = rfc2307
idmap config MAIN:range = 10000-100000
winbind nss info = rfc2307
#template shell =
#template homedir =

[stuff]
path = /var/stuff
read only = No

For reference, I also mention my RODC configured with:
# Global parameters
[global]
workgroup = MAIN
realm = main.adlab.netdirect.ca
netbios name = SLES-BREE
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate

[netlogon]
path = /var/lib/samba/sysvol/main.adlab.netdirect.ca/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No


I have a couple of problems:

1. with winbind set up like so, Administrator can no longer administer 
the server (manage share permissions, printers, etc) like he can without.
* more specifically, on my RODC box I can set up a share and browse to 
it as an admin (or someone with the appropriate privilege) and manage 
the permissions.
* with winbind configured, I don't have a uidNumber assigned to 
Administrator and thus he can't login to the server
* if I assign Administrator a uid, he can then login. But cannot 
administer the shares
* what is the correct thing to do here to get the seamless remote 
administration and winbind both working?

2. on the same server, I'm getting some extraneous group information:
[admin at files ~]$ id michael
uid=50000(michael) gid=10000(domain users) groups=10000(domain users),10001(delegated shire administrators),16777222(BUILTIN\users)
[admin at files ~]$ getent passwd michael
michael:*:50000:10000::/home/michael:/bin/bash

Not a huge deal, but would it make sense to map the well-known BUILTIN 
accounts somewhere consistent?
idmap config BUILTIN : backend = rid
idmap config BUILTIN : range = 9000-9999

3. non-NIS groups are not filtered
[admin at files ~]$ wbinfo -r sohnro
10000
-1
-1
16777222
[admin at files ~]$ id sohnro
uid=50015(sohnro) gid=10000(domain users) groups=10000(domain users),4294967295,4294967295,16777222(BUILTIN\users)
[admin at files ~]$ getent passwd sohnro
sohnro:*:50015:10000:SohnRo:/home/SohnRo:/bin/sh

Winbind is reporting AD groups that do not have a gidNumber as -1 - 
shouldn't these just be filtered out from the group membership list 
reported back to Linux?

M.

-- 
Michael Brown               | `One of the main causes of the fall of
Systems Consultant          | the Roman Empire was that, lacking zero,
Net Direct Inc.             | they had no way to indicate successful
☎: +1 519 883 1172 x5106    | termination of their C programs.' - Firth
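The three problems in the post all come down to which idmap range (if any) a given uid/gid fell out of: 50000 sits in the MAIN rfc2307 range, 16777222 in the authconfig default `*` range, and 4294967295 is (gid_t)-1, the value winbind returns for a SID it could not map (the `-1` in `wbinfo -r`). The script below is an added example, not code from the post or from the Samba project. It parses the `idmap config <domain> : range` lines from an smb.conf (a constructed copy of the post's settings plus the proposed BUILTIN lines), checks that no two ranges overlap, which is a misconfiguration winbind will not accept, and classifies each id in an `id` output line by the range it came from. The helper names (`parse_idmap_ranges`, `find_overlaps`, `classify_id`, `explain_id_line`) and the sample inputs are this example's own assumptions.

```python
"""Check winbind idmap ranges and explain where the ids seen in `id` came from.

Added example for the thread above; not code from the post or from Samba.
"""
import re

# winbind hands back (uid_t)-1 / (gid_t)-1 for a SID it cannot map. `id`
# prints that as 4294967295 and `wbinfo -r` prints it as -1.
UNMAPPED = 0xFFFFFFFF

# Constructed smb.conf: the authconfig default range, the rfc2307 MAIN
# range and the BUILTIN rid range proposed in the post.
SMB_CONF = """\
[global]
workgroup = MAIN
realm = MAIN.ADLAB.NETDIRECT.CA
security = ads
idmap config * : range = 16777216-33554431
idmap config MAIN:backend = ad
idmap config MAIN:schema_mode = rfc2307
idmap config MAIN:range = 10000-100000
idmap config BUILTIN : backend = rid
idmap config BUILTIN : range = 9000-9999
winbind nss info = rfc2307
"""

# The `id sohnro` line from the post (two groups without a gidNumber).
ID_SOHNRO = ("uid=50015(sohnro) gid=10000(domain users) groups=10000(domain users),"
             "4294967295,4294967295,16777222(BUILTIN\\users)")

# Accepts both "MAIN:range" and "* : range" spellings of the key.
_RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^:]+?)\s*:\s*range\s*=\s*"
    r"(?P<lo>\d+)\s*-\s*(?P<hi>\d+)\s*$", re.IGNORECASE)

# uid=N(name) gid=N(name with spaces) groups=N(name),N,...
_ID_LINE_RE = re.compile(r"uid=(\d+)\S*\s+gid=(\d+).*?\s+groups=(.*)$")


def parse_idmap_ranges(conf):
    """Return {domain: (low, high)} for every 'idmap config X : range' line."""
    ranges = {}
    for line in conf.splitlines():
        m = _RANGE_RE.match(line)
        if not m:
            continue
        lo, hi = int(m.group("lo")), int(m.group("hi"))
        if lo > hi:
            raise ValueError("inverted range for %s: %d-%d" % (m.group("dom"), lo, hi))
        ranges[m.group("dom").strip()] = (lo, hi)
    return ranges


def find_overlaps(ranges):
    """Return sorted (domain_a, domain_b) pairs whose ranges intersect."""
    names = sorted(ranges)
    overlaps = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            a_lo, a_hi = ranges[a]
            b_lo, b_hi = ranges[b]
            if a_lo <= b_hi and b_lo <= a_hi:
                overlaps.append((a, b))
    return overlaps


def classify_id(n, ranges):
    """Name the idmap domain an id falls in; 'unmapped' for (id_t)-1."""
    if n == UNMAPPED:
        return "unmapped"
    for dom, (lo, hi) in ranges.items():
        if lo <= n <= hi:
            return dom
    return "outside all idmap ranges"


def parse_id_output(line):
    """Split one line of `id` output into numeric uid, gid and group list."""
    m = _ID_LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not an `id` line: %r" % line)
    groups = [int(g) for g in re.findall(r"(?:^|,)(\d+)", m.group(3))]
    return {"uid": int(m.group(1)), "gid": int(m.group(2)), "groups": groups}


def explain_id_line(line, ranges):
    """Classify every id in an `id` line against the configured ranges."""
    ids = parse_id_output(line)
    return {"uid": classify_id(ids["uid"], ranges),
            "gid": classify_id(ids["gid"], ranges),
            "groups": [classify_id(g, ranges) for g in ids["groups"]]}


if __name__ == "__main__":
    ranges = parse_idmap_ranges(SMB_CONF)
    for dom, (lo, hi) in sorted(ranges.items()):
        print("%-8s %d-%d" % (dom, lo, hi))
    print("overlaps:", find_overlaps(ranges) or "none")
    print("sohnro:", explain_id_line(ID_SOHNRO, ranges))
```

Run it against a real box by pasting the `[global]` section into `SMB_CONF` and the output of `id <user>` into `ID_SOHNRO`: any group reported as `unmapped` is a SID the rfc2307 backend found no gidNumber for, and any id reported as `*` came from the default backend rather than from AD, which is exactly the BUILTIN\users case in the post. Widening the proposed BUILTIN range into 10000 and above makes `find_overlaps` report the clash with MAIN.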