[Samba] Using samba4 with AD and rfc2307 - what are the *current* practices?

Michael Brown michael at netdirect.ca
Wed Dec 11 15:04:07 MST 2013

I would like to get samba4 working with AD and rfc2307 attributes, while 
allowing the nice remote management available via samba4.

Using sernet-samba packages on 4.1.3-7.el6.x86_64 CentOS 6.

I have samba4 configured as follows:
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

smb.conf was partially generated by authconfig and is:

# Generated by authconfig on 2013/12/11 13:33:41
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future

workgroup = MAIN
security = ads
idmap config * : range = 16777216-33554431
winbind use default domain = true
winbind offline logon = true

winbind enum users = yes
winbind enum groups = yes
idmap config MAIN:backend = ad
idmap config MAIN:schema_mode = rfc2307
idmap config MAIN:range = 10000-100000
winbind nss info = rfc2307
#template shell =
#template homedir =

path = /var/stuff
read only = No

For reference, I also mention my RODC configured with:
# Global parameters
workgroup = MAIN
realm = main.adlab.netdirect.ca
netbios name = SLES-BREE
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate

path = /var/lib/samba/sysvol/main.adlab.netdirect.ca/scripts
read only = No

path = /var/lib/samba/sysvol
read only = No

I have a couple of problems:

1. with winbind set up like so, Administrator can no longer administer 
the server (manage share permissions, printers, etc) like he can without.
* more specifically, on my RODC box I can set up a share and browse to 
it as an admin (or someone with the appropriate privilege) and manage 
the permissions.
* with winbind configured, I don't have a uidNumber assigned to 
Administrator and thus he can't log in to the server
* if I assign Administrator a uid, he can then log in, but cannot 
administer the shares
* what is the correct thing to do here to get the seamless remote 
administration and winbind both working?

2. on the same server, I'm getting some extraneous group information:
[admin at files ~]$ id michael
uid=50000(michael) gid=10000(domain users) groups=10000(domain users),10001(delegated shire administrators),16777222(BUILTIN\users)
[admin at files ~]$ getent passwd michael

Not a huge deal, but would it make sense to map the well-known BUILTIN 
accounts somewhere consistent?
idmap config BUILTIN : backend = rid
idmap config BUILTIN : range = 9000-9999

3. non-NIS groups are not filtered
[admin at files ~]$ wbinfo -r sohnro
[admin at files ~]$ id sohnro
uid=50015(sohnro) gid=10000(domain users) groups=10000(domain 
[admin at files ~]$ getent passwd sohnro

Winbind is reporting AD groups that do not have a gidNumber as -1 - 
shouldn't these just be filtered out from the group membership list 
reported back to Linux?


Michael Brown               | `One of the main causes of the fall of
Systems Consultant          | the Roman Empire was that, lacking zero,
Net Direct Inc.             | they had no way to indicate successful
☎: +1 519 883 1172 x5106    | termination of their C programs.' - Firth
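Added example (not part of the post above): the BUILTIN question in point 2 comes down to carving out an idmap range that does not collide with the ones already in use, and winbind refuses overlapping ranges. The script below extracts every "idmap config DOMAIN : range = LOW-HIGH" line from smb.conf text on stdin and reports any pair that overlaps. The two configurations embedded in it are constructed for the example: one mirrors the ranges quoted in the post (default 16777216-33554431, MAIN 10000-100000, proposed BUILTIN 9000-9999), the other widens BUILTIN so that it runs into MAIN.

```shell
#!/bin/sh
# Extract idmap ranges from smb.conf text on stdin.
# Prints one "DOMAIN LOW HIGH" line per "idmap config DOMAIN : range = LOW-HIGH",
# accepting both "idmap config * : range" and "idmap config MAIN:range" spellings.
idmap_ranges() {
    sed -n 's/^[[:space:]]*idmap config[[:space:]]*\([^:[:space:]]*\)[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*\([0-9]*\)[[:space:]]*-[[:space:]]*\([0-9]*\).*$/\1 \2 \3/p'
}

# Read smb.conf text on stdin; exit 0 if no two idmap ranges overlap,
# exit 1 (and print the offending pairs) otherwise.
check_idmap_overlap() {
    idmap_ranges | awk '
        { name[NR] = $1; lo[NR] = $2; hi[NR] = $3 }
        END {
            bad = 0
            for (i = 1; i <= NR; i++)
                for (j = i + 1; j <= NR; j++)
                    # two closed intervals overlap iff each starts before the other ends
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        printf "overlap: %s %d-%d vs %s %d-%d\n", \
                               name[i], lo[i], hi[i], name[j], lo[j], hi[j]
                        bad = 1
                    }
            exit bad
        }'
}

# Constructed sample: the ranges quoted in the post plus the proposed BUILTIN range.
GOOD_CONF=$(cat <<'EOF'
[global]
   workgroup = MAIN
   security = ads
   idmap config * : backend = tdb
   idmap config * : range = 16777216-33554431
   idmap config MAIN:backend = ad
   idmap config MAIN:schema_mode = rfc2307
   idmap config MAIN:range = 10000-100000
   idmap config BUILTIN : backend = rid
   idmap config BUILTIN : range = 9000-9999
EOF
)

# Constructed sample: BUILTIN widened so that it collides with MAIN.
BAD_CONF=$(cat <<'EOF'
[global]
   idmap config * : backend = tdb
   idmap config * : range = 16777216-33554431
   idmap config MAIN:backend = ad
   idmap config MAIN:range = 10000-100000
   idmap config BUILTIN : backend = rid
   idmap config BUILTIN : range = 9000-10999
EOF
)

# Stand-alone usage: check both samples and report.
if printf '%s\n' "$GOOD_CONF" | check_idmap_overlap; then
    echo "good config: idmap ranges do not overlap"
fi
if printf '%s\n' "$BAD_CONF" | check_idmap_overlap; then
    echo "bad config: unexpectedly clean"
else
    echo "bad config: overlapping idmap ranges detected"
fi
```

On a live server feed it the normalized configuration rather than the raw file, e.g. `testparm -s 2>/dev/null | check_idmap_overlap`, so that whitespace and case variations in the keys are already canonicalized by Samba itself. The check is only about range layout; it says nothing about whether the rid backend is the right choice for BUILTIN, only that the range chosen for it will not be rejected for colliding with the default or the MAIN range.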
