[Samba] AD uid/gid attributes
mray at xes-inc.com
Thu Feb 7 14:49:01 MST 2013
Here is the solution that worked for me, on the off chance another poor soul has trouble figuring this all out:
(That is assuming that you were in my boat, i.e. user authentication but UID/GID were not mapped)
# Domain membership: join under this NetBIOS name and authenticate against AD (Kerberos)
netbios name = <name_to_join_AD_with>
realm = DOMAIN_FQDN
workgroup = DOMAIN
preferred master = no
security = ADS
encrypt passwords = yes
# Logging (one file per connecting machine)
log level = 3
log file = /var/log/samba/%m
max log size = 50
# winbind enumeration and naming
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nested groups = Yes
# Default idmap domain "*": local tdb allocation for anything not matched by a named domain
idmap config * : range = 2000 - 3000
idmap config * : backend = tdb
# The AD domain: read uidNumber/gidNumber from the RFC2307 attributes in AD instead of allocating locally
idmap config DOMAIN : schema_mode = rfc2307
idmap config DOMAIN : backend = ad
idmap config DOMAIN : range = 500 - 1000
idmap config DOMAIN : readonly = yes
idmap config DOMAIN : default = yes
# Shell and home directory: taken from the RFC2307 attributes (loginShell/unixHomeDirectory) in AD
template shell = /bin/bash
winbind nss info = rfc2307
A couple of notes of possible interest:
idmap config * : backend = tdb -- is actually the default value so you do not *have* to specify it
idmap config * : range = x - y -- this inclusive range *must* be explicitly declared as something and will break getent passwd for domain users if not declared. I'd be surprised if there weren't a possibility of an issue if you have multiple domains and this range mirrors the range for the domain, but in my case, with only 1 domain, I haven't seen an issue.
idmap config DOMAIN : range = a - b -- this is the inclusive range winbind is an authority for (i.e. for the above example, a user with uidNumber 1001 would not show up in getent passwd)
Of course, for this to work, you must also have /etc/nsswitch.conf configured for winbind and /etc/krb5.conf configured for your domain.
----- Original Message -----
From: "Michael Ray" <mray at xes-inc.com>
To: samba at lists.samba.org
Sent: Wednesday, February 6, 2013 2:06:43 PM
Subject: [Samba] AD uid/gid attributes
I know this kind of post has come up before, but I was unable to get results following previous postings, so if anyone can shed a little light on this, I'd be very grateful:
The gist of the situation is this:
PDC: Samba4 [4.1.0pre1-GIT-394622e]
Member: Samba3 (being used as a file share server) [3.6.3-2ubuntu2.3]
The Samba3 machine is joined to the domain and authenticates domain users successfully for both ssh and local logins via winbind/nss/pam.
However, the UID/GID attribute, although expressed in AD, is not the same.
On the Samba4 machine itself I can use "getent" and verify the proper uid/gid.
As I understand it though, when Samba3 queries AD for information, by default it's just authenticating user / password. It then makes a local UID/GID based on the range and backend specified in smb.conf.
I saw one post talking about using LDAP to query UID/GID information from AD instead of a local idmap, but was unable to get it to work.
I don't really want to add more overhead (i.e. LDAP) to this process if it can be avoided but will look at it again if there is no other way.
Here is a pastebin of the smb.conf on the samba3 server: http://pastebin.com/GrwUDCJ2
So to anyone who can point me in the right direction / let me know what worked for them, again, I'd be grateful.
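As an added example (not part of the original post, and not Samba's own code), the Python below parses the idmap lines from the posted smb.conf and applies the rules the notes describe: the "*" range must be declared, each range is inclusive, and a uidNumber outside the domain's range is simply not mapped (so 1001 is rejected with range 500-1000, while 1000 is accepted). It also performs one check the thread does not mention: it reports any local account whose uid falls inside a domain range, because a domain user and a local account sharing a uid share file ownership. The smb.conf lines in SAMPLE_SMB_CONF are copied from the post; the passwd excerpt, the account names svc-scanner and localadmin, and all function names are constructed for this example.

```python
"""Sanity-check winbind idmap ranges in an smb.conf fragment (added example)."""
import re
from typing import Dict, Iterable, List, Tuple

# Matches e.g. "idmap config DOMAIN : range = 500 - 1000" (case-insensitive).
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+([^\s:]+)\s*:\s*(\w+)\s*=\s*(.*?)\s*$", re.I)
RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")

# idmap/winbind lines as posted; the parser ignores every other smb.conf line.
SAMPLE_SMB_CONF = """\
[global]
   security = ADS
   winbind nss info = rfc2307
   idmap config * : range = 2000 - 3000
   idmap config * : backend = tdb
   idmap config DOMAIN : schema_mode = rfc2307
   idmap config DOMAIN : backend = ad
   idmap config DOMAIN : range = 500 - 1000
   idmap config DOMAIN : readonly = yes
"""

# Constructed /etc/passwd excerpt (not from the post); Debian/Ubuntu keep
# system accounts below 1000 and start human users at 1000.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
svc-scanner:x:600:600:local service account:/var/lib/scanner:/usr/sbin/nologin
localadmin:x:1000:1000:Local Admin:/home/localadmin:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Return {domain: {option: value}} for every 'idmap config' line."""
    cfg: Dict[str, Dict[str, str]] = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # smb.conf comment lines
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.groups()
            cfg.setdefault(dom.upper(), {})[key.lower()] = val
    return cfg


def parse_range(text: str) -> Tuple[int, int]:
    """'500 - 1000' -> (500, 1000); both ends are inclusive, as in winbind."""
    m = RANGE_RE.match(text.strip())
    if not m:
        raise ValueError(f"malformed idmap range {text!r}")
    lo, hi = int(m.group(1)), int(m.group(2))
    if lo > hi:
        raise ValueError(f"idmap range {text!r} has low > high")
    return lo, hi


def local_uids(passwd_text: str) -> set:
    """Collect the uid field from passwd(5)-formatted lines."""
    return {int(l.split(":")[2]) for l in passwd_text.splitlines() if l.count(":") >= 6}


def in_range(cfg: Dict[str, Dict[str, str]], domain: str, uid_number: int) -> bool:
    """Would winbind map this uidNumber for `domain`? (inclusive range check)"""
    lo, hi = parse_range(cfg[domain.upper()]["range"])
    return lo <= uid_number <= hi


def check_idmap(cfg: Dict[str, Dict[str, str]], local: Iterable[int] = ()) -> List[str]:
    """Return a list of problems; an empty list means the idmap config passes."""
    problems: List[str] = []
    if "range" not in cfg.get("*", {}):
        problems.append("'idmap config * : range' is not declared "
                        "(getent passwd will not list domain users)")
    ranges: Dict[str, Tuple[int, int]] = {}
    for dom, opts in cfg.items():
        if "range" not in opts:
            if dom != "*":
                problems.append(f"{dom}: backend {opts.get('backend', '?')} has no range")
            continue
        try:
            ranges[dom] = parse_range(opts["range"])
        except ValueError as exc:
            problems.append(f"{dom}: {exc}")
    doms = sorted(ranges)
    for i, a in enumerate(doms):  # pairwise overlap between declared ranges
        for b in doms[i + 1:]:
            (a_lo, a_hi), (b_lo, b_hi) = ranges[a], ranges[b]
            if a_lo <= b_hi and b_lo <= a_hi:
                problems.append(f"ranges for {a} ({a_lo}-{a_hi}) and {b} ({b_lo}-{b_hi}) overlap")
    local = set(local)
    for dom, (lo, hi) in ranges.items():  # uid collisions with local accounts
        clash = sorted(u for u in local if lo <= u <= hi)
        if clash:
            problems.append(f"{dom} range {lo}-{hi} collides with local uids {clash}")
    return problems


if __name__ == "__main__":
    cfg = parse_idmap(SAMPLE_SMB_CONF)
    for uid in (499, 500, 1000, 1001):
        print(f"DOMAIN uidNumber {uid}: mapped={in_range(cfg, 'DOMAIN', uid)}")
    for p in check_idmap(cfg, local_uids(SAMPLE_PASSWD)):
        print("WARNING:", p)
```

Run it against the posted ranges and the constructed passwd excerpt and it accepts 500 and 1000 for DOMAIN, rejects 499 and 1001, finds no overlap between 2000-3000 and 500-1000, and warns that the local accounts at uid 600 and 1000 sit inside the DOMAIN range. Deleting the "*" range line reproduces the failure the note describes; moving the DOMAIN range to 2500-3500 triggers the overlap warning.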