[Samba] winbind against samba4 AD DC

Ali Bendriss ali.bendriss at gmail.com
Thu Feb 21 08:03:53 MST 2013


Could you please give me some details about the current state of winbind
support on a member server? I have tried to list what I understand about it.
(I suppose that the libnss_winbind symlinks are correct in /lib and/or lib64.)

* samba4 join as member
join: samba-tool domain join <dnsdomain> MEMBER

smb.conf should contain: idmap_ldb:use rfc2307 = yes
the AD DC doesn't need to be provisioned with the option "--use-rfc2307"
then the member should be able to read uidNumber gidNumber from the directory.

* smbd + winbindd 
samba4: compile with --with-shared-modules=...,idmap_ad 
samba3: compile with --with-shared-modules=...,idmap_ad,--with-ads

join: net ads join
smb.conf should contain (from the wiki):

   idmap config *:backend = tdb
   idmap config *:range = 70001-80000
   idmap config SHORTDOMAINNAME:backend = ad
   idmap config SHORTDOMAINNAME:schema_mode = rfc2307
   idmap config SHORTDOMAINNAME:range = 500-40000

But the AD has to be provisioned with "--use-rfc2307".
You should then add the objectclass: posixAccount in the AD samdb for each
user and posixGroup for the group.

Is it mandatory to have provisioned the AD with "--use-rfc2307"?

Mac OS X clients seem to be OK without it; they can read the uid/gid Number,
but Linux clients using smbd/winbindd cannot.
If yes, what is the best way to add rfc2307 support to an already provisioned
AD? Will applying ypServ30.ldif be good enough?


