[Samba] winbind against samba4 AD DC
Ali Bendriss
ali.bendriss at gmail.com
Thu Feb 21 08:44:40 MST 2013
On Thursday, February 21, 2013 04:03:53 PM Ali Bendriss wrote:
> Hello,
>
> Could you please give me some details about the current state of the
> winbind support on a member server. I have tried to list what I understand
> about it. (I suppose that the libnss_winbind symlinks are correct in /lib
> and/or lib64.)
>
> * samba4 join as member
> join: samba-tool domain join <dnsdomain> MEMBER
>
> smb.conf should contain: idmap_ldb:use rfc2307 = yes
> the AD DC doesn't need to be provisioned with the option "--use-rfc2307"
> then the member should be able to read uidNumber gidNumber from the
> directory.
>
> * smbd + winbindd
> samba4: compile with --with-shared-modules=...,idmap_ad
> samba3: compile with --with-shared-modules=...,idmap_ad --with-ads
>
> join: net ads join
> smb.conf should contain (from the wiki):
>
> idmap config *:backend = tdb
> idmap config *:range = 70001-80000
> idmap config SHORTDOMAINNAME:backend = ad
> idmap config SHORTDOMAINNAME:schema_mode = rfc2307
> idmap config SHORTDOMAINNAME:range = 500-40000
> But the AD has to be provisioned with "--use-rfc2307".
> You then should add the objectClass posixAccount in the AD samdb for each
> user and posixGroup for each group.
>
>
> Is it mandatory to have provisioned the AD with "--use-rfc2307"?
>
> Mac OS X clients seem to be OK without it; they can read uid/gid Number,
> but not Linux clients using smbd/winbindd.
> If yes, what is the best way to add rfc2307 support to an already provisioned
> AD? Will applying ypServ30.ldif be good enough?
>
I reply to myself after some more testing using winbindd against a Samba AD DC.
It looks like there is no need to provision the AD with --use-rfc2307.
The wiki page
https://wiki.samba.org/index.php/Samba4/Domain_Member#Make_domain_users.2Fgroups_available_locally_through_winbind
is correct, but it should emphasize that the primary group of the users must
have the gid set.
Then everything works out of the box, without the need to add the
objectClass posixAccount and posixGroup as well.
> Thanks
>
> Ali
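As an added illustration that is not part of this thread, a small Python checker over a constructed smb.conf fragment and constructed directory entries: it parses the idmap config lines quoted above, verifies that the ad backend uses schema_mode rfc2307 and that the ranges do not overlap, and flags the two things that stop winbind from resolving a user on the member server: a uidNumber outside the domain range and a primary group with no gidNumber. The domain name SAMDOM, the users, and the groups are assumed sample values.

```python
import re
from itertools import combinations

# Constructed smb.conf fragment in the layout the mail quotes from the wiki.
SMB_CONF = """[global]
   security = ads
   idmap config *:backend = tdb
   idmap config *:range = 70001-80000
   idmap config SAMDOM:backend = ad
   idmap config SAMDOM:schema_mode = rfc2307
   idmap config SAMDOM:range = 500-40000
"""
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.M)

# Constructed directory entries, i.e. what winbind reads back from the AD DC.
USERS = [{"name": "alice", "uidNumber": 10001, "primaryGroupID": 513},
         {"name": "bob", "uidNumber": 10002, "primaryGroupID": 1105},
         {"name": "carol", "uidNumber": 90000, "primaryGroupID": 513}]
GROUPS = {513: {"gidNumber": 10000}, 1105: {}}  # RID 1105 has no gidNumber

def parse_idmap(conf):
    """Return {domain: {key: value}} for every 'idmap config' line."""
    cfg = {}
    for dom, key, val in IDMAP_RE.findall(conf):
        cfg.setdefault(dom, {})[key] = val
    return cfg
def parse_range(text):
    lo, hi = (int(x) for x in text.split("-"))
    return lo, hi
def check_idmap(cfg):
    """Config problems: ad backend without rfc2307, or overlapping ranges."""
    problems, ranges = [], {}
    for dom, keys in cfg.items():
        if keys.get("backend") == "ad" and keys.get("schema_mode") != "rfc2307":
            problems.append(f"{dom}: idmap_ad needs schema_mode = rfc2307")
        ranges[dom] = parse_range(keys["range"])  # winbind requires a range per domain
    for a, b in combinations(sorted(ranges), 2):
        if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
            problems.append(f"ranges of {a} and {b} overlap")
    return problems

def check_users(cfg, domain, users=USERS, groups=GROUPS):
    """Users idmap_ad will not resolve: uid outside range, or primary group lacking an in-range gidNumber."""
    lo, hi = parse_range(cfg[domain]["range"])
    problems = []
    for u in users:
        if not lo <= u["uidNumber"] <= hi:
            problems.append(f"{u['name']}: uidNumber {u['uidNumber']} outside {lo}-{hi}")
        gid = groups.get(u["primaryGroupID"], {}).get("gidNumber")
        if gid is None or not lo <= gid <= hi:
            problems.append(f"{u['name']}: primary group {u['primaryGroupID']} has no gidNumber in {lo}-{hi}")
    return problems
```

Run against a real member server, the same checks apply to `testparm -s` output and to `ldbsearch`/`wbinfo` results instead of the constructed entries.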