[Samba] Security = ADS and uidnumbers

Jonathan Buzzard jonathan at buzzard.me.uk
Wed Jun 5 07:23:42 MDT 2013

On Wed, 2013-06-05 at 13:30 +0100, Rowland Penny wrote:
> Hi, I gave up on winbind, it is just too complicated and most, if not all,
> of the webpages I found via google are incomplete or just downright wrong.

It's actually dead simple, and these days the manual page is actually
accurate. Really if you cannot get it working you cannot read.

Now assuming that the BECAUSE domain actually has the uidNumber field
populated a working configuration would be (this was taken from a
working configuration and modified to change the domain).

	# deal with NSS and the whole UID/SID id mapping stuff
	idmap config * : backend = tdb
	idmap config * : range = 2000000 - 2999999
	idmap config BECAUSE : backend = ad
	idmap config BECAUSE : schema_mode = rfc2307
	idmap config BECAUSE : readonly = yes
	idmap config BECAUSE : range = 500 - 1999999
	idmap cache time = 604800
	idmap negative cache time = 20
	winbind cache time = 600
	winbind nss info = rfc2307
	winbind expand groups = 2
	winbind nested groups = yes
	winbind use default domain = yes
	winbind enum users = yes
	winbind enum groups = yes
	winbind refresh tickets = yes
	winbind offline logon = false

Noting of course that you must have a valid join to the domain, that
winbind is running, that nscd is *NOT* running and that you have an
appropriate /etc/nsswitch.conf.

You might also have badly messed up tdb files from previous experiments.
I would recommend nuking them from orbit and starting afresh.


Jonathan A. Buzzard                 Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
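The preconditions listed in the message (valid join, winbind running, nscd not running, a usable /etc/nsswitch.conf) plus the mistake this kind of configuration is most prone to, overlapping idmap ranges, as an added shell example; it is not code from the post or from the Samba project. The domain name BECAUSE comes from the post, the smb.conf and nsswitch.conf samples are constructed here to mirror it, and the user name handed to live_checks is a placeholder for a real account in the domain.

```shell
#!/bin/sh
# Added example, not from the post or from Samba. Static checks parse the
# constructed sample files below; live checks run only where the Samba
# client tools are installed. Domain BECAUSE and the user name are assumptions.

# Constructed smb.conf fragment mirroring the posted idmap settings.
SAMPLE_SMB_CONF='[global]
   security = ads
   idmap config * : backend = tdb
   idmap config * : range = 2000000 - 2999999
   idmap config BECAUSE : backend = ad
   idmap config BECAUSE : schema_mode = rfc2307
   idmap config BECAUSE : readonly = yes
   idmap config BECAUSE : range = 500 - 1999999
'
# Constructed broken variant: the default (*) range overlaps the AD range
# and schema_mode is missing, so uidNumber values will not be honoured.
SAMPLE_SMB_CONF_BAD='[global]
   idmap config * : backend = tdb
   idmap config * : range = 1000000 - 2999999
   idmap config BECAUSE : backend = ad
   idmap config BECAUSE : range = 500 - 1999999
'
# Constructed nsswitch.conf with winbind in the passwd and group databases.
SAMPLE_NSSWITCH='passwd:   files winbind
group:    files winbind
shadow:   files
hosts:    files dns
'

# Write the constructed samples into a directory.
make_sample_files() { # dir
    printf '%s' "$SAMPLE_SMB_CONF"     > "$1/smb.conf"
    printf '%s' "$SAMPLE_SMB_CONF_BAD" > "$1/smb-bad.conf"
    printf '%s' "$SAMPLE_NSSWITCH"     > "$1/nsswitch.conf"
}

# Print the value of "idmap config <domain> : <param>" from an smb.conf file.
idmap_value() { # file domain param
    awk -v dom="$2" -v par="$3" -F'=' '
        $1 ~ /^[[:space:]]*idmap config/ {
            key = $1; sub(/^[[:space:]]*idmap config[[:space:]]*/, "", key)
            split(key, kv, ":"); d = kv[1]; p = kv[2]
            gsub(/[[:space:]]/, "", d); gsub(/[[:space:]]/, "", p)
            if (d == dom && p == par) {
                v = $2; gsub(/^[[:space:]]+|[[:space:]]+$/, "", v); print v; exit
            }
        }' "$1"
}

# Exit 0 when no two idmap ranges overlap; name the offending pair otherwise.
idmap_ranges_ok() { # file
    awk -F'=' '
        BEGIN { n = 0 }
        /^[[:space:]]*idmap config[^=]*:[[:space:]]*range[[:space:]]*=/ {
            dom = $1; sub(/^[[:space:]]*idmap config[[:space:]]*/, "", dom)
            sub(/:.*$/, "", dom); gsub(/[[:space:]]/, "", dom)
            split($2, r, "-")
            name[n] = dom; lo[n] = r[1] + 0; hi[n] = r[2] + 0; n++
        }
        END {
            ok = 1
            for (i = 0; i < n; i++)
                for (j = i + 1; j < n; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        printf "idmap ranges overlap: %s and %s\n", name[i], name[j]
                        ok = 0
                    }
            exit ok ? 0 : 1
        }' "$1"
}

# Exit 0 when both the passwd and group databases consult winbind.
nsswitch_uses_winbind() { # file
    for db in passwd group; do
        grep -Eq "^[[:space:]]*$db:[^#]*[[:space:]]winbind([[:space:]]|$)" "$1" || return 1
    done
    return 0
}

# Offline checks a practitioner runs before touching the domain at all.
static_checks() { # smb.conf nsswitch.conf domain
    conf=$1; nss=$2; dom=$3; rc=0
    [ "$(idmap_value "$conf" '*' backend)" ] || { echo "no default (*) idmap backend"; rc=1; }
    [ "$(idmap_value "$conf" "$dom" backend)" = ad ] || { echo "$dom: backend is not ad"; rc=1; }
    [ "$(idmap_value "$conf" "$dom" schema_mode)" = rfc2307 ] || { echo "$dom: schema_mode is not rfc2307"; rc=1; }
    idmap_ranges_ok "$conf" || rc=1
    nsswitch_uses_winbind "$nss" || { echo "nsswitch.conf: passwd/group do not use winbind"; rc=1; }
    return $rc
}

# Live checks on a joined host: join valid, winbindd answering, nscd stopped,
# and NSS resolving a real domain account (placeholder user name).
live_checks() { # user
    command -v wbinfo >/dev/null 2>&1 || { echo "wbinfo not found, skipping live checks"; return 0; }
    net ads testjoin || return 1        # machine account and trust still valid
    wbinfo -t || return 1               # winbindd running, secret channel OK
    if pgrep -x nscd >/dev/null 2>&1; then
        echo "nscd is running; stop it, it caches in front of winbind"; return 1
    fi
    wbinfo -i "$1" || return 1          # uid/gid mapping taken from AD
    getent passwd "$1" || return 1      # same answer through nsswitch
}

main() {
    tmp=$(mktemp -d) || exit 1
    make_sample_files "$tmp"
    echo "good sample:"; static_checks "$tmp/smb.conf" "$tmp/nsswitch.conf" BECAUSE && echo ok
    echo "bad sample:";  static_checks "$tmp/smb-bad.conf" "$tmp/nsswitch.conf" BECAUSE || echo "rejected as expected"
    rm -rf "$tmp"
}
main
```

Run the static checks against the real /etc/samba/smb.conf and /etc/nsswitch.conf first, then `live_checks 'BECAUSE\someuser'` (or the bare user name when `winbind use default domain = yes`) as root on the joined host; the overlap check matters because winbind will not allocate ids from a range claimed by two backends, and the default (*) range must also stay clear of any local accounts in /etc/passwd.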
