[Samba] Security = ADS and uidnumbers
jonathan at buzzard.me.uk
Wed Jun 5 07:23:42 MDT 2013
On Wed, 2013-06-05 at 13:30 +0100, Rowland Penny wrote:
> Hi, I gave up on winbind, it is just too complicated and most, if not all,
> of the webpages I found via google are incomplete or just down right wrong.
It's actually dead simple, and these days the manual page is actually
accurate. Really if you cannot get it working you cannot read.
Now assuming that the BECAUSE domain actually has the uidNumber field
populated a working configuration would be (this was taken from a
working configuration and modified to change the domain).
# deal with NSS and the whole UID/SID id mapping stuff
idmap config * : backend = tdb
idmap config * : range = 2000000 - 2999999
idmap config BECAUSE : backend = ad
idmap config BECAUSE : schema_mode = rfc2307
idmap config BECAUSE : readonly = yes
idmap config BECAUSE : range = 500 - 1999999
idmap cache time = 604800
idmap negative cache time = 20
winbind cache time = 600
winbind nss info = rfc2307
winbind expand groups = 2
winbind nested groups = yes
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes
winbind offline logon = false
Noting of cause that you must have a valid join to the domain, that
winbind is running, that nscd is *NOT* running and you have an
You might also have badly messed up tdb files from previous experiments.
I would recommend nuking them from orbit and starting afresh.
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
More information about the samba