[Samba] The problem with setting up AD domain to Samba 4

Vladimir A Fomkin vaf at vaf.net.ru
Wed Jun 26 05:06:51 MDT 2013

Hi again!
I configured my Samba AD PDC and BDC to apply the uid from the uidNumber attribute,
but I have a problem: "uidNumber" is not created automatically. I must
create it for each user by hand. How do I solve this problem?

root at pdc:/usr/local/samba/etc# cat smb.conf
# Global parameters
# Note: the bracketed section headers were stripped from the pasted listing and are
# restored here; [netlogon] and [sysvol] are the share names samba-tool provisions
# for these paths, [profiles] is assumed from the path.
[global]
    workgroup = TEST
    realm = TEST.LOCAL
    netbios name = PDC
    server role = active directory domain controller
    dns forwarder =
    idmap_ldb:use rfc2307 = yes
    idmap config *:backend = tdb
    idmap config *:range = 70001-80000
    idmap config TEST:backend = ad
    idmap config TEST:schema_mode = rfc2307
    idmap config TEST:range = 500-40000
    winbind nss info = rfc2307
    winbind trusted domains only = no
    winbind use default domain = yes
    winbind enum users  = yes
    winbind enum groups = yes

[netlogon]
    path = /usr/local/samba/var/locks/sysvol/test.local/scripts
    read only = No

[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No

[profiles]
    path = /usr/local/samba/var/profiles
    read only = No
root at pdc:/usr/local/samba/etc#

2013/6/19 Rowland Penny <rowlandpenny at googlemail.com>

> Hi Steve, yes, I agree with you. The problem is that people still try to
> set up an S4 AD server as if it were S3; this will never work.
> What people need to realise is that an S4 AD server is for all intents and
> purposes a Windows AD server clone and to set it up the same
> It might be easier for the OP to reprovision again and start with a blank
> slate and this time do some searching on 'how do I connect a linux client
> to a windows server'
> Rowland
> On 19 June 2013 10:54, steve <steve at steve-ss.com> wrote:
>> On Wed, 2013-06-19 at 10:34 +0100, Rowland Penny wrote:
>> > The problem is that you are mixing up how samba 4 works with how samba
>> > 3 works, samba 4 winbind does not work the same as the samba 3
>> > winbind.
>> >
>> > What you need to do is give your linux users a uidNumber and groups
>> > like Domain Users a gidNumber, how you do this is up to you, it can be
>> > done from windows (ADUC?) or by using an ldif on linux, try a web
>> > search.
>> >
>> > You then need to extract this information on the linux clients. You
>> > can use winbind, but do not use the rid backend. If you do use the rid
>> > backend, whilst you will get the same UID for a user on any linux
>> > client that uses the exact same winbind settings, you will never get
>> > the same UID on the server.  Using the ad backend will get you the
>> > same UID wherever you ask for it, but in my opinion is not the way
>> > to go; try using sssd, it is a lot easier to set up.
>> >
>> >
>> > Rowland
>> >
>> Hi Rowland
>> From what I can work out from the posts, the OP is trying to do this on
>> a DC. What I find difficult to get across is the idea of storing stuff
>> in AD. In cases such as these I really can't see any other way to go.
>> The OP's idmap is really screwed up. I've had a go via the DC winbind
>> and the only way I could go with this was to delete the idmap entries
>> and start again. This is in the other post about an hour or so ago, if
>> you have any easier way. . .
>> Cheers,
>> Steve

Best regards,
Фомкин Владимир Андреевич
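As an added example (not code from this thread or from the Samba project), the following script automates the "by hand" step Rowland describes: it reads an ldbsearch dump of the users, hands every user without a uidNumber a free number from the TEST range in the smb.conf above, and writes an LDIF for ldbmodify. The Domain Users gidNumber of 513, the sam.ldb path and the sample ldbsearch output are assumptions/constructed.

```python
"""Generate an LDIF giving every AD user lacking a uidNumber a unique one from the idmap
range in the smb.conf above (500-40000) and, if missing, Domain Users' gidNumber.  Apply it
with ldbmodify to the DC's sam.ldb (assumed path: /usr/local/samba/private/sam.ldb)."""

UID_MIN, UID_MAX = 500, 40000   # "idmap config TEST:range" from the smb.conf above
DOMAIN_USERS_GID = 513          # assumed: gidNumber already set on Domain Users

# Constructed sample of an ldbsearch dump of (objectClass=user) with these three attributes.
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=test,DC=local
sAMAccountName: alice
uidNumber: 10000

dn: CN=bob,CN=Users,DC=test,DC=local
sAMAccountName: bob
gidNumber: 513

dn: CN=carol,CN=Users,DC=test,DC=local
sAMAccountName: carol
"""

def parse_entries(text):
    """Turn LDIF text into one {lowercase attribute: value} dict per dn."""
    entries = []
    for block in text.strip().split("\n\n"):
        pairs = (line.partition(":") for line in block.splitlines() if not line.startswith("#"))
        entry = {k.strip().lower(): v.strip() for k, sep, v in pairs if sep}
        if "dn" in entry:
            entries.append(entry)
    return entries

def assign_uids(entries, uid_min=UID_MIN, uid_max=UID_MAX, gid=DOMAIN_USERS_GID):
    """Return ({sAMAccountName: new uid}, ldif); existing uidNumbers are never reused."""
    used = {int(e["uidnumber"]) for e in entries if "uidnumber" in e}
    candidate = max([u for u in used if uid_min <= u <= uid_max], default=uid_min - 1) + 1
    assignments, chunks = {}, []
    for e in [x for x in entries if "uidnumber" not in x]:
        while candidate in used:            # step over numbers handed out earlier by hand
            candidate += 1
        if candidate > uid_max:
            raise RuntimeError("idmap range %d-%d exhausted" % (uid_min, uid_max))
        used.add(candidate)
        assignments[e["samaccountname"]] = candidate
        ops = ["add: uidNumber\nuidNumber: %d\n-" % candidate]
        if "gidnumber" not in e:            # LDAP 'add' of an attribute already present fails
            ops.append("add: gidNumber\ngidNumber: %d\n-" % gid)
        chunks.append("dn: %s\nchangetype: modify\n%s\n" % (e["dn"], "\n".join(ops)))
        candidate += 1
    return assignments, "\n".join(chunks)
```

Computer accounts also carry objectClass=user, so filter them out of the ldbsearch before feeding the dump in, and review the generated LDIF before applying it.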
