[Samba] Samba4 Dc Winbind and uidNumbers

Gémes Géza geza at kzsdabas.hu
Wed Mar 27 08:20:34 MDT 2013


Hi,
> On Wed, Mar 27, 2013 at 6:14 AM, Jim Potter <jimchuffff at googlemail.com> wrote:
>> Hi all,
>>
>> I'm trying to get the unix extensions working in AD. I'm obviously missing
>> something, but I can't see what...
>>
>> I've just created user Jim (using ADUC) and added a uidnumber (using
>> ADSIEdit). From this and what I have below, user Jim should have uidNumber
>> of 12345 (from AD) and not be prefixed with Domain name. This isn't
>> happening. Does anyone have any idea why not?
>>
>> cheers,
>>
>> Jim
>>
>>
>> Excerpt from getent passwd:
>> saned:x:110:117::/home/saned:/bin/false
>> FASTFOOD\Administrator:*:0:100::/home/FASTFOOD/Administrator:/bin/false
>> FASTFOOD\Guest:*:3000011:3000012::/home/FASTFOOD/Guest:/bin/false
>> FASTFOOD\krbtgt:*:3000016:100::/home/FASTFOOD/krbtgt:/bin/false
>> FASTFOOD\jim:*:3000019:100:Jim Chuffff:/home/FASTFOOD/jim:/bin/false
>>
>>
>> smb.conf:
>> [global]
>>          workgroup = FASTFOOD
>>          realm = FASTFOOD.LAN
>>          netbios name = CHIPSHOP
>>          server role = active directory domain controller
>>
>>          dns forwarder = 62.24.199.13
>>
>>          log level = 3
>>
>>          algorithmic rid base = 10000
>>
>>          idmap config * : range = 50001-60000
>>          idmap config * : backend = ad
>>
>>          idmap config FASTFOOD : range = 10000-50000
>>          idmap config FASTFOOD : backend = ad
> Hello Jim,
> Try adding these lines. If this doesn't work, I think you're being
> bitten by a known bug specific to this setup on an S4 DC. Andrew wrote
> a patch back in Nov-Dec, but it may not have made it into the
> codebase. Let me know if that doesn't work and I'll try to find that
> thread. I'm pretty sure someone came up with a workaround.
>
> idmap config FASTFOOD : schema_mode = rfc2307
> idmap config FASTFOOD : default = yes
>
> winbind enum users = yes
> winbind enum groups = yes
>
>>          winbind nss info = rfc2307
>>          winbind use default domain = yes
>>
>> [netlogon]
>>          path = /var/lib/samba/sysvol/fastfood.lan/scripts
>>          read only = No
>>
>> [sysvol]
>>          path = /var/lib/samba/sysvol
>>          read only = No
>>
>> My user from AD:
>> dn: CN=Jim Chuffff,CN=Users,DC=fastfood,DC=lan
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: user
>> cn: Jim Chuffff
>> sn: Chuffff
>> givenName: Jim
>> instanceType: 4
>> whenCreated: 20130317212551.0Z
>> displayName: Jim Chuffff
>> uSNCreated: 3873
>> name: Jim Chuffff
>> objectGUID:: hXvFCY0pTUeIgltTLbnOcQ==
>> badPwdCount: 0
>> codePage: 0
>> countryCode: 0
>> badPasswordTime: 0
>> lastLogoff: 0
>> lastLogon: 0
>> primaryGroupID: 513
>> objectSid:: AQUAAAAAAAUVAAAAbDu04eltc/ij6yQSUQQAAA==
>> accountExpires: 9223372036854775807
>> logonCount: 0
>> sAMAccountName: jim
>> sAMAccountType: 805306368
>> userPrincipalName: jim at fastfood.lan
>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=fastfood,DC=lan
>> pwdLastSet: 130080291520000000
>> userAccountControl: 66048
>> uidNumber: 12345
>> whenChanged: 20130317212824.0Z
>> uSNChanged: 3877
>> distinguishedName: CN=Jim Chuffff,CN=Users,DC=fastfood,DC=lan
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
If you are running Samba 4 as an AD DC (that is, if you specify: server 
role = active directory domain controller),
you will need to configure winbind inside the samba binary. The settings 
you have are obeyed by the winbind binary, which should be run e.g. on a 
member server, so you need to replace them with:
idmap_ldb:use rfc2307 = yes
That is the only setting (it defaults to no) which can affect winbind 
behavior on an AD DC.

Regards

Geza Gemes
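As an added example (not from this thread or from Samba itself): a small POSIX shell check that compares the uid NSS hands out for an AD user with the uidNumber stored in AD, so you can tell a uidNumber honoured from AD apart from an xid the DC's idmap.ldb allocated on its own (the 3000011/3000019 values in Jim's getent output). It assumes getent and ldbsearch are available on the DC; the sam.ldb path and the 3000000 allocation base are assumptions and may differ on your build.

```shell
#!/bin/sh
# Added example: verify that an AD user's uid comes from the AD uidNumber
# attribute rather than from the DC's own idmap.ldb allocator.
# Assumptions (not from the thread): sam.ldb path below is the packaged
# default; xids allocated by idmap.ldb on a DC start at 3000000.

SAM_LDB=${SAM_LDB:-/var/lib/samba/private/sam.ldb}
XID_ALLOC_BASE=3000000

# passwd_uid LINE -> prints the uid (3rd field) of a passwd(5) line.
passwd_uid() {
    printf '%s\n' "$1" | cut -d: -f3
}

# classify_uid UID EXPECTED -> prints one of:
#   ad         uid equals the uidNumber stored in AD (the wanted outcome)
#   allocated  uid was allocated by idmap.ldb, AD attribute was ignored
#   other      neither; inspect manually (local account, other idmap range)
classify_uid() {
    uid=$1; expected=$2
    if [ "$uid" = "$expected" ]; then
        echo ad
    elif [ "$uid" -ge "$XID_ALLOC_BASE" ]; then
        echo allocated
    else
        echo other
    fi
}

# check_user NAME -> queries the live DC; returns 0 only when NSS returns
# the uidNumber that is set on the user object in AD.
check_user() {
    name=$1
    expected=$(ldbsearch -H "$SAM_LDB" "(sAMAccountName=$name)" uidNumber \
               | awk '$1 == "uidNumber:" { print $2 }')
    [ -n "$expected" ] || { echo "$name: no uidNumber set in AD"; return 2; }
    line=$(getent passwd "$name") || { echo "$name: unknown to NSS"; return 2; }
    uid=$(passwd_uid "$line")
    result=$(classify_uid "$uid" "$expected")
    echo "$name: uid=$uid expected=$expected -> $result"
    [ "$result" = ad ]
}

# Usage on the DC: sh check_uid.sh jim
if [ $# -gt 0 ]; then check_user "$1"; fi
```

Run it before and after changing the idmap settings; "allocated" means winbind on the DC is still ignoring the RFC2307 attributes.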
