[Samba] Samba4 Dc Winbind and uidNumbers

Jim Potter jimpotter at orange.net
Wed Mar 27 08:43:20 MDT 2013


Thanks for the replies on this. I'm on holiday at the mo, but will try it
when I get home and get back to you.

cheers,

Jim

On Mar 27, 2013 2:21 PM, "Gémes Géza" <geza at kzsdabas.hu> wrote:
>
> Hi,
>
>> On Wed, Mar 27, 2013 at 6:14 AM, Jim Potter <jimchuffff at googlemail.com> wrote:
>>>
>>> Hi all,
>>>
>>> I'm trying to get the unix extensions working in AD. I'm obviously missing
>>> something, but I can't see what...
>>>
>>> I've just created user Jim (using ADUC) and added a uidnumber (using
>>> ADSIEdit). From this and what I have below, user Jim should have uidNumber
>>> of 12345 (from AD) and not be prefixed with Domain name. This isn't
>>> happening. Does anyone have any idea why not?
>>>
>>> cheers,
>>>
>>> Jim
>>>
>>>
>>> Excerpt from getent passwd:
>>> saned:x:110:117::/home/saned:/bin/false
>>> FASTFOOD\Administrator:*:0:100::/home/FASTFOOD/Administrator:/bin/false
>>> FASTFOOD\Guest:*:3000011:3000012::/home/FASTFOOD/Guest:/bin/false
>>> FASTFOOD\krbtgt:*:3000016:100::/home/FASTFOOD/krbtgt:/bin/false
>>> FASTFOOD\jim:*:3000019:100:Jim Chuffff:/home/FASTFOOD/jim:/bin/false
>>>
>>>
>>> smb.conf:
>>> [global]
>>>          workgroup = FASTFOOD
>>>          realm = FASTFOOD.LAN
>>>          netbios name = CHIPSHOP
>>>          server role = active directory domain controller
>>>
>>>          dns forwarder = 62.24.199.13
>>>
>>>          log level = 3
>>>
>>>          algorithmic rid base = 10000
>>>
>>>          idmap config * : range = 50001-60000
>>>          idmap config * : backend = ad
>>>
>>>          idmap config FASTFOOD : range = 10000-50000
>>>          idmap config FASTFOOD : backend = ad
>>
>> Hello Jim,
>> Try adding these lines. If this doesn't work, I think you're being
>> bitten by a known bug specific to this setup on an S4 DC. Andrew wrote
>> a patch back in Nov-Dec, but it may not have made it into the
>> codebase. Let me know if that doesn't work and I'll try to find that
>> thread. I'm pretty sure someone came up with a workaround.
>>
>> idmap config FASTFOOD : schema_mode = rfc2307
>> idmap config FASTFOOD : default = yes
>>
>> winbind enum users = yes
>> winbind enum groups = yes
>>
>>>          winbind nss info = rfc2307
>>>          winbind use default domain = yes
>>>
>>> [netlogon]
>>>          path = /var/lib/samba/sysvol/fastfood.lan/scripts
>>>          read only = No
>>>
>>> [sysvol]
>>>          path = /var/lib/samba/sysvol
>>>          read only = No
>>>
>>> My user from AD:
>>> dn: CN=Jim Chuffff,CN=Users,DC=fastfood,DC=lan
>>> objectClass: top
>>> objectClass: person
>>> objectClass: organizationalPerson
>>> objectClass: user
>>> cn: Jim Chuffff
>>> sn: Chuffff
>>> givenName: Jim
>>> instanceType: 4
>>> whenCreated: 20130317212551.0Z
>>> displayName: Jim Chuffff
>>> uSNCreated: 3873
>>> name: Jim Chuffff
>>> objectGUID:: hXvFCY0pTUeIgltTLbnOcQ==
>>> badPwdCount: 0
>>> codePage: 0
>>> countryCode: 0
>>> badPasswordTime: 0
>>> lastLogoff: 0
>>> lastLogon: 0
>>> primaryGroupID: 513
>>> objectSid:: AQUAAAAAAAUVAAAAbDu04eltc/ij6yQSUQQAAA==
>>> accountExpires: 9223372036854775807
>>> logonCount: 0
>>> sAMAccountName: jim
>>> sAMAccountType: 805306368
>>> userPrincipalName: jim at fastfood.lan
>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=fastfood,DC=lan
>>> pwdLastSet: 130080291520000000
>>> userAccountControl: 66048
>>> uidNumber: 12345
>>> whenChanged: 20130317212824.0Z
>>> uSNChanged: 3877
>>> distinguishedName: CN=Jim Chuffff,CN=Users,DC=fastfood,DC=lan
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>
> If you are running samba 4 as an AD DC (that is if you specify:
> server role = active directory domain controller)
> you will need to configure winbind inside the samba binary. The settings
> you have are obeyed by the winbind binary which should be run e.g. on a
> member server, so you need to replace them with:
> idmap_ldb:use rfc2307 = yes
> that is the only setting (it defaults to no) which can affect winbind
> behavior on an AD DC.
>
> Regards
>
> Geza Gemes
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
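
The point of the last reply, as an added example that is not part of the original thread or of Samba's own code: a small Python check that reads an smb.conf, lists the member-server style `idmap config` / `winbind` parameters that (per that reply) have no effect on an AD DC, and reports whether `idmap_ldb:use rfc2307` is set. The sample config is constructed from the settings quoted in the thread, and the function names are hypothetical.

```python
import re

# Constructed sample: the [global] settings quoted in the thread.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = FASTFOOD
    realm = FASTFOOD.LAN
    server role = active directory domain controller
    idmap config * : range = 50001-60000
    idmap config * : backend = ad
    idmap config FASTFOOD : range = 10000-50000
    idmap config FASTFOOD : backend = ad
    winbind nss info = rfc2307
    winbind use default domain = yes
"""

def parse_global(text):
    """Return the [global] parameters as {normalised name: value}."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # smb.conf parameter names ignore case and whitespace
            params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params

def check_dc_idmap(text):
    """Flag member-server idmap/winbind settings in an AD DC smb.conf."""
    p = parse_global(text)
    role = " ".join(p.get("serverrole", "").split()).lower()
    # Only the role string used in the thread is recognised here.
    is_dc = role == "active directory domain controller"
    # Assumption: "the settings you have" in the reply means these prefixes.
    member_only = sorted(k for k in p
                         if k.startswith(("idmapconfig", "winbind")))
    rfc2307 = p.get("idmap_ldb:userfc2307", "no").lower() in ("yes", "true", "1")
    return {"is_dc": is_dc,
            "ignored_on_dc": member_only if is_dc else [],
            "idmap_ldb_rfc2307": rfc2307}

if __name__ == "__main__":
    print(check_dc_idmap(SAMPLE_SMB_CONF))
```

Run against the config from the thread, it reports a DC with six ignored parameters and `idmap_ldb_rfc2307` false, which matches the symptom of `jim` getting 3000019 instead of 12345.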

