[Samba] winbind: homeDirectory being ignored

Rowland Penny rowlandpenny at googlemail.com
Wed Jun 25 04:10:41 MDT 2014


On 25/06/14 10:28, Brian Candler wrote:
> On 24/06/2014 16:12, Rowland Penny wrote:
>> Try adding 'unixHomeDirectory: /home/user7' to the users AD info
>>
>> 'homedirectory' & 'unixHomeDirectory' are different attributes. 
> Thanks for all the help so far.
>
> Aside: I wrote an LDAP server library some years ago, so I understand 
> some of the protocol internals. LDAP requires you to go to the trouble 
> of defining a globally unique OID to identify every attribute - and 
> then what actually gets sent on the wire is the text label, not the 
> OID. Go figure.
>
> RFC2307 uses the label "homeDirectory" for OID 1.3.6.1.1.1.1.3. It 
> seems that in AD you can put both "homeDirectory" and 
> "unixHomeDirectory" attributes, which are treated as different 
> attributes in the database and on the wire, except they have the same 
> OID. Yuk.
This may be true of RFC2307, but not in AD, yes "unixHomeDirectory" has 
the OID 1.3.6.1.1.1.1.3, but in AD "homeDirectory" has the OID 
1.2.840.113556.1.4.44.

>
> To be fair, RFC2307 is only an "experimental" RFC, and I don't think 
> RFC2307bis was ever finalised.
>
> As for groups: RFC2307 hardly mentions groups at all (memberUid is 
> just defined as an attribute, and that's it).
>
> Does anyone have any pointers to documentation about how Active 
> Directory maps Unix gid and supplementary groups from LDAP entries and 
> attributes? Because I'm having a hard time finding any. In particular, 
> it seems to be using the gidNumber from the group object. But if a 
> user is a member of multiple groups, how does it decide which is the 
> primary group and which are supplementary groups?

The Unix users primary group is whatever you put as the 'gidNumber' , 
after that it defaults to the windows way of doing things. If the 
windows groups do not have a 'gidNumber' they have to be mapped to a 
number that Unix understands, winbind does this with the idmap backend.

If you add a user to a group, AD automatically adds an entry to the user 
as well, so if you look at the group, you will find 'member' attributes 
containing the 'dn' of the user and if then look at the user, you will 
find a 'memberOf' attribute containing the group name.

You can also add a Unix user to a Unix group, this is done in the same 
way, but in this case the attributes are 'msSFU30PosixMember' & 
'msSFU30PosixMemberOf'

>
> Also: I can see no explicit binding between user8 and group "Domain 
> Users" (i.e. no memberOf: attribute). Are all users implicitly members 
> of this group?
If you look at user8 in AD you will very probably find this line:
primaryGroupID: 513

This is what makes user8 a member of 'Domain Users', 513 being the well 
known RID for the group and yes, all users initially get set to use the 
group as its primary AD group.

Rowland

>
> Thanks,
>
> Brian.
>



More information about the samba mailing list