[Samba] Winbind does not read uidNumber
Lars Hanke
debian at lhanke.de
Sun Jun 29 05:01:30 MDT 2014
Well, seems like I hit every mudhole that could be on the way ...
root at samba4:/# getent passwd | grep mgr
mgr:*:10000:10000:Lars LH. Hanke:/home/AD/mgr:/bin/bash
root at samba4:/# ldapsearch -LLL -D "CN=Administrator,CN=Users,DC=ad,DC=microsult,DC=de" -x -W '(uid=mgr)' uid uidNumber gidNumber sAMAccountName name gecos
Enter LDAP Password:
dn: CN=Lars LH. Hanke,CN=Users,DC=ad,DC=microsult,DC=de
name: Lars LH. Hanke
sAMAccountName: mgr
uid: mgr
uidNumber: 1001
gidNumber: 1001
gecos: Dr. Lars Hanke
root at samba4:/# grep mgr /etc/passwd
root at samba4:/#
So although proper POSIX information is in the AD, and no local
information is present, winbind rolls dice for POSIX attributes. The
situation seems similar to that of Rowland and Derek Werthmuller last
December. There, finally, Rowland suggested using sssd.
My smb.conf:
[global]
workgroup = AD
realm = AD.MICROSULT.DE
security = ADS
restrict anonymous = 2
kerberos method = system keytab
os level = 0
local master = No
domain master = No
template shell = /bin/bash
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
idmap config * : range = 10000-20000
idmap config AD: backend = ad
idmap config AD: range = 1001 - 2000
idmap config * : backend = tdb
Interestingly, the behaviour is no different if I simply put idmap uid
and idmap gid lines instead of the more detailed config.
And, if you doubt that I'm querying the right LDAP:
root at samba4:/# cat /etc/ldap/ldap.conf
BASE DC=ad,DC=microsult,DC=de
URI ldap://samba.ad.microsult.de:3268
TLS_CACERT /etc/certs/cacert.pem
BTW: administrator does not map to 0 either!
Moreover, I largely followed the Debian Wiki
https://wiki.debian.org/AuthenticatingLinuxWithActiveDirectory. In their
setup uids get prefixed by %D+. Unsure which I like better, but it's at
least an observation.
samba4 runs vanilla Debian Wheezy, i.e. samba 3.6.6. If this is a
_known_ issue with that version, I readily update to backports 4.1.7.
Otherwise, I have some reasons to explore the old version for a while.
Thanks for your help,
- lars.
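Added example (not from the poster or the Samba project): a small lint of the idmap part of the smb.conf above, plus a lookup that says which idmap range a UID came from. The sample smb.conf embedded below is constructed from the lines quoted in the mail. The point it makes: 10000 is the first ID of the "*" tdb range, so winbind allocated mgr's ID from the fallback instead of reading uidNumber 1001 through the AD backend. The checks it performs (default backend must not be idmap_ad, ranges must not overlap, an explicit schema_mode, and "winbind nss info = rfc2307" for unixHomeDirectory/loginShell) are the ones I would verify first; whether schema_mode must be set explicitly depends on the Samba version, so that finding is a recommendation, not a statement about 3.6.6.

```python
"""Lint the idmap settings of an smb.conf and explain where a UID came from.

Added example for this thread, not the poster's nor Samba's own code. The
smb.conf below is a constructed sample built from the lines quoted in the mail.
Samba treats option names case-insensitively and ignores whitespace around the
colon in "idmap config DOMAIN : key", so the parser normalises both.
"""
import re

SAMPLE_SMB_CONF = """\
[global]
workgroup = AD
realm = AD.MICROSULT.DE
security = ADS
template shell = /bin/bash
winbind use default domain = Yes
idmap config * : range = 10000-20000
idmap config AD: backend = ad
idmap config AD: range = 1001 - 2000
idmap config * : backend = tdb
"""

IDMAP_RE = re.compile(r"^idmap\s+config\s+(\S+)\s*:\s*(\w+)$")


def parse_global(text):
    """Return the [global] options as {normalised key: raw value}."""
    opts, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        opts[re.sub(r"\s+", " ", key.lower())] = value
    return opts


def idmap_domains(opts):
    """Group idmap config lines per domain, e.g. {'AD': {'backend': 'ad', 'range': (1001, 2000)}}."""
    domains = {}
    for key, value in opts.items():
        m = IDMAP_RE.match(key)
        if not m:
            continue
        dom, opt = m.group(1).upper(), m.group(2)
        entry = domains.setdefault(dom, {})
        if opt == "range":  # Samba accepts "lo-hi" with or without spaces
            lo, hi = (int(x) for x in re.split(r"\s*-\s*", value.strip()))
            entry["range"] = (lo, hi)
        else:
            entry[opt] = value.lower()
    return domains


def lint(opts):
    """Return a list of findings about the idmap / nss configuration."""
    findings, domains = [], idmap_domains(opts)
    if "range" not in domains.get("*", {}):
        findings.append("no default ('*') idmap range: SIDs without a domain config cannot be mapped")
    if domains.get("*", {}).get("backend") == "ad":
        findings.append("idmap_ad is read-only and cannot be the default ('*') backend")
    workgroup = opts.get("workgroup", "").upper()
    if workgroup and workgroup not in domains:
        findings.append(f"no 'idmap config {workgroup}' block: IDs for the own domain come from the '*' range")
    ranges = {d: e["range"] for d, e in domains.items() if "range" in e}
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(f"idmap ranges for {a} and {b} overlap")
    for dom, entry in domains.items():
        if dom == "*" or entry.get("backend") != "ad":
            continue
        if "range" not in entry:
            findings.append(f"idmap config {dom}: backend = ad without a range; uidNumber outside a range is ignored")
        # Recommendation, not a hard requirement: defaults differ between Samba versions.
        if entry.get("schema_mode") not in ("rfc2307", "sfu", "sfu20"):
            findings.append(f"idmap config {dom}: set schema_mode = rfc2307 explicitly so uidNumber/gidNumber are read")
    # Default is "template": home and shell then come from template homedir/shell,
    # not from unixHomeDirectory/loginShell in AD.
    if opts.get("winbind nss info", "template").lower() != "rfc2307":
        findings.append("winbind nss info is not rfc2307: home directory and shell are taken from the template options")
    return findings


def explain_uid(uid, opts):
    """Name the idmap domain whose configured range contains uid, or None."""
    for dom, entry in idmap_domains(opts).items():
        lo, hi = entry.get("range", (None, None))
        if lo is not None and lo <= uid <= hi:
            return dom
    return None


if __name__ == "__main__":
    opts = parse_global(SAMPLE_SMB_CONF)
    for finding in lint(opts):
        print("WARN:", finding)
    # 10000 is what getent reported for mgr, 1001 is the uidNumber stored in AD (values from the mail).
    for uid in (10000, 1001):
        print(uid, "lies in the range of idmap domain", explain_uid(uid, opts))
```

Run it against the real file with `parse_global(open("/etc/samba/smb.conf").read())`, or better against `testparm -s` output so includes and defaults are resolved. A UID that lands in the "*" range for a domain that has its own "idmap config" block means the allocating backend answered, not idmap_ad; once the config is fixed, the already allocated mapping stays cached in winbind's tdb files until it is flushed, so a correct config alone will not change what getent shows.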