[Samba] winbind bug?

[Jonathan Buzzard]

On Fri, 2014-03-28 at 13:37 +0100, steve wrote:
> On Thu, 2014-03-27 at 20:22 +0000, Rowland Penny wrote:
> > >
> > Do you have access to the Windows server ? if you do, give all your 
> > users and groups the required RFC2307 attributes. You can do this using 
> > ADUC provided that it is showing the UNIX Attributes tab for users & 
> > groups. You can then pull these attributes with winbind, nlscd or sssd 
> > on the linux machine, your problem will then go away.
> > 
> +1
> As already suggested, this would solve all your problems, forever. Your
> windows admin simply needs to extend the schema:
> http://www.microsoft.com/en-us/download/details.aspx?id=8260
> 

It is highly unlikely that his Windows admins need to extend the schema.
If your AD servers are at 2003R2 or above your AD schema has already
been extended whether you wanted it or not. The critical sentence in the
webpage you link to is

   The schema must also be extended before a domain controller
   running Windows Server 2003 R2 is added to a forest, either by
   upgrade or installation of Active Directory. 

So while it was true that with 2000 and 2003 you had to optionally
extend the schema to get the RFC2307bis attributes, Microsoft helpfully
made it mandatory with 2003R2. Any domain that started off life as
2003R2 or later has the schema extension by default.

As a schema extension in AD is a one way operation, AD administrators
where traditionally very reluctant to extend the schema. It is orders of
magnitude easier to persuade your Windows admins to populate a
preexisting field in the AD than extend the schema.

See the following page for how to make the Unix attributes tab show up
in the AD snapin.

http://blog.scottlowe.org/2006/11/28/unix-attributes-tab-and-nispropdll/

Though you could easily use Powershell, LDIF's etc. to populate the
fields without the need for the Unix Attributes tab.


JAB.

-- 
Jonathan A. Buzzard                 Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.