[Samba] winbind/idmap issue on samba4 member server

Rowland Penny rowlandpenny at googlemail.com
Mon Oct 20 12:24:27 MDT 2014

On 20/10/14 19:07, ?icro MEGAS wrote:
>> You are very nearly correct, your smb.conf on the member server has
>> these lines:
>> idmap config MYDOM:backend = ad
>> idmap config MYDOM:schema_mode = rfc2307
>> idmap config MYDOM:range = 500-40000
>> The first line makes winbind use the ad backend, the second ensures that
>> the rfc2307 attributes are used and the third line sets the range of
>> users to pull from AD.
>> What this boils down to is:
>> A) only users with a uidNumber will be pulled
>> B) the uidNumber must be between the range given in smb.conf, in your
>> case, between 500 - 40000
>> Any users without a uidNumber will be ignored, so any users that you
>> want to connect to the member server will have to have a uidNumber, also
>> groups will have to have a gidNumber. You can add other rfc2307
>> attributes but these are not really mandatory, they just make life a lot
>> easier ;-)
>> Rowland
> Is there any other way, so I can instruct my member server to pull ALL AD users, even if they have no UID assigned? Please point me to some useful tutorials/wikis for the additional rfc2307 attributes you told me about. I have two more questions on that topic:

You could use the rid backend instead or sssd. Have a look here for 
samba info: https://wiki.samba.org/index.php/Main_Page

> - as you see the output of "getent passwd" my user "MYDOM\Administrator" has the UID=0 which is confusing me. Let's say, I'd like to make this user account available on the member server, too. I would have to open ADUC tool, edit that user and in tab [UNIX Attribute] assign the NIS domain = MYDOM to it and he also needs a UID. Which UID should I give him? Give him the UID=0 again? What happens if I assign UID=10000 to that user, will that administrative account be restricted on any way? I don't want to mess up my configuration.

**DO NOT** do anything to the Administrator command, leave it alone.

> - In ADUC tool, as soon as I choose a user account and try to modify it under tab [UNIX Attribute] the default login shell is "/bin/sh" and the default homedir is = "/home/foobar". I would like to have other defaults here, the default shell should be "/bin/bash" and the default home should be "/home/MYDOM/foobar". I tried accomplishing that by following change in DC1 and DC2 smb.conf:
> template shell = /bin/false
> template homedir = /home/%D/%U
> I restarted afterwards sernet-samba-ad on DC1 and DC2 and I also restarted the untouched member server by restarting its services nmbd,smbd and winbindd. Unfortunately it didn't help. I still get as default the mentioned paths in ADUC tool. What am I doing wrong here?

The windows defaults you are getting in ADUC are just that, windows 
defaults, you cannot change them by putting anything into smb.conf, but 
you can change them on the UNIX Attributes tab, just overwrite /bin/sh.

You could also use samba-tool on the DC to create users, only problem 
is, even though it has been pointed out several times and at least one 
patch prepared, it cannot add the unixHomeDirectory attribute. For help 
run 'samba-tool user create --help' on the DC.


> Mirco
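As an added check, not part of this thread, the script below applies the rule Rowland explains above (with the ad backend and rfc2307 schema mode, winbind only maps users whose uidNumber exists and falls inside the configured idmap range) to a constructed list of AD users; the smb.conf fragment, the sample users and the helper names are assumptions for the example.

```shell
#!/bin/sh
# Added example: report which AD users winbind's ad backend will ignore
# under the configured "idmap config MYDOM:range". Not from the thread.

# Constructed smb.conf fragment, as on the member server in the thread.
SMB_CONF='[global]
   workgroup = MYDOM
   idmap config MYDOM:backend = ad
   idmap config MYDOM:schema_mode = rfc2307
   idmap config MYDOM:range = 500-40000'

# Constructed sample in "sAMAccountName uidNumber" form; "-" means the
# account has no uidNumber. On a real DC this list would come from e.g.
#   ldbsearch -H /var/lib/samba/private/sam.ldb '(objectClass=user)' sAMAccountName uidNumber
SAMPLE_USERS='Administrator -
alice 10000
bob 45000
carol 499
dave 40000
eve -'

# idmap_range SMBCONF_TEXT DOMAIN -> prints the configured "low-high" range
idmap_range() {
    printf '%s\n' "$1" | sed -n \
      "s/^[[:space:]]*idmap config $2:range[[:space:]]*=[[:space:]]*\([0-9]*-[0-9]*\).*/\1/p"
}

# classify_user USER UIDNUMBER RANGE -> "mapped" or the reason it is skipped
classify_user() {
    user=$1; uid=$2; range=$3
    low=${range%-*}; high=${range#*-}
    if [ "$uid" = "-" ]; then
        echo "$user: skipped (no uidNumber)"
    elif [ "$uid" -lt "$low" ] || [ "$uid" -gt "$high" ]; then
        echo "$user: skipped (uidNumber $uid outside $range)"
    else
        echo "$user: mapped (uid $uid)"
    fi
}

# audit_users -> one classification line per sample user
audit_users() {
    range=$(idmap_range "$SMB_CONF" MYDOM)
    printf '%s\n' "$SAMPLE_USERS" | while read -r user uid; do
        classify_user "$user" "$uid" "$range"
    done
}

audit_users
```

Users reported as skipped are exactly those that will not appear in `getent passwd` on the member server until they get a uidNumber inside the range (or the range is widened).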
