[Samba] NSLCD works, do I need RFC2307 extensions enabled in AD as well?
john
lists.john at gmail.com
Mon Apr 20 10:37:36 MDT 2015
Hello Andrey, thanks for the reply! I apologize for my delayed response!
On Fri, Apr 17, 2015 at 4:54 PM, Andrey Repin <anrdaemon at yandex.ru> wrote:
> Greetings, john!
>
> This is for POSIX users. Samba has nothing to do with them, other than to map
> Windows users to POSIX uids sometimes.
> Normally, Samba servers communicate with each other directly, without falling
> down to POSIX layer.
>
> > Do I need to install RFC2307 extensions per
> > https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC#Administer_Unix_Attributes_in_Active_Directory
>
> You have to tell a little more about your setup, to begin with.
>
I am in the process of replacing an older Samba file server ver 3.5.6
running on Debian 6. This file server uses winbind with the idmap_rid
method for user mapping. It's been working well for 8 years or so.
We have several Windows Domain Controllers running Win2K8R2 and a couple
running 2012R2. We have a single domain. I'd like the new Samba server to
be a member rather than a PDC. I have successfully joined this server to
the domain via kerberos, but don't necessarily need to use kerberos as my
auth method.
The reason I want to change from idmap_rid to an LDAP based method (hence
NSLCD) is we are trying to standardize all user logons across all devices
to use UPN names which have the format username at ourdomain.org. My
understanding from this thread of last year
https://lists.samba.org/archive/samba/2014-May/181372.html is that winbind
doesn't support UPN names. I was hoping to work around it with NSLCD.
Here is my non-working smb.conf file for reference.
[global]
workgroup = VANGUARD
server string = sserve
passdb backend = ldapsam:ldap://kram.vanguard.mydomain.org
username map = /etc/samba/smbusers
syslog = 0
log file = /var/log/samba/%m
smb ports = 139 445
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
name cache timeout = 3600
max stat cache size = 16384
domain logons = Yes
preferred master = Auto
domain master = No
wins support = Yes
ldap idmap suffix = ou=Idmap
idmap config * : range = 10000-200000
ldapsam:trusted = yes
idmap config * : backend = ldap:ldap://kram.vanguard.mydomain.org
map acl inherit = Yes
[ALLSTUDENTS]
path = /home/ALLSTUDENTS
admin users = "@VANGUARD\domain admins"
read only = No
create mask = 0700
directory mask = 0700
delete readonly = Yes
I appreciate your help.
John