[Samba] NSLCD works, do I need RFC2307 extensions enabled in AD as well?

john lists.john at gmail.com
Tue Apr 21 17:19:59 MDT 2015

On Tue, Apr 21, 2015 at 12:06 PM, Rowland Penny
<rowlandpenny at googlemail.com> wrote:

>> Here's my smb.conf file
>> [global]
>>    workgroup = VANGUARD
>>    security = ADS
>>    dedicated keytab file = /etc/krb5.keytab
>>    kerberos method = secrets and keytab
>>    idmap config *:backend = tdb
>>    idmap config *:range = 2000-9999
>>    idmap config VANGUARD:backend = ad
>>    idmap config VANGUARD:schema_mode = rfc2307
>>    idmap config VANGUARD:range = 10000-99999

> 'uidNumber' attribute containing a number that is inside the range you set
> for the domain in smb.conf. If this number is not there, or it is either too
> small or too large, the user will be ignored as a domain user and the other
> range will be used. It sounds like you need to check just what 'uidNumbers'
> you have in smb.conf, either that or you need to use the 'rid' backend, see
> the member server page on the wiki:

Hello Rowland,

You can see the extract from my smb.conf file above, it's basically
the one on the page you recommended:

In AD the user flyboy has the following Unix Attributes:
NIS Domain: vanguard
UID: 10000
login shell: /bin/sh
Home Directory: /home/flyboy
Primary Group name/GID: Domain Users

However I now realize that using the idmap = AD method breaks logins
for ssh users logging in with the UPN name, even though it appears to
work for clients using smbclient. E.g. when nsswitch uses winbind upn
names are not supported for ssh

E.g. ssh flyboy at mydomain.org@debian-tester

doesn't work

but smbclient \\\\debian-tester\ALLSTUDENTS -Uflyboy at mydomain.org works

My Goal: I need clients to be able to reach linux shares via SSH and
SMB using UPN names. These users need to have consistent UID/GID
mappings. NSLCD appears to give me UID/GID info from AD and allows
logon via UPN over ssh, but I don't know how to make Samba/winbind map
UID/GID's against the info returned by NSLCD/AD. The configuration
method outlined at
appears to break logons via ssh for UPN names.

So here's a refactoring of my orignal question:  can winbind reference
UID/GID information returned by NSLCD from AD? If so how? If not what
is the purpose of this page

Thanks for sticking with me!


More information about the samba mailing list