[Samba] Samba 4, winbind and Active Directory integration Microsoft Windows Services for UNIX

Rowland Penny rowlandpenny at googlemail.com
Fri Feb 27 07:17:22 MST 2015


On 27/02/15 14:04, Markert, Martin wrote:
> Hi,
> I've successfully configured idmap_rid to read id mappings from our AD servers:
>
>          winbind enum users = Yes
>          winbind enum groups = Yes
>          winbind use default domain = Yes
>          winbind nested groups = Yes
>          winbind separator = +
>          winbind offline logon = false
>          idmap config *:backend = rid
>          idmap config *:range = 50000-99999
>          idmap config *:schema_mode = rfc2307
>
> But when I configure idmap_ad I'm not able to get the uidNumber and gidNumber from the AD servers:
>
>          winbind enum users = Yes
>          winbind enum groups = Yes
>          winbind use default domain = Yes
>          winbind nested groups = Yes
>          winbind separator = +
>          winbind offline logon = false
>          idmap config ARRI:backend = ad
>          idmap config ARRI:range = 1000-999999
>          idmap config ARRI:schema_mode = rfc2307
>
> [root@supermdc ~]# id schafha
> uid=4294967295 gid=4294967295 groups=4294967295
>
> This user "schafha" actually has a uidNumber 10000 and gidNumber 10000. Changing "idmap config ARRI" to "idmap config *" does not help:
>
> [root@supermdc ~]# id schafha
> id: markert1: No such user
>
> Setup:
> AD: Windows Server 2008 RC2 with Windows Services for UNIX
> AD member: CentOS 6.6, sernet-samba-4.1.14-9
>
> Please note: not all users and groups listed in AD have got a uidNumber and gidNumber. Is this a problem?
>
> Kind regards,
> Martin
>
>
> Martin Markert
> Systems Integrator
>   
>
> Tuerkenstr. 89, 80799 München / Germany
> Phone +49 89 3809-1848
>
> EMail MMarkert at arri.de
>
> ARRI Film & TV Services GmbH
> Registered office: München - Court of registration: Amtsgericht München
> Commercial register number: HRB 69396
> Managing directors: Franz Kraus; Dr. Jörg Pohlman; Josef Reidinger

OK, try this:

    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    idmap config ARRI : backend = ad
    idmap config ARRI : schema_mode = rfc2307
    idmap config ARRI : range = 10000-99999

Also, are you using sssd on the AD member?

Rowland
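
An added example, not part of the original thread and not Samba tooling: a small Python check for the properties that distinguish the suggested settings from the posted ones (a default `*` domain, ranges that do not overlap, and the user's uidNumber lying inside the domain range). The function names are hypothetical; the two inputs are the `idmap config` lines quoted in the thread.

```python
import re

# Matches "idmap config DOMAIN : option = value", with or without spaces around ':'
LINE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*([^=]+?)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(text):
    """Return {domain: {option: value}} for every idmap config line in text."""
    domains = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            dom, opt, val = m.groups()
            domains.setdefault(dom, {})[opt.lower()] = val
    return domains

def check(text, uid=None, domain=None):
    """Return a list of findings; uid/domain optionally test one uidNumber."""
    doms, findings, ranges = parse_idmap(text), [], {}
    for dom, opts in doms.items():
        if "range" in opts:
            lo, hi = (int(x) for x in opts["range"].split("-"))
            ranges[dom] = (lo, hi)
    if "*" not in doms:
        findings.append("no default '*' domain configured")
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            # Two closed intervals overlap when each starts before the other ends
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"ranges of {a} and {b} overlap")
    if uid is not None and domain in ranges:
        lo, hi = ranges[domain]
        if not lo <= uid <= hi:
            findings.append(f"uidNumber {uid} is outside the {domain} range")
    return findings

# idmap lines from the question (idmap_ad attempt) and from the reply
ORIGINAL = """
idmap config ARRI:backend = ad
idmap config ARRI:range = 1000-999999
idmap config ARRI:schema_mode = rfc2307
"""
SUGGESTED = """
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config ARRI : backend = ad
idmap config ARRI : schema_mode = rfc2307
idmap config ARRI : range = 10000-99999
"""

if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        print(name, check(conf, uid=10000, domain="ARRI"))
```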

