[Samba] [samba] How to configure Winbind to use uidNumber and gidNumber
rowlandpenny241155 at gmail.com
Wed Nov 11 08:11:39 UTC 2015
On 11/11/15 06:52, Michael Adam wrote:
> On 2015-11-10 at 13:57 +0000, Rowland Penny wrote:
>> On 10/11/15 13:42, mathias dufresne wrote:
>>> Thank you for this quick answer Louis.
>>> On DC:
>>> On DC I had to add one line to have winbind retrieving uidNumber AD field
>>> rather than having Winbind choosing some random UID for my users.
>>> This line is:
>>> idmap_ldb:use rfc2307 = yes
>>> as explained in https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD
>>> That's a start.
>>> Unfortunately winbind is still giving my users GID number set to 100, which
>>> is "Domain Users" group, when my users have gidNumber attribute set.
>> unfortunately the contents of the 'gidNumber' attribute is not used for the
>> users GID, you need to give 'Domain Users' a gidNumber and this is what will
>> be used.
> That is not unfortunate, but the right thing to do (imho),
> because the domain users group (or whatever the primary AD
> level group is for the user) is what will appear in the access
> token when the user accesses a file server.
Well, it is unfortunate if you expected it to be used, but yes it is the
right thing to do.
> We can think about making the use of the gidNumber attribute
> a configurable option (at least for the start in the domain
> member case with idmap_ad). But again, the right thing to do
> is use the SID-level primary group for primary gid of the unix
You don't actually need the gidNumber, every user's primary group is
'Domain Users', you can change this, but it is slightly complicated and
it breaks things on Windows.
>>> Same for shell, in AD loginShell is defined to /bin/bash for all my UNIX
>>> users and winbind gives /bin/false on DC. Perhaps that's what is expected
>>> by that tool but I still found that behaviour very confusing.
>>> Please note I know there is a "template shell" option in smb.conf.
>>> Unfortunately this option is, I think, to set all shells equal to that
>>> template, for all users. That's not what we need. If some user in AD wants
>>> to use CSH, this user must have a shell set to /bin/csh (or wherever it is
>>> installed), if some user has to be set to /bin/false, it must be. And for
>>> most of our users they would receive /bin/bash because it is what we
>>> configure in loginShell by default.
>> You can only use the 'template' lines on the DC, if you need to have
>> different home dirs or shells, use a member server.
> As discussed elsewhere, we should add the feature to use the AD
> attributes (configurably). Someone has to find the time to
> implement the changes.
I think this really needs to be given a bit more priority than it has in
the past; get this working and you get a good replacement for the now
defunct SBS server.
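As an added illustration (not part of this thread and not Samba's own code), the following Python script models the resolution rules the messages above describe for winbind on an AD DC: with `idmap_ldb:use rfc2307 = yes` the UID comes from the user's own `uidNumber`, the GID comes from the `gidNumber` of the user's primary group ('Domain Users', not the user's own `gidNumber`), and shell and home directory come from the `template shell` / `template homedir` lines rather than from `loginShell`. It then compares a `getent passwd` line with what the model predicts, so a mismatch points at a missing setting rather than at a surprise in the rules. The user, group, workgroup name and the `getent` lines are constructed sample data; the `/bin/false` and `/home/%D/%U` defaults are Samba's documented defaults for the template options and are assumptions of this script, not something the thread states.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class AdUser:
    """RFC2307 attributes as stored on the AD user object (constructed sample)."""
    sam: str
    uid_number: Optional[int]
    gid_number: Optional[int]        # stored in AD but NOT used by the DC
    login_shell: Optional[str]       # stored in AD but NOT used by the DC
    primary_group: str = "Domain Users"


@dataclass
class SmbConf:
    """The smb.conf settings that decide the DC's answer."""
    use_rfc2307: bool = False                 # idmap_ldb:use rfc2307 = yes/no
    template_shell: str = "/bin/false"        # Samba default (assumed here)
    template_homedir: str = "/home/%D/%U"     # Samba default (assumed here)
    workgroup: str = "EXAMPLE"                # constructed NetBIOS domain name
    group_gid: Dict[str, int] = field(default_factory=dict)  # gidNumber per group


Entry = Tuple[str, int, int, str, str]  # name, uid, gid, home, shell


def expected_passwd_entry(user: AdUser, conf: SmbConf) -> Tuple[Optional[Entry], str]:
    """Predict the passwd entry a DC's winbind produces, or (None, reason)
    when the IDs would be allocated instead of taken from RFC2307 attributes."""
    if not conf.use_rfc2307:
        return None, "idmap_ldb:use rfc2307 is not set: the DC allocates an arbitrary UID/GID"
    if user.uid_number is None:
        return None, f"{user.sam} has no uidNumber: the DC allocates an arbitrary UID"
    gid = conf.group_gid.get(user.primary_group)
    if gid is None:
        return None, (f"primary group '{user.primary_group}' has no gidNumber: "
                      f"set one; the user's own gidNumber is ignored")
    # %D expands to the domain name, %U to the user name (Samba substitution rules)
    home = conf.template_homedir.replace("%D", conf.workgroup).replace("%U", user.sam)
    return (user.sam, user.uid_number, gid, home, conf.template_shell), "ok"


def parse_getent(line: str) -> Entry:
    """Parse one 'getent passwd' line: name:pw:uid:gid:gecos:home:shell."""
    name, _pw, uid, gid, _gecos, home, shell = line.rstrip("\n").split(":")
    return name, int(uid), int(gid), home, shell


def compare(getent_line: str, user: AdUser, conf: SmbConf) -> List[str]:
    """Return a list of findings; empty means winbind's answer matches the model."""
    expected, reason = expected_passwd_entry(user, conf)
    if expected is None:
        return [reason]
    actual = parse_getent(getent_line)
    labels = ("name", "uid", "gid", "home", "shell")
    findings = [f"{label}: winbind returned {a!r}, model predicts {e!r}"
                for label, a, e in zip(labels, actual, expected) if a != e]
    # The classic surprise from the thread: expecting the user's own gidNumber.
    if actual[2] != expected[2] and actual[2] == user.gid_number:
        findings.append("gid equals the user's gidNumber; on a DC only the primary "
                        "group's gidNumber is used")
    return findings


if __name__ == "__main__":
    # Constructed sample: user has all three attributes set, Domain Users has gid 100.
    conf = SmbConf(use_rfc2307=True, group_gid={"Domain Users": 100})
    alice = AdUser("alice", uid_number=10001, gid_number=10005, login_shell="/bin/bash")
    print(expected_passwd_entry(alice, conf))
    # What the thread's poster saw: uid from AD, gid 100, shell /bin/false.
    print(compare("alice:*:10001:100::/home/EXAMPLE/alice:/bin/false", alice, conf))
    # Without the idmap_ldb line the IDs are allocated and cannot be predicted.
    print(compare("alice:*:3000021:100::/home/EXAMPLE/alice:/bin/false", alice, SmbConf()))
```

Feed the script a real `getent passwd <user>` line from the DC together with the values you set in AD and smb.conf; an empty list confirms the DC is behaving as described, and each finding names the setting (`idmap_ldb:use rfc2307`, the group's `gidNumber`, or the template lines) to look at next. For per-user shells and home directories the thread's answer still applies: use a domain member, not the DC.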