[Samba] Winbind doesn't honor rfc2307 data set in AD (Samba 4.3.6 on Debian jessie)

Simone Rossetto simros85 at gmail.com
Thu Mar 24 09:37:43 UTC 2016

Hi all, I've just installed Samba 4.3.6 on Debian jessie amd64 (as
described in the wiki [1]) and everything seems to work properly
except for the rfc2307 data, which winbind doesn't retrieve from the AD
backend: the shell is always "/bin/false", the homedir is always
"/home/DOMAIN/username", and "getent passwd" also lists users without
unix attributes.
I have configured idmap_ad as described here [2] with rfc2307.

Here is my configuration:

# cat /etc/samba/smb.conf
  log level = 5
  workgroup = VBOX
  realm = VBOX.LOCAL
  netbios name = ARTURO
  interfaces = lo eth1
  bind interfaces only = Yes
  server role = active directory domain controller
  idmap_ldb:use rfc2307 = yes

  allow dns updates = nonsecure
  dns forwarder =

  idmap config *:backend = tdb
  idmap config *:range = 2000-9999

  idmap config VBOX:backend = ad
  idmap config VBOX:schema_mode = rfc2307
  idmap config VBOX:range = 10000-99999

  winbind nss info = rfc2307
  winbind trusted domains only = no
  winbind use default domain = yes
  winbind enum users = yes
  winbind enum groups = yes

# cat /etc/nsswitch.conf
passwd:         compat winbind
group:          compat winbind

# getent passwd
VBOX\simone:*:10000:100:Simone Rossetto:/home/VBOX/simone:/bin/false

# getent group
VBOX\domain admins:x:3000008:
VBOX\domain users:x:100:
VBOX\domain guests:x:3000012:

The user VBOX\dhcp has no unix attributes set but is still listed
with a uid number outside the "valid" range:

# ldbsearch -H /var/lib/samba/private/sam.ldb cn=dhcp
dn: CN=dhcp,CN=Users,DC=vbox,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: dhcp
description: Unprivileged user for DNS updates via DHCP server
instanceType: 4
whenCreated: 20160322092859.0Z
uSNCreated: 3788
name: dhcp
objectGUID: f3db65e5-324e-4a7b-b2a7-0680cc15ea03
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid: S-1-5-21-1467633039-1902955928-3249331824-1104
logonCount: 0
sAMAccountName: dhcp
sAMAccountType: 805306368
userPrincipalName: dhcp at vbox.local
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=vbox,DC=local
pwdLastSet: 131031125390000000
userAccountControl: 66048
accountExpires: 0
whenChanged: 20160322092935.0Z
uSNChanged: 3791
memberOf: CN=DnsAdmins,CN=Users,DC=vbox,DC=local
distinguishedName: CN=dhcp,CN=Users,DC=vbox,DC=local

While the user VBOX\simone has both a shell and a homedir set, they are not retrieved:

# ldbsearch -H /var/lib/samba/private/sam.ldb cn=simone
dn: CN=simone,CN=Users,DC=vbox,DC=local
cn: simone
sn: Rossetto
givenName: Simone
uidNumber: 10000
gecos: Simone Rossetto,,,
objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: user
msSFU30NisDomain: vbox
msSFU30Name: simone
unixUserPassword: ABCD!efgh12345$67890
uid: simone
lockoutTime: 0
loginShell: /bin/bash
gidNumber: 100
unixHomeDirectory: /home/simone

What have I misconfigured?

Thanks, bye

[1] https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller
[2] https://wiki.samba.org/index.php/Idmap_config_ad
[3] https://lists.samba.org/archive/samba/2015-December/196378.html
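As an added example (not part of Simone's post and not Samba's own code), the script below audits the data shown above the way an administrator would before opening a ticket: it parses the "idmap config ...:range" lines from the smb.conf fragment, parses the ldbsearch output as minimal LDIF, and then reports, per account, which rfc2307 attributes (uidNumber, gidNumber, loginShell, unixHomeDirectory) are missing, whether the uidNumber lies inside any configured range, and where what NSS actually returns (getent) disagrees with what AD holds. The smb.conf fragment, the LDIF and the getent lines embedded in the block are constructed from the values in the post; the check logic and function names are this example's own.

```python
"""Audit rfc2307 data from ldbsearch against idmap ranges in smb.conf.

Constructed example: the config fragment, LDIF and getent lines below are
abbreviated from the mailing-list post; the checks are this example's own.
"""
import re

SMB_CONF = """
  idmap config *:backend = tdb
  idmap config *:range = 2000-9999
  idmap config VBOX:backend = ad
  idmap config VBOX:schema_mode = rfc2307
  idmap config VBOX:range = 10000-99999
  winbind nss info = rfc2307
"""

# Two entries as printed by ldbsearch, reduced to the attributes that matter.
LDIF_DUMP = """dn: CN=dhcp,CN=Users,DC=vbox,DC=local
objectClass: top
objectClass: user
sAMAccountName: dhcp
primaryGroupID: 513

dn: CN=simone,CN=Users,DC=vbox,DC=local
objectClass: top
objectClass: posixAccount
objectClass: user
sAMAccountName: simone
uidNumber: 10000
gidNumber: 100
loginShell: /bin/bash
unixHomeDirectory: /home/simone
"""

# What NSS returned on the DC (constructed subset of the getent output).
GETENT_PASSWD = ["VBOX\\simone:*:10000:100:Simone Rossetto:/home/VBOX/simone:/bin/false"]
GETENT_GROUP = ["VBOX\\domain admins:x:3000008:", "VBOX\\domain users:x:100:"]

RFC2307_USER_ATTRS = ("uidNumber", "gidNumber", "loginShell", "unixHomeDirectory")


def parse_idmap_ranges(conf):
    """Return {domain: (low, high)} for every 'idmap config DOM:range' line."""
    ranges = {}
    for m in re.finditer(r"idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", conf):
        ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges


def parse_ldif(text):
    """Parse a minimal LDIF dump into a list of dicts; every attribute is a list."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():              # blank line terminates an entry
            if cur:
                entries.append(cur)
                cur = {}
            continue
        key, _, val = line.partition(": ")
        cur.setdefault(key, []).append(val)
    if cur:
        entries.append(cur)
    return entries


def in_any_range(xid, ranges):
    return any(lo <= xid <= hi for lo, hi in ranges.values())


def audit_entries(ldif_text, conf):
    """Per account: missing rfc2307 attributes and whether uidNumber is in a range."""
    ranges = parse_idmap_ranges(conf)
    report = {}
    for e in parse_ldif(ldif_text):
        name = e["sAMAccountName"][0]
        uid = int(e["uidNumber"][0]) if "uidNumber" in e else None
        report[name] = {
            "posixAccount": "posixAccount" in e.get("objectClass", []),
            "missing": [a for a in RFC2307_USER_ATTRS if a not in e],
            "uidNumber": uid,
            "uid_in_range": in_any_range(uid, ranges) if uid is not None else None,
        }
    return report


def audit_getent(passwd_lines, group_lines, ldif_text, conf):
    """Flag shell/home values NSS returns that differ from AD, and ids in no range."""
    ranges = parse_idmap_ranges(conf)
    ad = {e["sAMAccountName"][0]: e for e in parse_ldif(ldif_text)}
    findings = []
    for line in passwd_lines:
        name, _, uid, _gid, _, home, shell = line.split(":")
        user = name.split("\\", 1)[-1]      # strip the DOMAIN\ prefix
        entry = ad.get(user, {})
        if entry.get("loginShell", [shell])[0] != shell:
            findings.append(f"{user}: shell {shell} != AD loginShell {entry['loginShell'][0]}")
        if entry.get("unixHomeDirectory", [home])[0] != home:
            findings.append(f"{user}: home {home} != AD unixHomeDirectory {entry['unixHomeDirectory'][0]}")
        if not in_any_range(int(uid), ranges):
            findings.append(f"{user}: uid {uid} outside every idmap range")
    for line in group_lines:
        name, _, gid, _ = line.split(":")
        if not in_any_range(int(gid), ranges):
            findings.append(f"{name}: gid {gid} outside every idmap range")
    return findings


if __name__ == "__main__":
    for user, info in audit_entries(LDIF_DUMP, SMB_CONF).items():
        print(user, info)
    for f in audit_getent(GETENT_PASSWD, GETENT_GROUP, LDIF_DUMP, SMB_CONF):
        print("FINDING:", f)
```

Run against the post's data, the audit separates the two symptoms: the dhcp account simply has no posixAccount attributes (so any id it gets comes from an allocator, not from AD), while simone has a complete rfc2307 set with uidNumber 10000 inside the VBOX range, yet NSS returns the template shell and homedir instead of loginShell and unixHomeDirectory. It also flags that 3000008 for "domain admins" lies outside every range in smb.conf.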
