[Samba] [samba] Member server winbind issue

mathias dufresne infractory at gmail.com
Sun Jul 23 12:13:52 UTC 2017 

2017-07-23 13:47 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:

> On Sun, 23 Jul 2017 13:33:05 +0200
> mathias dufresne <infractory at gmail.com> wrote:
>
>
> > Samba is 4.5.8+dfsg-2+deb9u1+b1 (it's a debian).
>
> Then you need to use the 'old' way of setting up 'idmap config'
>
>        winbind nss info = rfc2307
>
 winbind nss info = rfc2307

>        idmap config * : backend = tdb
>
 idmap config * : backend = tdb

>        idmap config * : range = 3000-7999
>
 idmap config * : range = 3000-7999

>        idmap config SAMDOM : backend = ad
>
 idmap config AD:backend = ad

>        idmap config SAMDOM : schema_mode = rfc2307
>
 idmap config AD:schema_mode = rfc2307

>        idmap config SAMDOM : range = 10000-999999
>
 idmap config AD:range = 8000-99999999

I see two differences: ranges and spaces around ":" but I don't expect
these spaces are mandatory.

>
> You can change the ranges if required, but all normal users and groups
> MUST have a uidNumber or gidNumber attribute containing a number inside
> the DOMAIN range you choose.
>

Both group and user have uidNumber and gidNumber declared in AD, inside the
range defined by "idmap config AD:range = 8000-99999999"


>
> You MUST also give 'Domain Users' a gidNumber inside the same range.
>

dc02:~# ldbsearch -H $sam cn="domain users" dn objectclass gidNumber
# record 1
dn: CN=Domain Users,CN=Users,DC=ad,DC=domain,DC=tld
objectClass: top
objectClass: group
gidNumber: 20000002

So, here again, it seems to to be OK.

And I'm still completely puzzled.

DC are 4.6.5, I'll try to upgrade Samba client to some 4.6 too. I don't
really expect this to change anything.

DC were provisioned without RFC2307. I set it up yesterday using
https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD#Verifying_the_Domain_Controller_and_Active_Directory_Setup
So I've added the following line in DCs smb.conf:
idmap_ldb:use rfc2307 = yes

after I followed "Installing the NIS Extensions" paragraph (with mainly
copy/paste).

After these changes by DC side I was able to manage Unix attributes with
ADUC from some Windows client, which seems to mean the changes were correct.


>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

More information about the samba mailing list