[Samba] [samba] Member server winbind issue

Rowland Penny rpenny at samba.org
Sun Jul 23 13:42:41 UTC 2017


On Sun, 23 Jul 2017 14:13:52 +0200
mathias dufresne <infractory at gmail.com> wrote:

>  winbind nss info = rfc2307
>  idmap config * : backend = tdb
>  idmap config * : range = 3000-7999
>  idmap config AD:backend = ad
>  idmap config AD:schema_mode = rfc2307
>  idmap config AD:range = 8000-99999999
> 
> I see two differences: ranges and spaces around ":" but I don't expect
> these spaces are mandatory.

No, not mandatory, just easier to read and Samba will ignore the spaces.

> Both group and user have uidNumber and gidNumber declared in AD,
> inside the range defined by "idmap config AD:range = 8000-99999999"
> dc02:~# ldbsearch -H $sam cn="domain users" dn objectclass gidNumber
> # record 1
> dn: CN=Domain Users,CN=Users,DC=ad,DC=domain,DC=tld
> objectClass: top
> objectClass: group
> gidNumber: 20000002
> 
> So, here again, it seems to be OK.

Everything looks okay.

> 
> And I'm still completely puzzled.

Just a thought, does the libnss_winbind package match the rest of the
Samba packages?

> 
> DC are 4.6.5, I'll try to upgrade Samba client to some 4.6 too. I
> don't really expect this to change anything.

You will then need to use the 'new' idmap config settings.

> 
> DC were provisioned without RFC2307. I set it up yesterday using
> https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD#Verifying_the_Domain_Controller_and_Active_Directory_Setup
> So I've added the following line in DCs smb.conf:
> idmap_ldb:use rfc2307 = yes
> 
> after I followed "Installing the NIS Extensions" paragraph (with
> mainly copy/paste).
> 
> After these changes by DC side I was able to manage Unix attributes
> with ADUC from some Windows client, which seems to mean the changes
> were correct.

If everything is correct, then it should work, what does running
'pam-auth-update' show?

Rowland
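
The range check discussed in this message, as an added example that is not part of the original thread and is not Samba code: it parses the quoted `idmap config` lines (sample input copied from the message), reports overlapping ranges, and tells which domain's range a given uidNumber/gidNumber falls into. The regex is an assumption that only models the statement above that spaces around ":" are ignored; it is not Samba's own parser.

```python
import re

# Sample input: the idmap lines quoted in the message above.
SMB_CONF = """\
winbind nss info = rfc2307
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config AD:backend = ad
idmap config AD:schema_mode = rfc2307
idmap config AD:range = 8000-99999999
"""

# Assumption: "idmap config DOMAIN:option = value", optional spaces around ':'.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+?)\s*:\s*([\w ]+?)\s*=\s*(.*?)\s*$", re.I)

def parse_idmap(text):
    """Return {domain: {option: value}} for every idmap config line."""
    domains = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            domains.setdefault(dom.upper(), {})[opt.strip().lower()] = val
    return domains

def id_ranges(domains):
    """Return {domain: (low, high)} for domains that define a range."""
    out = {}
    for dom, opts in domains.items():
        if "range" in opts:
            lo, hi = (int(x) for x in opts["range"].split("-"))
            out[dom] = (lo, hi)
    return out

def overlaps(ranges):
    """Return pairs of domains whose ID ranges intersect."""
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]

def owning_domains(ranges, unix_id):
    """Return the domains whose range contains unix_id (empty = unmapped)."""
    return [d for d, (lo, hi) in ranges.items() if lo <= unix_id <= hi]

if __name__ == "__main__":
    r = id_ranges(parse_idmap(SMB_CONF))
    print("ranges:", r, "overlaps:", overlaps(r))
    print("gidNumber 20000002 ->", owning_domains(r, 20000002))
```

An ID that lands in no range, or in the `*` range instead of the AD one, points at the configuration rather than at the directory attributes.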


