[Samba] winbind rfc2307 not being obeyed

Rowland Penny rpenny at samba.org
Mon Oct 30 16:11:22 UTC 2017


On Mon, 30 Oct 2017 09:49:24 -0600
Jeff Sadowski via samba <samba at lists.samba.org> wrote:

> OS:fedora-26
> SAMBA:4.6.8
> [root@squints ~]# cat /etc/samba/smb.conf
> [global]
>    security = ads
>    realm = MIND.UNM.EDU
>    workgroup = MIND
>    idmap config * : backend = tdb
>    idmap config * : range = 2000-7999
>    idmap config MIND:backend = ad
>    idmap config MIND:schema_mode = rfc2307
>    idmap config MIND:range = 8000-9999999
>    winbind nss info = rfc2307
>    winbind use default domain = yes
>    # so that the users show up in getent
>    winbind enum users = yes
>    # so that the groups show up in getent
>    winbind enum groups = yes
>    restrict anonymous = 2
>    #added the following 2 for the Badlock updates that change the defaults
>    #to no longer work with my domain controllers
>    ldap server require strong auth = no
>    client ldap sasl wrapping = plain
> 
> [root@squints ~]# getent passwd jsadowski
> jsadowski:*:11490:8513::/home/MIND/jsadowski:/bin/false
> 
> however from an ubuntu machine with the same smb.conf it looks like so
> OS:ubuntu-16.04
> SAMBA:4.3.11
> root@daddles:~# getent passwd jsadowski
> jsadowski:*:11490:8000::/na/homes/jsadowski:/bin/bash
> 
> which is how AD shows it as well.
> 
> Did something change in newer versions of samba that I need to add
> more config options?
> 

Yes, there have been changes and no, you don't have to use them and
they wouldn't cause your problem.

Your smb.conf shows you are using the 'ad' backend and you say you are
using the same smb.conf on both machines.

So, why are these different:

jsadowski:*:11490:8513::/home/MIND/jsadowski:/bin/false
jsadowski:*:11490:8000::/na/homes/jsadowski:/bin/bash

Which RFC2307 attributes have you added to AD?
The above user seems to have the same uidNumber, but Domain Users
seems to have two different gidNumbers (8513 and 8000), the
unixHomeDirectory also has two identities, as does loginShell.

Rowland
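
The field-by-field comparison made in the reply above, as an added example that is not part of the original message: it diffs the two `getent passwd` lines, names the RFC2307 attribute the thread associates with each differing field, and checks the uid/gid values against the `idmap config MIND:range` from the posted smb.conf. The function names are hypothetical; the inputs are copied from the thread.

```python
import re

# passwd(5) fields in order, paired with the RFC2307 attribute named in the
# thread for that field (None where the thread names no attribute).
FIELDS = [("name", None), ("passwd", None), ("uid", "uidNumber"),
          ("gid", "gidNumber"), ("gecos", None),
          ("home", "unixHomeDirectory"), ("shell", "loginShell")]

RANGE_RE = re.compile(
    r"^\s*idmap config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I | re.M)

def idmap_ranges(smb_conf):
    """Map each 'idmap config DOM : range = low-high' line to (low, high)."""
    return {m[1]: (int(m[2]), int(m[3])) for m in RANGE_RE.finditer(smb_conf)}

def parse_passwd(line):
    parts = line.strip().split(":")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    return dict(zip([name for name, _ in FIELDS], parts))

def compare(line_a, line_b, id_range):
    """Return (differing fields, ids outside id_range) for two passwd entries."""
    a, b = parse_passwd(line_a), parse_passwd(line_b)
    diffs = [(f, attr, a[f], b[f]) for f, attr in FIELDS if a[f] != b[f]]
    low, high = id_range
    outside = [(f, int(e[f])) for e in (a, b) for f in ("uid", "gid")
               if not low <= int(e[f]) <= high]
    return diffs, outside

# Inputs copied from the thread above.
SMB_CONF = """
   idmap config * : backend = tdb
   idmap config * : range = 2000-7999
   idmap config MIND:backend = ad
   idmap config MIND:schema_mode = rfc2307
   idmap config MIND:range = 8000-9999999
"""
FEDORA = "jsadowski:*:11490:8513::/home/MIND/jsadowski:/bin/false"
UBUNTU = "jsadowski:*:11490:8000::/na/homes/jsadowski:/bin/bash"

if __name__ == "__main__":
    diffs, outside = compare(FEDORA, UBUNTU, idmap_ranges(SMB_CONF)["MIND"])
    for field, attr, fedora, ubuntu in diffs:
        print(f"{field:6} ({attr}): fedora={fedora!r} ubuntu={ubuntu!r}")
    print("ids outside the MIND range:", outside or "none")
```

Both gid values fall inside the configured MIND range, so the range setting alone does not separate the two results.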


