[Samba] winbind rfc2307 not being obeyed

Jeff Sadowski jeff.sadowski at gmail.com
Mon Oct 30 16:53:07 UTC 2017


I found what I needed to do:

DOMAIN=MIND.UNM.EDU
SHORT=MIND
authconfig --enablekrb5 --krb5kdc=${DOMAIN} \
  --krb5adminserver=${DOMAIN} --krb5realm=${DOMAIN} --enablewinbind \
  --enablewinbindauth --smbsecurity=ads --smbrealm=${DOMAIN} \
  --smbservers=${DOMAIN} --smbworkgroup=${SHORT} \
  --winbindtemplatehomedir=/na/homes/%U --winbindtemplateshell=/bin/bash \
  --enablemkhomedir --enablewinbindusedefaultdomain --update

This worked.

On Mon, Oct 30, 2017 at 10:11 AM, Rowland Penny via samba
<samba at lists.samba.org> wrote:
> On Mon, 30 Oct 2017 09:49:24 -0600
> Jeff Sadowski via samba <samba at lists.samba.org> wrote:
>
>> OS:fedora-26
>> SAMBA:4.6.8
>> [root@squints ~]# cat /etc/samba/smb.conf
>> [global]
>>    security = ads
>>    realm = MIND.UNM.EDU
>>    workgroup = MIND
>>    idmap config * : backend = tdb
>>    idmap config * : range = 2000-7999
>>    idmap config MIND:backend = ad
>>    idmap config MIND:schema_mode = rfc2307
>>    idmap config MIND:range = 8000-9999999
>>    winbind nss info = rfc2307
>>    winbind use default domain = yes
>>    # so that the users show up in getent
>>    winbind enum users = yes
>>    # so that the groups show up in getent
>>    winbind enum groups = yes
>>    restrict anonymous = 2
>>    # added the following 2 for the Badlock updates that change the defaults
>>    # to no longer work with my domain controllers
>>    ldap server require strong auth = no
>>    client ldap sasl wrapping = plain
>>
>> [root@squints ~]# getent passwd jsadowski
>> jsadowski:*:11490:8513::/home/MIND/jsadowski:/bin/false
>>
>> However, from an Ubuntu machine with the same smb.conf it looks like so:
>> OS:ubuntu-16.04
>> SAMBA:4.3.11
>> root@daddles:~# getent passwd jsadowski
>> jsadowski:*:11490:8000::/na/homes/jsadowski:/bin/bash
>>
>> which is how AD shows it as well.
>>
>> Did something change in newer versions of samba that I need to add
>> more config options?
>>
>
> Yes, there have been changes and no, you don't have to use them and
> they wouldn't cause your problem.
>
> Your smb.conf shows you are using the 'ad' backend and you say you are
> using the same smb.conf on both machines.
>
> So, why are these different:
>
> jsadowski:*:11490:8513::/home/MIND/jsadowski:/bin/false
> jsadowski:*:11490:8000::/na/homes/jsadowski:/bin/bash
>
> Which RFC2307 attributes have you added to AD?
> The above user seems to have the same uidNumber, but Domain Users
> seems to have two different gidNumbers (8513 and 8000), the
> unixHomeDirectory also has two identities, as does loginShell.
>
> Rowland
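
Added example, not part of the thread and not Samba project code: a shell check that names which passwd fields differ between the two getent lines quoted above and reports whether the home directory and shell equal the expanded smb.conf template values (Samba's built-in defaults are template homedir = /home/%D/%U and template shell = /bin/false). The function names are hypothetical; the sample lines are copied from the thread.

```shell
#!/bin/sh
# Sample input: the two getent lines quoted in the thread.
FEDORA='jsadowski:*:11490:8513::/home/MIND/jsadowski:/bin/false'
UBUNTU='jsadowski:*:11490:8000::/na/homes/jsadowski:/bin/bash'

# field LINE N: print the Nth colon-separated passwd field.
field() { printf '%s\n' "$1" | cut -d: -f"$2"; }

# diff_fields A B: names of the passwd fields that differ between A and B.
diff_fields() {
    out="" n=0
    for name in name passwd uid gid gecos home shell; do
        n=$((n + 1))
        [ "$(field "$1" "$n")" = "$(field "$2" "$n")" ] || out="$out $name"
    done
    printf '%s\n' "${out# }"
}

# expand_template TEMPLATE DOMAIN USER: substitute winbind's %D and %U.
expand_template() {
    printf '%s\n' "$1" | sed -e "s|%D|$2|g" -e "s|%U|$3|g"
}

# nss_source LINE DOMAIN [TEMPLATE_HOMEDIR] [TEMPLATE_SHELL]
# Reports whether home and shell equal the smb.conf template values
# ("template") or something else ("other", e.g. unixHomeDirectory/loginShell).
# The defaults are Samba's built-in "template homedir" and "template shell".
nss_source() {
    want_home=$(expand_template "${3:-/home/%D/%U}" "$2" "$(field "$1" 1)")
    want_shell=${4:-/bin/false}
    h=other s=other
    [ "$(field "$1" 6)" = "$want_home" ] && h=template
    [ "$(field "$1" 7)" = "$want_shell" ] && s=template
    printf 'home=%s shell=%s\n' "$h" "$s"
}

diff_fields "$FEDORA" "$UBUNTU"                    # gid home shell
nss_source "$FEDORA" MIND                          # built-in template defaults
nss_source "$UBUNTU" MIND                          # built-in template defaults
nss_source "$UBUNTU" MIND /na/homes/%U /bin/bash   # templates from the authconfig call
```

A result of home=template shell=template means the values match the smb.conf templates, so on their own they do not show that unixHomeDirectory and loginShell were read from AD.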


