[Samba] unix_primary_group and unix_nss_info for rfc2307 idmap backend

Sebastian Lisic lisic at uw.edu
Fri Dec 20 04:00:39 UTC 2019


To clarify, these two domains are part of the same forest and authentication works between them.

-----Original Message-----

POSIX attributes are working wonderfully for us within a single domain. The problem is when logging into a Linux machine that is part of domain B with an account from domain A. 

Replicating the attributes into the global catalog should allow them to be accessible from domain B, but when I try setting uidNumber, unixHomeDirectory, gidNumber, and loginShell to "replicate this attribute to the Global Catalog" in the Active Directory Schema plugin I get this error "Could not change whether this attribute should be replicated to the global catalog servers".

This is on a Samba AD, so could this be done another way without a Microsoft utility?

-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Christof Schmitt via samba
Sent: Thursday, December 19, 2019 3:26 PM
To: Rowland penny <rpenny at samba.org>
Cc: sambalist <samba at lists.samba.org>
Subject: Re: [Samba] unix_primary_group and unix_nss_info for rfc2307 idmap backend

On Thu, Dec 19, 2019 at 10:19:28PM +0000, Rowland penny via samba wrote:
> On 19/12/2019 21:46, Sebastian Lisic wrote:
> >Thanks for the quick reply, Rowland!
> >
> >The problem I have is that the clients of each domain do not have access to the other domain's DC. Only the DCs of each domain can talk to one another. With Microsoft no longer allowing POSIX attributes to be replicated in the global catalog, I can't think of a way besides an LDAP proxy to pass along this information.
> >
> As far as I am aware, Microsoft still allows POSIX attributes, they 
> are part of the standard schema, they stopped IDMU, which removed the 
> Unix attributes tab. You just have to maintain the rfc2307 attributes 
> in another way, which you must be doing, because you want to use them.

FYI,

https://blogs.technet.microsoft.com/activedirectoryua/2016/02/09/identity-management-for-unix-idmu-is-deprecated-in-windows-server/
is a useful blog post about the RFC2307 attributes.

Christof
