[Samba] (no subject)

Jonathon Reinhart jonathon.reinhart at gmail.com
Sun Mar 3 18:41:05 UTC 2019 

On Sun, Mar 3, 2019 at 5:14 AM Rowland Penny via samba
<samba at lists.samba.org> wrote:
[snip]
> > Correct me if I'm wrong, but winbind (on a Samba DC) can **only** use
> > "template homedir" and "template shell", and will not respect the RFC
> > 2307 attributes in LDAP. Is that correct?
>
> Yes and no ;-)
>
> If you use the 'rid' backend, you must use the template lines. If you
> use the 'ad' backend, then the RFC2307 attributes in AD will be used.

I'm asking about Winbindd on the DC itself, where, as I understand it,
there is no choice of idmap backend. The Samba Wiki [1] says:

> ... setting up an ID mapping back end, such as ad (RFC2307) or rid, in
> the smb.conf file is not supported an [sic] can cause the samba
> service to fail.
> On a Samba Active Directory DC, Winbindd always reads the user IDs
> (UID) and group IDs (GID) from the values set in the uidNumber and
> gidNumber attributes set in the AD objects.

That page goes on to say:

> On a Samba DC, only the winbind template mode is supported.

This doesn't seem to agree with what you've said; it strongly implies
that Winbindd, on a Samba DC, will never use the homeDirectory and
loginShell attributes. This mailing list post from 2015 [2] seems to
agree.

While we're on the topic, I've noticed that passing --use-rfc2307 to
`samba-tool domain provision` causes smb.conf to include this option:

    idmap_ldb:use rfc2307 = yes

That option is not documented in smb.conf [3].

Furthermore, this Samba Wiki page [4] says about that option:

> It is recommended not to use those mappings on the DCs. The default
> idmap ldb mechanism is fine for domain controllers and less error
> prone.

Which seems completely incorrect, given that the option was added during
AD provisioning.

I appreciate your help in clearing up some of this contradictory
information!

Jonathon


[1] https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC#Identity_Mapping_on_a_Samba_Domain_Controller
[2] https://lists.samba.org/archive/samba/2015-June/192072.html
[3] https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html
[4] https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD#RFC2307_on_AD_Domain_Controllers

More information about the samba mailing list