[Samba] (no subject)

Rowland Penny rpenny at samba.org
Sun Mar 3 19:35:53 UTC 2019

On Sun, 3 Mar 2019 13:41:05 -0500
Jonathon Reinhart <jonathon.reinhart at gmail.com> wrote:

> On Sun, Mar 3, 2019 at 5:14 AM Rowland Penny via samba
> <samba at lists.samba.org> wrote:
> [snip]
> > > Correct me if I'm wrong, but winbind (on a Samba DC) can **only**
> > > use "template homedir" and "template shell", and will not respect
> > > the RFC 2307 attributes in LDAP. Is that correct?
> >
> > Yes and no ;-)
> >
> > If you use the 'rid' backend, you must use the template lines. If
> > you use the 'ad' backend, then the RFC2307 attributes in AD will be
> > used.
> I'm asking about Winbindd on the DC itself, where, as I understand it,
> there is no choice of idmap backend. The Samba Wiki [1] says:

I must go to Specsavers :-(

Yes, totally correct, you have to use the 'template' lines
> > ... setting up an ID mapping back end, such as ad (RFC2307) or rid,
> > in the smb.conf file is not supported an [sic] can cause the samba
> > service to fail.
> > On a Samba Active Directory DC, Winbindd always reads the user IDs
> > (UID) and group IDs (GID) from the values set in the uidNumber and
> > gidNumber attributes set in the AD objects.
> That page goes on to say:
> > On a Samba DC, only the winbind template mode is supported.
> This doesn't seem to agree with what you've said; it strongly implies
> that Winbindd, on a Samba DC, will never use the homeDirectory and
> loginShell attributes. 

No, it doesn't, and the worst part is that I wrote a large part of
that ;-)

> This mailing list post from 2015 [2] seems to
> agree.
> While we're on the topic, I've noticed that passing --use-rfc2307 to
> `samba-tool domain provision` causes smb.conf to include this option:
>     idmap_ldb:use rfc2307 = yes
> That option is not documented in smb.conf [3].

No, it isn't, but it is required to use the RFC2307 attributes, and the
other strange thing is, it isn't added by default to any other DCs you
might add.

> Furthermore, this Samba Wiki page [4] says about that option:
> > It is recommended not to use those mappings on the DCs. The default
> > idmap ldb mechanism is fine for domain controllers and less error
> > prone.
> Which seems completely incorrect, given that the option was added
> during AD provisioning.

Well not doing something is always going to be less error prone ;-)
What it is saying is:
If you only use the DC for authentication, then the default idmap.ldb
is sufficient. The problems can start if you have any other Unix
machines and require the same numeric Unix IDs everywhere.

> I appreciate your help in clearing up some of this contradictory
> information!

I appreciate your feedback, it helps to make the wiki better.
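The point above, that an additional DC joined with samba-tool does not get the
`idmap_ldb:use rfc2307 = yes` line that provisioning adds, is the kind of thing
worth checking on every DC rather than remembering. The script below is an
added example, not code from the thread or from the Samba project: it writes a
constructed smb.conf (the sample settings, the DC2 name and the SAMDOM realm
are made up for the example), reports whether the [global] section already
sets the option, reads the template lines, and inserts the option directly
under [global] if it is missing. It assumes POSIX sh and awk, that the option
is written without spaces around the colon, and that [global] is not pulled in
through an include.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): check and, if
# needed, add "idmap_ldb:use rfc2307 = yes" to the [global] section of an
# smb.conf on a Samba AD DC.  Assumes POSIX sh/awk; file path is "$1".

# Constructed sample: a DC smb.conf with template lines but without the
# rfc2307 option, as a DC joined with "samba-tool domain join" looks.
write_sample() {
    cat > "$1" <<'EOF'
[global]
	netbios name = DC2
	realm = SAMDOM.EXAMPLE.COM
	workgroup = SAMDOM
	server role = active directory domain controller
	template shell = /bin/bash
	template homedir = /home/%U

[sysvol]
	path = /var/lib/samba/sysvol
	read only = No
EOF
}

# Exit 0 if [global] sets "idmap_ldb:use rfc2307 = yes", 1 otherwise.
# Only lines inside [global] count; the same text in another section
# would be ignored by smbd as well.
has_rfc2307() {
    awk '
        /^[[:space:]]*\[/ {
            in_global = ($0 ~ /^[[:space:]]*\[global\][[:space:]]*$/)
        }
        in_global && /^[[:space:]]*idmap_ldb:use rfc2307[[:space:]]*=[[:space:]]*yes[[:space:]]*$/ {
            found = 1
        }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# Print the value of a [global] parameter, e.g. "template shell".
# Assumption: exact, case-sensitive parameter name; synonyms not resolved.
global_param() {
    awk -v key="$2" '
        /^[[:space:]]*\[/ {
            in_global = ($0 ~ /^[[:space:]]*\[global\][[:space:]]*$/)
        }
        in_global && index($0, "=") {
            k = $0; sub(/=.*/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            if (k == key) {
                v = $0; sub(/^[^=]*=[[:space:]]*/, "", v)
                sub(/[[:space:]]+$/, "", v); print v
            }
        }
    ' "$1"
}

# Insert the option right after the [global] header unless already present.
# Idempotent: a second run leaves the file unchanged.
ensure_rfc2307() {
    has_rfc2307 "$1" && return 0
    tmp="$1.tmp.$$"
    awk '
        { print }
        /^[[:space:]]*\[global\][[:space:]]*$/ && !done {
            print "\tidmap_ldb:use rfc2307 = yes"; done = 1
        }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Stand-alone run: build the sample, show the gap, fix it, show the result.
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp)
    write_sample "$f"
    has_rfc2307 "$f" && echo "rfc2307 already set" || echo "rfc2307 missing"
    echo "template shell: $(global_param "$f" 'template shell')"
    ensure_rfc2307 "$f"
    has_rfc2307 "$f" && echo "rfc2307 now set"
    rm -f "$f"
fi
```

Run it as `sh check_rfc2307.sh --demo` to see it on the constructed file; on a
real DC, call `ensure_rfc2307 /etc/samba/smb.conf` and restart samba
afterwards. The matching is deliberately strict (no spaces around the colon,
lower case, [global] in the main file), so a config written differently shows
up as "missing" rather than being silently accepted; loosen the patterns if
your files use a different style.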