[Samba] rfc2307 attributes on a samba ad-dc
Michael Tokarev
mjt at tls.msk.ru
Sat Nov 19 09:54:32 UTC 2022
19.11.2022 12:44, Zombie Ryushu via samba wrote:
> On 11/19/22 04:40, Michael Tokarev via samba wrote:
>> Hi!
>>
>> How does one enable RFC2307 attributes for users on a Samba AD-DC?
>> All the settings for this which work on a member server
>> do not work on a DC:
>>
>> [global]
>> netbios name = SVDCP
>> realm = PZ.CORPIT.RU
>> server role = active directory domain controller
>> workgroup = PZ
>>
>> idmap_ldb:use rfc2307 = yes
>> winbind nss info = rfc2307
>> template homedir = /home/%U
>> template shell = /bin/bash
>> winbind use default domain = yes
>>
>> idmap config pz : unix_primary_group = yes
>> idmap config pz : schema_mode = rfc2307
>> idmap config pz : range = 1000-4999
>> idmap config pz : backend = ad
>>
>>
>> (these are some of the many parameters I tried; some of them might be
>> conflicting with each other - I tried different combinations with
>> similar results).
>>
>> With this, on the DC, wbinfo -i <user> always shows template homedir,
>> template shell, and primary group=100. But on a member server, this
>> correctly shows homedir, shell and primary group stored in the AD.
>>
>> Where does it get the gid=100 from, and how do I configure it so it will
>> show the correct info?
> It has to be passed at the time of the AD's provision.
Hi! Thank you for the info.
I'm not sure I follow; I'm not sure I understand what you are trying to say.
What has to be passed?
If you're talking about the --use-rfc2307 option for the `samba-tool domain provision'
command, well, there are quite a few interesting questions there.
First of all, this option isn't documented -- samba-tool domain provision --help
does not list it. There are mentions of it in the wiki, though.
Second, as has been mentioned on the same wiki (which I just corrected) --
https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD#Installing_the_NIS_Extensions --
there's a way to add the missing attributes once the domain is already
provisioned.
Third, I did use --use-rfc2307 when creating (provisioning) the
domain -- and this is clear from my initial question, since without
this option, schema would not contain rfc2307 attributes, and a
member server wouldn't be able to grab this info (which has to be
stored somewhere, too).
What else has to be passed at the time of the AD provision?
Thanks!
/mjt
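The symptom described in this thread is that `wbinfo -i` on the DC returns the smb.conf template values (homedir under /home, shell /bin/bash, primary gid 100) instead of the uidNumber/gidNumber/unixHomeDirectory/loginShell stored in AD. The following script is an added example, not code from the thread or from the Samba project: it parses a passwd-style `wbinfo -i` line and compares it with the values the administrator expects from the directory (on a DC those could be read with `ldbsearch`; here they are passed in as arguments), flagging the template-fallback pattern explicitly. The sample lines are constructed; the template values mirror the smb.conf quoted above.

```sh
#!/bin/sh
# Added example (not from the thread): detect whether winbind on a DC is
# returning the smb.conf template values instead of the AD RFC2307 attributes.
#
# Assumption: `wbinfo -i <user>` prints a passwd-style line
#   name:*:uid:gid:gecos:home:shell
# Template values below mirror the smb.conf quoted in the thread.
TEMPLATE_HOME_PREFIX="/home/"      # template homedir = /home/%U
TEMPLATE_SHELL="/bin/bash"          # template shell = /bin/bash
FALLBACK_GID=100                    # gid the poster sees on the DC

# check_rfc2307 <wbinfo_line> <expected_gid> <expected_home> <expected_shell>
# Returns 0 when the line carries the expected AD values, 1 otherwise.
check_rfc2307() {
    line=$1; exp_gid=$2; exp_home=$3; exp_shell=$4
    name=$(printf '%s\n' "$line" | cut -d: -f1)
    gid=$(printf '%s\n' "$line" | cut -d: -f4)
    home=$(printf '%s\n' "$line" | cut -d: -f6)
    shell=$(printf '%s\n' "$line" | cut -d: -f7)
    rc=0
    if [ "$gid" != "$exp_gid" ]; then
        echo "$name: gid $gid does not match expected gidNumber $exp_gid"
        rc=1
    fi
    if [ "$home" != "$exp_home" ]; then
        echo "$name: homedir $home does not match expected unixHomeDirectory $exp_home"
        rc=1
    fi
    if [ "$shell" != "$exp_shell" ]; then
        echo "$name: shell $shell does not match expected loginShell $exp_shell"
        rc=1
    fi
    # Diagnose the specific pattern from the thread: every field equals the
    # smb.conf template / fallback value, i.e. the RFC2307 attributes were
    # not consulted at all.
    case "$home" in
        "$TEMPLATE_HOME_PREFIX"*) home_is_template=1 ;;
        *) home_is_template=0 ;;
    esac
    if [ "$rc" -ne 0 ] && [ "$home_is_template" -eq 1 ] \
       && [ "$shell" = "$TEMPLATE_SHELL" ] && [ "$gid" = "$FALLBACK_GID" ]; then
        echo "$name: all fields are template/fallback values (winbind is not using RFC2307 attributes)"
    fi
    return $rc
}

# Constructed sample output, as the thread describes it: the member server
# shows the AD-stored values, the DC shows the template values.
MEMBER_LINE="mjt:*:1001:1001:Michael Tokarev:/srv/home/mjt:/bin/zsh"
DC_LINE="mjt:*:1001:100:Michael Tokarev:/home/mjt:/bin/bash"

check_rfc2307 "$MEMBER_LINE" 1001 /srv/home/mjt /bin/zsh && echo "member server: OK"
check_rfc2307 "$DC_LINE" 1001 /srv/home/mjt /bin/zsh || echo "DC: RFC2307 values not in use"
```

Run on a real host as `check_rfc2307 "$(wbinfo -i "$user")" "$gid" "$home" "$shell"`, with the expected values taken from the user's AD object; the same check on a member server and on the DC makes the difference the thread describes visible in one line each.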