[Samba] rfc2307 attributes on a samba ad-dc
Rowland Penny
rpenny at samba.org
Sat Nov 19 12:36:50 UTC 2022
On 19/11/2022 09:40, Michael Tokarev via samba wrote:
> Hi!
>
> How one enables RFC2307 attributes for users on a Samba AD-DC?
> All the settings about this which works on a member server,
> does not work on an DC:
>
> [global]
> netbios name = SVDCP
> realm = PZ.CORPIT.RU
> server role = active directory domain controller
> workgroup = PZ
>
> idmap_ldb:use rfc2307 = yes
> winbind nss info = rfc2307
> template homedir = /home/%U
> template shell = /bin/bash
> winbind use default domain = yes
>
> idmap config pz : unix_primary_group = yes
> idmap config pz : schema_mode = rfc2307
> idmap config pz : range = 1000-4999
> idmap config pz : backend = ad
>
>
> (these are one of the many parameters I tried, some of them might be
> conflicting with each other - I tried different combinations with
> similar results).
>
> With this, on the DC, wbinfo -i <user> always shows template homedir,
> template shell, and primary group=100. But on a member server, this
> correctly shows homedir, shell and primary group stored in the AD.
>
> Where it gets the gid=100 from, and how to configure it so it will
> show the correct info?
>
> Thanks!
>
> /mjt
>
The only rfc2307 attributes that you can use on a Samba AD DC are the
uidNumber and gidNumber attributes, all others are ignored. Even they
are ignored unless you have 'idmap_ldb:use rfc2307 = yes' set.
The gid '100' is coming from idmap.ldb and shows that you haven't given
Domain Users a gidNumber. You might as well remove most of what you have
added, they do not work on a DC, the exception being the 'template' lines.
Rowland
More information about the samba
mailing list