On 13/01/12 16:32, Adam Tauno Williams wrote:
On Fri, 2012-01-13 at 02:51 +0100, steve wrote:
On 12/01/12 23:02, Adam Tauno Williams wrote:
Quoting steve<st...@steve-ss.com>:
Samba4's winbind does not support RFC2307,  so doing this is pretty
rough.  I think you need to either use CIFS + winbind everywhere or
somehow maintain an external idmap.
Yea, it is horrible.  We are staring down the barrel of the same
gun.
As Jeremy said, they are discussing what needs to be done before
releasing Samba 4.0.0 and how to reconcile Samba 3's winbind and Samba
4's winbind etc., so if something that is critical for you does not
currently work, you should file a bug report.
Yep. I realise the 'alphaness' of Samba 4 but I think I am not alone
with my issue. I think it should be easy to fix now before it goes beta.
https://bugzilla.samba.org/show_bug.cgi?id=8635
Holy awesome; it got better.  I just tested an upgrade of our
production domain and it appears that Samba4 took [and kept] the UID
number from the existing account.
Production
-------------
[root@littleboy ~]# id adam
uid=437(adam) gid=230(cis) groups=230(cis)
Test Server
------------
barbel:~ # wbinfo -i adam
BACKBONE\adam:*:437:100:Adam Williams:/home/BACKBONE/adam:/bin/false
Home directory is a bit weird, and the gidNumber didn't stick.  But at
least I have the uidNumber.
4.0.0alpha18-GIT-103c1cb [openSUSE 12.1 x86_64] transitioned via
"samba-tool domain samba3upgrade" from Samba S3 w/LDAPSAM.
Nice find you have there. Meanwhile I've got it working. Very rough. But
working for 10 hour Kerberos sessions at a time;)
http://linuxcostablanca.blogspot.com/2011/12/samba-4-linux-integration-first-i-want.html
Steve
What I'm puzzled by [and maybe this is a deficiency in Samba4 still] is
that while the LDAP modify works the wbinfo output doesn't change.

dn: CN=adam,CN=Users,DC=micore,DC=us
changetype: modify
add: objectclass
objectclass: posixaccount
-
add: objectclass
objectclass: shadowaccount
-
add: uidnumber
uidnumber: 437
-
add: gidnumber
gidnumber: 230
-
add:unixhomedirectory
unixhomedirectory: /home/adam
-
add: loginshell
loginshell: /bin/ksh

barbel:~ # wbinfo -i adam
BACKBONE\adam:*:437:100:Adam Williams:/home/BACKBONE/adam:/bin/false

So obviously the gidNumber attribute is ignored.  The uidNumber
attribute didn't exist in the object - so that is obviously coming from
elsewhere.  Guess I need to dig into winbind.

I'm currently *assuming* that these attributes are compatible with SFU
for Windows and that they'd replicate to a Windows AD server.

Yes, you can change the uidnumber but not the gidnumber. In your example, it missed the shell too although it works if you put e.g. template shell = /bin/bash in smb.conf.

Using the openSUSE nss-pam-ldapd module I have this:

# Mappings for Services for UNIX 3.5
#filter passwd (objectClass=User)
#map    passwd uid              msSFU30Name
#map    passwd userPassword     msSFU30Password
#map    passwd homeDirectory    msSFU30HomeDirectory
#map    passwd homeDirectory    msSFUHomeDirectory
#filter shadow (objectClass=User)
#map    shadow uid              msSFU30Name
#map    shadow userPassword     msSFU30Password
#filter group  (objectClass=Group)
#map    group  uniqueMember     msSFU30PosixMember

# Mappings for Active Directory
#pagesize 1000
#referrals off
#filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map    passwd uid              sAMAccountName
map    passwd homeDirectory    unixHomeDirectory
#map    passwd gecos            displayName
#filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map    shadow uid              sAMAccountName
#map    shadow shadowLastChange pwdLastSet
#filter group  (objectClass=group)
#map    group  uniqueMember     member

I feel I'm getting somewhere at last!
Cheers
Steve