Hi all,

I'm still struggling with getting samba 3.6 to use the uids and gids from my 
Active Directory 2008 R2 setup. I can see the users, I just can't get their 
UIDs mapped onto my linux machine.

I've configured AD to use its "services for unix" feature, and through that, I got a 
"Unix Attributes" tab where I could enter fields like uid, home dir, shell, and primary 
GID.

My few questions:

1. Am I supposed to configure Samba to use rfc2307, or sfu?
2. As you can see in my config, below, I've configured an idmap range for the 
AD domain. It seems to be ignored, and instead, my users get placed in the 
wildcard domain's idmap range.
3. I found some advice (don't remember where) to try to delete these files when 
I change this part of my config:
        /var/run/samba/gencache*
        /var/cache/samba/winbindd_cache.tdb
        /var/lib/samba/winbindd_idmap.tdb
   Any thoughts about the need/value of deleting these temp files are 
appreciated.
4. Finally, does anyone have suggestions of other things I can try?

thanks very much.

best,
-Nick
According to man idmap_ad you should have a generic idmap backend line as well, like:

idmap backend = tdb
idmap uid range = some uninteresting range
idmap gid range = some uninteresting range

I've written "uninteresting range" because you should specify a range in which you haven't placed your users via ADUC.
[global]   (from my smb.conf)
    workgroup = CORP
    server string = %h server (Samba, Ubuntu)

    security = ADS
    realm = CORP.xxx.COM
    allow trusted domains = yes
    winbind use default domain = yes
    winbind nested groups = YES
    winbind nested groups = YES
    winbind enum groups = yes
    winbind enum users = yes
    winbind nss info = rfc2307
    winbind refresh tickets = yes
    idmap config CORP : backend = ad
    idmap config CORP : schema_mode = rfc2307
    #idmap config CORP : range = 1000 - 99999
    idmap config * : default = yes
    #idmap config * : backend = tdb
    #idmap config * : range = 100000 - 199999
    idmap config * : range = 900 - 1999

    encrypt passwords = true

    obey pam restrictions = yes
    client use spnego = yes
    client ntlmv2 auth = yes
    encrypt passwords = true
    restrict anonymous = 2

When I perform an ldapsearch against my server, I see these attributes, among 
others:

msSFU30Name: nick
msSFU30NisDomain: corp
uidNumber: 1001
gidNumber: 1000
unixHomeDirectory: /home/nick
loginShell: /bin/bash

Regards

Geza
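The symptom in the original post (the per-domain range commented out, users landing in the wildcard range) can be caught by a small consistency check before restarting winbind. The following is an added example written for this thread, not code from either poster or from the Samba project. It assumes, following man idmap_ad, that a per-domain `idmap config DOMAIN : range` is required for the `ad` backend to be used at all, that ranges of different idmap domains must not overlap, and that the `uidNumber`/`gidNumber` values stored in AD must fall inside the domain's range. The smb.conf text, the "fixed" variant and the LDAP attribute values are constructed samples that mirror the ones quoted above; the function names are my own.

```python
import re

# Constructed sample: the shape of the smb.conf quoted in the thread, with the
# per-domain range still commented out (the original poster's situation).
SAMPLE_SMB_CONF = """
[global]
    workgroup = CORP
    security = ADS
    realm = CORP.EXAMPLE.COM
    winbind nss info = rfc2307
    idmap config CORP : backend = ad
    idmap config CORP : schema_mode = rfc2307
    #idmap config CORP : range = 1000 - 99999
    idmap config * : default = yes
    idmap config * : range = 900 - 1999
"""

# Constructed variant following the reply's advice: per-domain range enabled,
# wildcard backend explicit and its range moved well away from the AD uids.
FIXED_SMB_CONF = SAMPLE_SMB_CONF.replace(
    "#idmap config CORP : range = 1000 - 99999",
    "idmap config CORP : range = 1000 - 99999",
).replace(
    "idmap config * : range = 900 - 1999",
    "idmap config * : backend = tdb\n    idmap config * : range = 100000 - 199999",
)

# Constructed sample: the RFC2307 attributes ldapsearch returned for one user.
SAMPLE_LDAP_USER = {"uidNumber": 1001, "gidNumber": 1000}

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$")


def parse_idmap_config(text):
    """Return {domain: {option: value}} for the active idmap config lines.

    Commented-out lines are skipped, exactly as smbd skips them, which is how a
    '#idmap config CORP : range' line silently leaves the domain without a range.
    """
    domains = {}
    for line in text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            key = "*" if dom == "*" else dom.upper()
            domains.setdefault(key, {})[opt.lower()] = val
    return domains


def parse_range(value):
    """Parse 'low - high' into (low, high); raises ValueError if malformed."""
    lo, hi = (int(x) for x in value.replace(" ", "").split("-"))
    if lo > hi:
        raise ValueError(f"range low > high: {value!r}")
    return lo, hi


def check_idmap(domains):
    """Return a list of findings; an empty list means the ranges look consistent."""
    findings = []
    ranges = {}
    for dom, opts in domains.items():
        if "range" not in opts:
            backend = opts.get("backend", "default")
            findings.append(f"{dom}: no range configured, so the '{backend}' "
                            f"backend cannot be used for this domain")
            continue
        try:
            ranges[dom] = parse_range(opts["range"])
        except ValueError:
            findings.append(f"{dom}: malformed range {opts['range']!r}")
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:  # intervals intersect
                findings.append(f"{a} range {alo}-{ahi} overlaps {b} range {blo}-{bhi}")
    return findings


def owning_domains(idnum, domains):
    """Return the idmap domains whose configured range contains idnum."""
    owners = []
    for dom, opts in domains.items():
        if "range" in opts:
            lo, hi = parse_range(opts["range"])
            if lo <= idnum <= hi:
                owners.append(dom)
    return sorted(owners)


if __name__ == "__main__":
    for label, conf in (("as posted", SAMPLE_SMB_CONF), ("fixed", FIXED_SMB_CONF)):
        domains = parse_idmap_config(conf)
        print(f"== {label} ==")
        for f in check_idmap(domains) or ["no findings"]:
            print("  " + f)
        for attr, val in SAMPLE_LDAP_USER.items():
            print(f"  {attr}={val} falls in: {owning_domains(val, domains) or 'no range'}")
```

Run against the config as posted, the check reports that CORP has no range and shows uidNumber 1001 being claimed by the wildcard `*` range (900-1999), which matches the behaviour described in question 2; with the range uncommented and the wildcard range moved, the same uid is owned by CORP and the findings list is empty.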