Thanks very much. For some reason, this time, when I uncommented those idmap range lines, it all worked.
Steve, to use rfc2307 out of the box, how do I specify uids for my users? I installed sfu to get the tab in the Users & Computers where I could set stuff like shell, uid, etc.

thanks,
-Nick

On Aug 12, 2012, at 6:26 AM, Gémes Géza <[email protected]> wrote:

> Hi,
>> Hi all,
>>
>> I'm still struggling with getting samba 3.6 to use the uids and gids from my
>> Active Directory 2008 R2 setup. I can see the users, I just can't get their
>> UIDs mapped onto my linux machine.
>>
>> I've configured AD to use its "services for unix" feature, and through
>> that, I got a "Unix Attributes" tab where I could enter fields like uid,
>> home dir, shell, and primary GID.
>>
>> My few questions:
>>
>> 1. Am I supposed to configure Samba to use rfc2307, or sfu?
>> 2. As you can see in my config, below, I've configured an idmap range for
>> the AD domain. It seems to be ignored, and instead, my users get placed in
>> the wildcard domain's idmap range.
>> 3. I found some advice (don't remember where) to try to delete these files
>> when I change this part of my config:
>> /var/run/samba/gencache*
>> /var/cache/samba/winbindd_cache.tdb
>> /var/lib/samba/winbindd_idmap.tdb
>> Any thoughts about the need/value to delete these temp files is
>> appreciated.
>> 4. Finally, does anyone have suggestions of other things I can try?
>>
>> thanks very much.
>>
>> best,
>> -Nick
> According to man idmap_ad you should have a generic idmap backend line as
> well, like:
>
> idmap backend = tdb
> idmap uid range = some uninteresting range
> idmap gid range = some uninteresting range
>
> I've written uninteresting range, because you should specify a range you
> haven't placed your users via ADUC
>> [global] (from my smb.conf)
>> workgroup = CORP
>> server string = %h server (Samba, Ubuntu)
>>
>> security = ADS
>> realm = CORP.xxx.COM
>> allow trusted domains = yes
>> winbind use default domain = yes
>> winbind nested groups = YES
>> winbind nested groups = YES
>> winbind enum groups = yes
>> winbind enum users = yes
>> winbind nss info = rfc2307
>> winbind refresh tickets = yes
>> idmap config CORP : backend = ad
>> idmap config CORP : schema_mode = rfc2307
>> #idmap config CORP : range = 1000 - 99999
>> idmap config * : default = yes
>> #idmap config * : backend = tdb
>> #idmap config * : range = 100000 - 199999
>> idmap config * : range = 900 - 1999
>>
>> encrypt passwords = true
>>
>> obey pam restrictions = yes
>> client use spnego = yes
>> client ntlmv2 auth = yes
>> encrypt passwords = true
>> restrict anonymous = 2
>>
>> When I perform an ldapsearch against my server, I see these attributes,
>> among others:
>>
>> msSFU30Name: nick
>> msSFU30NisDomain: corp
>> uidNumber: 1001
>> gidNumber: 1000
>> unixHomeDirectory: /home/nick
>> loginShell: /bin/bash
>>
> Regards
>
> Geza
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
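The range problem discussed in this thread can be checked mechanically. The following is an added example, not part of the original messages or of Samba: a small Python lint that reads the `idmap config` lines and reports when the AD domain has no active range, or when the `uidNumber`/`gidNumber` values stored in AD land in the default (`*`) range. The function names are hypothetical, and `FIXED` is an assumption about what the uncommented configuration looked like (with the `900 - 1999` line dropped).

```python
import re

# Matches active smb.conf lines such as "idmap config CORP : range = 1000 - 99999".
IDMAP_RE = re.compile(
    r"^[ \t]*idmap config[ \t]+(\S+)[ \t]*:[ \t]*([\w ]+?)[ \t]*=[ \t]*(.+?)[ \t]*$", re.I | re.M)

def parse_idmap(conf_text):
    """Return {domain: {option: value}}; lines starting with # never match."""
    domains = {}
    for dom, key, val in IDMAP_RE.findall(conf_text):
        domains.setdefault(dom.upper(), {})[key.lower()] = val
    return domains

def id_range(opts):
    """Parse 'low - high' into a tuple, or None if no range is set."""
    m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", opts.get("range", ""))
    return (int(m.group(1)), int(m.group(2))) if m else None

def check(conf_text, domain, ids):
    """List problems for `domain`, given the uidNumber/gidNumber values held in AD."""
    doms = parse_idmap(conf_text)
    own = id_range(doms.get(domain.upper(), {}))
    default = id_range(doms.get("*", {}))
    problems = []
    if own is None:
        problems.append(f"{domain}: no active range line")
    for n in ids:
        if own and not own[0] <= n <= own[1]:
            problems.append(f"{domain}: id {n} outside range {own[0]}-{own[1]}")
        if default and default[0] <= n <= default[1]:
            problems.append(f"id {n} falls inside default range {default[0]}-{default[1]}")
    if own and default and default[0] <= own[1] and own[0] <= default[1]:
        problems.append(f"{domain} range overlaps default range")
    return problems

# Constructed sample: the idmap lines as posted in the thread.
AS_POSTED = """\
idmap config CORP : backend = ad
idmap config CORP : schema_mode = rfc2307
#idmap config CORP : range = 1000 - 99999
idmap config * : default = yes
#idmap config * : backend = tdb
#idmap config * : range = 100000 - 199999
idmap config * : range = 900 - 1999
"""
# Assumed corrected form: range lines uncommented, 900 - 1999 line removed.
FIXED = AS_POSTED.replace("#idmap", "idmap").replace("idmap config * : range = 900 - 1999\n", "")

if __name__ == "__main__":
    for problem in check(AS_POSTED, "CORP", [1001, 1000]):
        print(problem)
```

Run against the posted configuration with the ids from the ldapsearch output (1001 and 1000), it reports the missing CORP range and both ids sitting inside the wildcard range; the assumed corrected form reports nothing.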
