On Sun, 2012-12-16 at 12:23 -0500, Thomas Simmons wrote:
> Hello Takahashi,
>
> I am using ADUC to manage UNIX attributes and have created the attributes
> for each test user.
>
> Just to make sure I understand you correctly; you're saying there is no way
> to have S4 winbind use rfc2307 attributes for *nix authentication on a DC,
> but it will work on a member server? This is a "clean" provision test setup
> that I am running at home. In production (and testing at work) I will be
> performing a classicupgrade. I have 300+ users with existing accounts
> spread out across many servers. S3 (or its LDAP backend) is used for auth
> & auth on all of our services, so I need to ensure these attributes stay
> the same. Worst case I can use NSS+LDAP, but I would prefer to use winbind
> if possible.
>
> Here I have NSS+LDAP configured and getent reports the correct uidNumber
> and gidNumber that I have specified in AD (rfc2307 attributes):
>
> root@ALW1:~# getent passwd | grep tuser
> tuser1:*:10005:10000:Test User1:/home/tuser1:/bin/sh
> tuser2:*:10006:10000:Test User2:/home/tuser2:/bin/sh
> tuser3:*:10007:10000:Test User3:/home/tuser3:/bin/sh
>
> Here (DC) I am using winbind for authentication, and getent does not report
> the correct uidNumber and gidNumber:
>
> [root@ADC1 ~]# getent passwd | grep tuser
> TESTDOM\tuser1:*:3000025:100:Test User1:/home/tuser1:/bin/sh
> TESTDOM\tuser2:*:3000026:100:Test User2:/home/tuser2:/bin/sh
> TESTDOM\tuser3:*:3000027:100:Test User3:/home/tuser3:/bin/sh

On the DC, set:

idmap_ldb:use rfc2307=yes

We realise that having the different behaviour between the DC and the
member server is very annoying, but we have not had the resources to
rework this area of the codebase quite yet.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
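
A check for the mismatch shown in the quoted getent output, added here as an example and not part of the original messages or of Samba's own code: it compares two `getent passwd` listings and reports accounts whose uid/gid differ between hosts, which matters because differing IDs change who owns which files on each machine. The function names are hypothetical and the sample input is constructed from the two listings quoted in the thread.

```python
"""Report accounts whose uid/gid differ between two `getent passwd` listings."""

# Constructed sample input: the member-server and DC listings quoted in the thread.
# Raw strings keep the DOMAIN\user backslash from being read as an escape.
MEMBER_GETENT = r"""
tuser1:*:10005:10000:Test User1:/home/tuser1:/bin/sh
tuser2:*:10006:10000:Test User2:/home/tuser2:/bin/sh
tuser3:*:10007:10000:Test User3:/home/tuser3:/bin/sh
"""
DC_GETENT = r"""
TESTDOM\tuser1:*:3000025:100:Test User1:/home/tuser1:/bin/sh
TESTDOM\tuser2:*:3000026:100:Test User2:/home/tuser2:/bin/sh
TESTDOM\tuser3:*:3000027:100:Test User3:/home/tuser3:/bin/sh
"""


def parse_getent(text):
    """Map bare account name -> (uid, gid) from passwd-format lines."""
    ids = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            raise ValueError(f"not a passwd entry: {line!r}")
        # winbind on the DC reports names as DOMAIN\user; keep only the user part
        name = fields[0].rsplit("\\", 1)[-1].lower()
        ids[name] = (int(fields[2]), int(fields[3]))
    return ids


def id_drift(reference, candidate):
    """Return {user: (reference_ids, candidate_ids)} for accounts whose IDs differ."""
    return {
        user: (reference[user], candidate[user])
        for user in sorted(reference.keys() & candidate.keys())
        if reference[user] != candidate[user]
    }


if __name__ == "__main__":
    drift = id_drift(parse_getent(MEMBER_GETENT), parse_getent(DC_GETENT))
    for user, (want, got) in drift.items():
        print(f"{user}: expected uid/gid {want}, DC reports {got}")
    # Non-zero exit when any account maps to different IDs on the two hosts
    raise SystemExit(1 if drift else 0)
```

Run against the real listings before and after changing the idmap setting; an empty result means both hosts resolve the shared accounts to the same uid and gid.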
