Hello Andrew, If functionality is not there, I certainly understand and can work around it. I just want to make sure I am not misunderstanding something.
When you say I should set "idmap_ldb:use rfc2307=yes" in smb.conf on the DC, do you mean that by doing so I can use winbind (and the rfc2307 attributes) for *nix authentication on the DC? I am confused because I already have "idmap_ldb:use rfc2307 = yes" in my smb.conf (it gets added automatically with the classicupgrade and I always provision my "clean" test setup with "--use-rfc2307"). That actually works fine - the rfc2307 attributes are there and I can modify them in ADUC. If I configure the server to use NSS+LDAP for authentication, my users' uid number, gid number, shell, etc. are what I have specified in ADUC. When I try using winbind, it is not using the rfc2307 information from AD. Initially, "idmap_ldb:use rfc2307 = yes" was the only idmap related entry in my smb.conf. When that did not work I tried a bunch of other "idmap config DOMAIN" settings.

Again, if this simply does not work at this time, I can use NSS and LDAP for logins on my DCs. With my S3 setup, I've always used LDAP for auth on *nix systems and am not terribly familiar with winbind, so I just want to make sure I'm not missing something.

My next test will be setting up a member server. Can you tell me what entries I will need in my smb.conf to have winbind use the rfc2307 information from my S4 DC on member servers?

Thank you for your help!

On Sun, Dec 16, 2012 at 4:04 PM, Andrew Bartlett <[email protected]> wrote:
> On Sun, 2012-12-16 at 12:23 -0500, Thomas Simmons wrote:
> > Hello Takahashi,
> >
> > I am using ADUC to manage UNIX attributes and have created the attributes for each test user.
> >
> > Just to make sure I understand you correctly; you're saying there is no way to have S4 winbind use rfc2307 attributes for *nix authentication on a DC, but it will work on a member server? This is a "clean" provision test setup that I am running at home. In production (and testing at work) I will be performing a classicupgrade. I have 300+ users with existing accounts spread out across many servers. S3 (or its LDAP backend) is used for auth & auth on all of our services, so I need to ensure these attributes stay the same. Worst case I can use NSS+LDAP, but I would prefer to use winbind if possible.
> >
> > Here I have NSS+LDAP configured and getent reports the correct uidNumber and gidNumber that I have specified in AD (rfc2307 attributes):
> >
> > root@ALW1:~# getent passwd | grep tuser
> > tuser1:*:10005:10000:Test User1:/home/tuser1:/bin/sh
> > tuser2:*:10006:10000:Test User2:/home/tuser2:/bin/sh
> > tuser3:*:10007:10000:Test User3:/home/tuser3:/bin/sh
> >
> > Here (DC) I am using winbind for authentication, and getent does not report the correct uidNumber and gidNumber:
> >
> > [root@ADC1 ~]# getent passwd | grep tuser
> > TESTDOM\tuser1:*:3000025:100:Test User1:/home/tuser1:/bin/sh
> > TESTDOM\tuser2:*:3000026:100:Test User2:/home/tuser2:/bin/sh
> > TESTDOM\tuser3:*:3000027:100:Test User3:/home/tuser3:/bin/sh
>
> On the DC, set:
>
> idmap_ldb:use rfc2307=yes
>
> We realise that having the different behaviour between the DC and the member server is very annoying, but we have not had the resources to rework this area of the codebase quite yet.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
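Added example, not from the thread or from Samba's own documentation: an smb.conf fragment showing the DC setting Andrew gives, next to the member-server idmap settings that make winbind read uidNumber/gidNumber from AD. The member-server lines (the "ad" idmap backend with schema_mode = rfc2307, winbind nss info = rfc2307, the realm, and the id ranges) are assumptions based on Samba's documented parameters, not something this thread confirms; TESTDOM and the 10000-range values are placeholders taken from the getent output above.

```ini
# Added example, not the thread's own configuration.

# --- On the DC: the one setting the thread gives ---
[global]
    idmap_ldb:use rfc2307 = yes

# --- On a domain member server (assumed, see lead-in) ---
[global]
    workgroup = TESTDOM
    realm = TESTDOM.EXAMPLE          ; placeholder AD realm
    security = ads

    ; Default backend for BUILTIN and any other domain: IDs allocated
    ; locally. Its range must not overlap the TESTDOM range below.
    idmap config * : backend = tdb
    idmap config * : range = 3000000-3999999

    ; Read uidNumber/gidNumber from the rfc2307 attributes set in ADUC
    ; instead of allocating IDs locally.
    idmap config TESTDOM : backend = ad
    idmap config TESTDOM : schema_mode = rfc2307

    ; Must cover every uidNumber/gidNumber assigned in AD (10000-10007 in
    ; the thread's example). IDs outside the range are not mapped, so such
    ; users simply do not appear in getent output.
    idmap config TESTDOM : range = 10000-19999

    ; Also take loginShell and unixHomeDirectory from AD rather than
    ; the template defaults.
    winbind nss info = rfc2307
```

A quick check after restarting winbind is `getent passwd TESTDOM\\tuser1`, which should show the uidNumber/gidNumber set in ADUC (10005:10000 for tuser1 in the thread) rather than an ID from the locally allocated 3000000 range.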
