One last thing that stumped me for a while: For getent passwd to display an AD user with uid/gid, the user must (obviously) have a uidNumber defined, but their *primary* group must have a gidNumber defined as well. If either of these pieces is missing, the user will not show up.
----- Original Message -----
From: "Michael Ray" <[email protected]>
To: [email protected]
Sent: Thursday, February 7, 2013 3:49:01 PM
Subject: Re: [Samba] AD uid/gid attributes

Here is the solution that worked for me, on the off chance another poor soul has trouble figuring this all out: (That is assuming that you were in my boat, i.e. user authentication but UID/GID were not mapped)

smb.conf:

    [global]
        netbios name = <name_to_join_AD_with>
        realm = DOMAIN_FQDN
        workgroup = DOMAIN
        preferred master = no
        security = ADS
        encrypt passwords = yes
        log level = 3
        log file = /var/log/samba/%m
        max log size = 50
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        winbind nested groups = Yes
        idmap config * : range = 2000 - 3000
        idmap config * : backend = tdb
        idmap config DOMAIN : schema_mode = rfc2307
        idmap config DOMAIN : backend = ad
        idmap config DOMAIN : range = 500 - 1000
        idmap config DOMAIN : readonly = yes
        idmap config DOMAIN : default = yes
        template shell = /bin/bash
        winbind nss info = rfc2307

A couple notes of possible interest:

idmap config * : backend = tdb -- is actually the default value so you do not *have* to specify it

idmap config * : range = x - y -- this inclusive range *must* be explicitly declared as something and will break getent passwd for domain users if not declared. I'd be surprised if there weren't a possibility of an issue if you have multiple domains and this range mirrors the range for the domain, but in my case, with only 1 domain, I haven't seen an issue.

idmap config DOMAIN : range = a - b -- this is the inclusive range winbind is an authority for (i.e. for the above example, a user with uidNumber 1001 would not show up in getent passwd)

Of course, for this to work, you must also have /etc/nsswitch.conf configured for winbind and /etc/krb5.conf configured for your domain.
----- Original Message -----
From: "Michael Ray" <[email protected]>
To: [email protected]
Sent: Wednesday, February 6, 2013 2:06:43 PM
Subject: [Samba] AD uid/gid attributes

Hey all-

I know this kind of post has come up before, but I was unable to get results following previous postings, so if anyone can shed a little light on this, I'd be very grateful.

The gist of the situation is this:

PDC: Samba4 [4.1.0pre1-GIT-394622e]
Member: Samba3 (being used as a file share server) [3.6.3-2ubuntu2.3]

The Samba3 machine is joined to the domain and authenticates domain users successfully for both ssh and local logins via winbind/nss/pam. However, the UID/GID attribute, although expressed in AD, is not the same. On the Samba4 machine itself I can use "getent" and verify the proper uid/gid.

As I understand it though, when samba3 queries AD for information, by default it's just authenticating user / password. It then makes a local UID/GID based on the range and backend specified in smb.conf.

I saw one post talking about using LDAP to query UID/GID information from AD instead of a local idmap, but was unable to get it to work. I don't really want to add more overhead (i.e. LDAP) to this process if it can be avoided but will look at it again if there is no other way.

Here is a pastebin of the smb.conf on the samba3 server: http://pastebin.com/GrwUDCJ2

So to anyone who can point me in the right direction / let me know what worked for them, again, I'd be grateful.

Thanks,
Mike Ray

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
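As an added example (not from the thread or the Samba project), a small offline audit of the three ways Mike describes a domain user failing to appear in getent passwd with idmap backend = ad: no uidNumber, a primary group without a gidNumber, and a uidNumber outside the declared idmap range. The smb.conf fragment and the user/group records are constructed sample data, and the names audit, check_user and idmap_range are my own.

```python
import re

# Constructed smb.conf fragment (assumption: mirrors the idmap lines from the thread).
SMB_CONF = """
[global]
    idmap config * : range = 2000 - 3000
    idmap config DOMAIN : backend = ad
    idmap config DOMAIN : range = 500 - 1000
"""
# Constructed sample AD objects, groups keyed by RID (the user's primaryGroupID value);
# a real run would fill these from an ldbsearch/ldapsearch export.
GROUPS = {
    513: {"cn": "Domain Users", "gidNumber": 500},
    1104: {"cn": "nogid"},                       # primary group with no gidNumber
}
USERS = [
    {"sAMAccountName": "alice", "uidNumber": 501, "primaryGroupID": 513},
    {"sAMAccountName": "bob", "primaryGroupID": 513},                       # no uidNumber
    {"sAMAccountName": "carol", "uidNumber": 502, "primaryGroupID": 1104},  # group lacks gidNumber
    {"sAMAccountName": "dave", "uidNumber": 1001, "primaryGroupID": 513},   # outside range
]

def idmap_range(smb_conf, domain):
    """Return the inclusive (low, high) of 'idmap config DOMAIN : range = a - b'."""
    pat = re.compile(r"idmap config %s\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)"
                     % re.escape(domain), re.IGNORECASE)
    m = pat.search(smb_conf)
    if not m:
        raise ValueError("no idmap range declared for %s" % domain)
    return int(m.group(1)), int(m.group(2))

def check_user(user, groups, uid_range):
    """Return [] if the user would appear in getent passwd, else the reasons it would not."""
    low, high = uid_range
    problems = []
    uid = user.get("uidNumber")
    if uid is None:
        problems.append("no uidNumber")
    elif not low <= uid <= high:
        problems.append("uidNumber %d outside idmap range %d-%d" % (uid, low, high))
    grp = groups.get(user.get("primaryGroupID"))
    if grp is None or grp.get("gidNumber") is None:
        problems.append("primary group has no gidNumber")
    return problems

def audit(users=USERS, groups=GROUPS, smb_conf=SMB_CONF, domain="DOMAIN"):
    """Map each sAMAccountName to its list of problems (empty list means visible)."""
    uid_range = idmap_range(smb_conf, domain)
    return {u["sAMAccountName"]: check_user(u, groups, uid_range) for u in users}
if __name__ == "__main__":
    for name, problems in audit().items():
        print(name, "OK" if not problems else "; ".join(problems))
```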
