I wanted to use winbind to get user and group (i.e. nss) info from a Microsoft Active Directory LDAP Server that supports an RFC2307 compliant LDAP schema. I was unable to make that work until Guenther Deschner (see below) explained that I still had to specify idmap uid and idmap gid ranges.
That need is not intuitively obvious. I suggest it be removed, or at least explained in the smb.conf manpage. The man page suggests that 'idmap backend' and the idmap uid/gid ranges are mutually exclusive (except for when idmap backend = idmap_rid). To illustrate this, consider the first sentence under the description of the idmap backend parameter:

    idmap backend (G)
    The purpose of the idmap backend parameter is to allow idmap to NOT use
    the local idmap tdb file to obtain SID to UID / GID mappings, but instead
    to obtain them from a common LDAP backend.

If we are to use LDAP for the map, then what good is it to specify the range of numbers that can be used in the map? Hasn't the range already been set by whatever process populated LDAP with the uids/gids? Or are we to assume that winbind is the agent that will make the maps within the LDAP backend?

Obviously the answers are, 'Yes, the range has already been set', and 'No, winbind is not making the maps within the LDAP backend. Something else must have assigned the uids/gids within the LDAP backend server.'

So, what is the reasoning behind requiring the specification of idmap uid and gid ranges when the backend is MsAD? Suppose there is a good reason. Then, what do we do with the problem of how to specify the idmap uid/gid ranges? Do we query LDAP to determine the current range in order to make sure the range we specify includes all uids/gids already set within LDAP? That is crazy. If we don't, then it must not matter what ranges we specify. So again, setting the range seems to have no natural, reasonable purpose.

Lastly, if it really does make sense to set the idmap uid/gid ranges, then please update the smb.conf manual. It is very misleading (at least in the v3.0.22 rendition).
Besides the misleading opening paragraph (pointed out above), there is another bit that implies setting the uid/gid ranges is not needed when using idmap backend, _except_ when the idmap backend is set to 'idmap_rid':

    An alternate method of SID to UID / GID mapping can be achieved using the
    idmap_rid plug-in. This plug-in uses the account RID to derive the UID and
    GID by adding the RID to a base value specified. This utility requires
    that the parameter ``allow trusted domains = No'' must be specified, as it
    is not compatible with multiple domain environments. The idmap uid and
    idmap gid ranges must also be specified.

I suspect that as the code currently stands, it would be more accurate to remove that last sentence from the paragraph describing the idmap_rid plugin, and put it as part of the opening paragraph. I.e. I suspect that the current code requires you to specify the idmap uid/gid ranges no matter what your idmap backend is.

In any case, thank you for the wonderful software we have in samba.

Sincerely,
Jon Detert

* Jonathan C. Detert <[EMAIL PROTECTED]> [060427 12:11]:
> * Guenther Deschner <[EMAIL PROTECTED]> [060427 11:56]:
> > On Thu, Apr 27, 2006 at 11:21:45AM -0500, Jonathan C. Detert wrote:
> > > with samba 3.0.22, I'm trying to integrate a linux box with Microsoft AD
> > > by using winbind for authentication as well as for the source of nss info.
> > >
> > > When winbind is configured to use its own local id maps, everything
> > > works fine.
> > >
> > > But when i configure winbind to use 'ad' as the source of nss info,
> > > authentication fails, 'getent' commands return no results, and
> > > 'wbinfo -r someusername' returns nothing (though wbinfo -u and -g work
> > > correctly).
> > -- snip --
> > >
> > > And here is how smb.conf looks when winbind is configured to use AD for
> > > nss:
> > > --------------
> > > winbind enum groups = yes
> > > winbind enum users = yes
> > > winbind separator = +
> > > winbind nested groups = yes
> > > winbind nss info = sfu
> > > winbind use default domain = yes
> > >
> > > idmap backend = ad
> >
> > You still need to have the idmap ranges set so that winbind does not fall
> > into the "netlogon proxy only" mode. Does it work then?
>
> Yes, thanks! I don't understand that at all. What is 'netlogon proxy only'
> mode?
>
> If winbind is mapping a sid to the uid/gid recorded in AD via the sfu
> schema attributes, then why would I tell winbind what range it can use for
> the uids and gids that it maps the sids to?
>
> Also, what relationship do my idmap id ranges have to the actual values
> in AD for the msSFU30UidNumber and msSFU30GidNumber attributes? Do I
> need to ensure that my idmap id ranges match the ranges of values used
> in AD for msSFU30UidNumber and msSFU30GidNumber?

--
Happy Landings,
Jon Detert
IT Systems Administrator, Milwaukee School of Engineering
1025 N. Broadway, Milwaukee, Wisconsin 53202, U.S.A.

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
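As an added illustration (not part of the original thread), here is the quoted smb.conf fragment with the idmap ranges Guenther refers to filled in; the workgroup, realm, security setting and the 10000-20000 range values are assumptions for the example.

```ini
# Added example, not from the original message: the smb.conf fragment quoted
# in the thread, plus the idmap ranges that winbind (samba 3.0.22) still
# requires with idmap backend = ad so it does not drop into the
# "netlogon proxy only" mode described by Guenther.
[global]
   workgroup = EXAMPLE             ; assumed NetBIOS domain name
   realm = EXAMPLE.LOCAL           ; assumed AD realm
   security = ads                  ; assumed: the box is joined to AD

   winbind enum groups = yes
   winbind enum users = yes
   winbind separator = +
   winbind nested groups = yes
   winbind nss info = sfu          ; uid/gid come from msSFU30UidNumber / msSFU30GidNumber
   winbind use default domain = yes

   idmap backend = ad

   ; The ranges below are the fix from the thread.  The values are an
   ; assumption chosen to cover the msSFU30UidNumber / msSFU30GidNumber
   ; values stored in AD; the thread leaves open whether they must match.
   idmap uid = 10000-20000
   idmap gid = 10000-20000
```

After restarting winbindd, the checks the thread already uses ('getent passwd', 'wbinfo -u', 'wbinfo -r someusername') show whether SID to uid/gid mapping now works.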