There is one "UNIX attribute" tab and one "Members Of" tab.
During some tests we discovered the following facts:
=================================================
In "UNIX attribute" tab:
========================
winbind is only interested in the UID field ->
in ldap tree the attribute "uidnumber".
If you're talking SFU, it doesn't use uidnumber. It uses attribute
msSFU30UidNumber and displays UID on the Unix Attributes tab.
I don't have a Windows 2003 R2 for comparison. Are you really using SFU
(Services For Unix 3.0) or do you have the newer 2003 R2?
I use 2003 R2 and did install the "Unix plugin" for the AD schema
extension from the Windows component setup.
The other attributes from "UNIX attribute" tab are written to ldap
tree, but not used by winbind on linux side.
For example we set the following parameter in smb.conf:
winbind nss info = sfu
Of course we could define our own template shell/home with the
"template home" and "template shell" parameters, but it's better if
"sfu" works, so we would configure these parameters via the tab.
Winbind only uses this parameter when it creates a Unix account, which
shouldn't happen for your AD domain members if your AD is mapped correctly.
winbind uses this parameter only if "it" creates a unix account? In
case I create a unix account with "adduser" on the terminal?
The mapping seems to be correct if I have a look at "getent passwd" and
"getent group".
The "primary Group" is written to the ldap tree but not used by
winbind on the unix side.
I meant the "primary Group" text field from the
"UNIX attribute" tab
seems NOT to be used by winbind.
The "primary group" which you can set
by clicking the button "primary group" in the "Members Of" tab
IS USED by winbind perfectly.
I am sorry if my explanation wasn't clear in my last posting.
# net ads testjoin
Join is OK
# wbinfo -i forest\\jdoe
FOREST\jdoe:*:525:100:John Doe:/home/jdoe:/bin/bash
# getent passwd|grep jdoe
FOREST\jdoe:*:525:100:John Doe:/home/jdoe:/bin/bash
# getent group|grep 100
FOREST\domain users:x:100:
You can set the value msSFU30Gecos and winbind will report it, otherwise
"Display Name" is used.
In "Members Of" tab:
====================
In this tab you can choose a group from a list, and there is a button
by which you can set a Unix primary group by clicking. This is read by
winbind only. But this has no effect on the primary group ID on the
"UNIX attribute" tab.
What do you say? Did we configure something wrong? Is this the
normal function?
I needed to use the "idmap config" values:
idmap domains = FOREST
idmap config FOREST:readonly = yes
idmap config FOREST:backend = ad
idmap config FOREST:range = 0 - 29999
idmap config FOREST:schema_mode = sfu
idmap alloc backend = tdb
idmap alloc config:range = 50000-50999
and of course in nsswitch.conf:
passwd: compat winbind
group: compat winbind
some people like to use "files" instead of "compat", but that's about
NIS semantics and doesn't matter to winbind.
winbind separator = /
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 60
idmap backend = ad
idmap uid = 6000-27000
idmap gid = 600-7000
template shell = /bin/bash
template homedir = /home/%U
winbind use default domain = yes
winbind refresh tickets = yes
allow trusted domains = yes
winbind nss info = sfu template
My nsswitch.conf is like yours.
We want to use the "compat" mode because we hope we could exclude some
users from login. This isn't possible with winbind?!
Alternatively I know pam_require. Do you know a way to do this
task?
Is there a part of the documentation where the ldap attributes used by
winbind are shown? Or do I have to look this up in the source code :-)
Thanks a lot for your posting,
Andy
Regards, Doug
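An added sanity check for the mapping question discussed above (this script is not part of the thread or of Samba; it assumes the Samba 3.x "idmap config DOMAIN:range" syntax quoted above): it pulls the range for a domain out of smb.conf text and verifies that every UID and GID in "getent passwd"-style output falls inside that range. The sample config is the FOREST range from the thread, the jdoe line is the one shown above, and the second user (asmith, uid 41000) is constructed to fall outside the range so the failure path is visible. An ID outside the configured range is the first thing to look for when winbind does not return the account you expect.

```shell
#!/bin/sh
# Added example, not from the thread: check that the IDs winbind reports
# fall inside the "idmap config <DOMAIN>:range" configured in smb.conf.

# Constructed sample: the idmap lines quoted in the thread.
SMB_CONF='idmap domains = FOREST
idmap config FOREST:readonly = yes
idmap config FOREST:backend = ad
idmap config FOREST:range = 0 - 29999
idmap config FOREST:schema_mode = sfu'

# Constructed sample: jdoe is the entry from the thread, asmith is an
# invented account whose uid lies outside the 0-29999 range.
PASSWD_SAMPLE='FOREST\jdoe:*:525:100:John Doe:/home/jdoe:/bin/bash
FOREST\asmith:*:41000:100:Alice Smith:/home/asmith:/bin/bash'

# idmap_range DOMAIN CONFIG_TEXT -> prints "LOW HIGH" for that domain's range
# (tolerates the "0 - 29999" spacing used in the thread).
idmap_range() {
    printf '%s\n' "$2" |
        sed -n "s/^idmap config $1:range *= *\([0-9][0-9]*\) *- *\([0-9][0-9]*\).*/\1 \2/p"
}

# check_ids LOW HIGH PASSWD_TEXT -> one line per entry ("OK  user" or
# "OUT user uid=.. gid=.."); exit status 1 if any entry is out of range.
check_ids() {
    printf '%s\n' "$3" | awk -F: -v low="$1" -v high="$2" '
        {
            uid = $3 + 0; gid = $4 + 0
            if (uid < low || uid > high || gid < low || gid > high) {
                print "OUT " $1 " uid=" uid " gid=" gid
                bad = 1
            } else {
                print "OK  " $1
            }
        }
        END { exit bad ? 1 : 0 }'
}

# Stand-alone run: report the range found and which entries violate it.
range=$(idmap_range FOREST "$SMB_CONF")
low=${range% *}
high=${range#* }
echo "idmap range for FOREST: $low-$high"
check_ids "$low" "$high" "$PASSWD_SAMPLE" ||
    echo "at least one entry is outside the configured range"
```

In practice the sample text would be replaced by "$(cat /etc/samba/smb.conf)" and "$(getent passwd)"; the script only reads, so it is safe to run on a joined member server.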
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba