Re: [Samba] Must Samba4 AD be provisionned with rfc2307 to use winbind ?
A. On Sat, 2013-09-28 at 15:49 +0100, Rowland Penny wrote:

[SNIP]

> If you do a google search for 'uidNumber' for instance, you will find this webpage:
>
> http://msdn.microsoft.com/en-us/library/windows/desktop/ms680511%28v=vs.85%29.aspx
>
> This plainly shows that the earliest windows server that had 'uidNumber' was 2003R2 so as 'uidNumber' is in Samba4, samba4 function level should be 2003R2, but Samba4 seems to be using the 2008 schema (at least that is the only one that comes with samba 4) so should the function level be 2008?

Wrong, the uidNumber etc. were available in Server 2003 (and Server 200 for that matter) however it was an *optional* schema extension. I know I was working somewhere at the time where the AD admins were like many AD admins very reluctant to extend the schema.

In the upgrade to 2003R2 the schema extension was made mandatory. That is you upgraded your domain controllers to 2003R2 and the rfc2307 schema extension was applied to your AD whether you liked it or not.

Very useful as the biggest hurdle into getting rfc2307 working on an AD was often getting the AD admins to agree to the schema extension. Once it's there getting it populated was much easier.

JAB.

-- 
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Must Samba4 AD be provisionned with rfc2307 to use winbind ?
On 01/10/13 11:07, Jonathan Buzzard wrote:

> A. On Sat, 2013-09-28 at 15:49 +0100, Rowland Penny wrote:
>
> [SNIP]
>
> > If you do a google search for 'uidNumber' for instance, you will find this webpage:
> >
> > http://msdn.microsoft.com/en-us/library/windows/desktop/ms680511%28v=vs.85%29.aspx
> >
> > This plainly shows that the earliest windows server that had 'uidNumber' was 2003R2 so as 'uidNumber' is in Samba4, samba4 function level should be 2003R2, but Samba4 seems to be using the 2008 schema (at least that is the only one that comes with samba 4) so should the function level be 2008?
>
> Wrong, the uidNumber etc. were available in Server 2003 (and Server 200 for that matter) however it was an *optional* schema extension. I know I was working somewhere at the time where the AD admins were like many AD admins very reluctant to extend the schema.
>
> In the upgrade to 2003R2 the schema extension was made mandatory. That is you upgraded your domain controllers to 2003R2 and the rfc2307 schema extension was applied to your AD whether you liked it or not.
>
> Very useful as the biggest hurdle into getting rfc2307 working on an AD was often getting the AD admins to agree to the schema extension. Once it's there getting it populated was much easier.
>
> JAB.

Wrong, the first windows server that had 'uidNumber' as standard was 2003R2.

So, if it was first installed 'de-facto' in 2003R2 and Samba 4 has it as standard, then samba4 should be 'level 2003R2', but then again it seems to be using the 2008 schema (at least that is the earliest I can find in /usr/local/samba/share/setup/)

Rowland
Re: [Samba] Must Samba4 AD be provisionned with rfc2307 to use winbind ?
On Tue, 2013-10-01 at 11:27 +0100, Rowland Penny wrote:

[SNIP]

> Wrong, the first windows server that had 'uidNumber' as standard was 2003R2.

That is what I said. However there were lots of 2003 and even 2000 servers that had uidNumbers in their schema. What you cannot do is conclude because your AD has a uidNumber field that it is operating at 2003R2 or later. That is fundamentally flawed logic.

> So, if it was first installed 'de-facto' in 2003R2 and Samba 4 has it as standard, then samba4 should be 'level 2003R2', but then again it seems to be using the 2008 schema (at least that is the earliest I can find in /usr/local/samba/share/setup/)

Like I said flawed logic, because plenty of 2003 and 2000 servers had uidNumbers in their schema.

What is important is not what the schema is, but what on the wire protocol version that your AD controller is compatible with. I presume that if Samba4 is reporting it is a 2003 server it is because there was some extension of the AD controller protocol by Microsoft in 2003R2 that Samba4 does not support.

JAB.

-- 
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
Re: [Samba] Must Samba4 AD be provisionned with rfc2307 to use winbind ?
On 01/10/13 12:34, Jonathan Buzzard wrote:

> On Tue, 2013-10-01 at 11:27 +0100, Rowland Penny wrote:
>
> [SNIP]
>
> > Wrong, the first windows server that had 'uidNumber' as standard was 2003R2.
>
> That is what I said. However there were lots of 2003 and even 2000 servers that had uidNumbers in their schema. What you cannot do is conclude because your AD has a uidNumber field that it is operating at 2003R2 or later. That is fundamentally flawed logic.
>
> > So, if it was first installed 'de-facto' in 2003R2 and Samba 4 has it as standard, then samba4 should be 'level 2003R2', but then again it seems to be using the 2008 schema (at least that is the earliest I can find in /usr/local/samba/share/setup/)
>
> Like I said flawed logic, because plenty of 2003 and 2000 servers had uidNumbers in their schema.
>
> What is important is not what the schema is, but what on the wire protocol version that your AD controller is compatible with. I presume that if Samba4 is reporting it is a 2003 server it is because there was some extension of the AD controller protocol by Microsoft in 2003R2 that Samba4 does not support.
>
> JAB.

Here we go again, your logic is flawed, just because you personally know of lots of windows 2003 2000 servers that have 'uidNumbers' does not mean Samba 4 is level 2003.

The 'uidNumber' did not become a fixed part of the windows schema until 2003R2, before that it had to be added, but 'uidNumber' is a fixture of Samba 4 therefore Samba4 cannot be level 2003.

Also, if Samba 4 is level 2003, why does it ship with the 2008 2008R2 schemas and no sign of the 2003 schema?

Rowland
Re: [Samba] Must Samba4 AD be provisionned with rfc2307 to use winbind ?
On Tue, 2013-10-01 at 12:44 +0100, Rowland Penny wrote:

[SNIP]

> Here we go again, your logic is flawed, just because you personally know of lots of windows 2003 2000 servers that have 'uidNumbers' does not mean Samba 4 is level 2003.

No my logic is not flawed. You can *NEVER* determine the AD server level by looking at the schema.

> The 'uidNumber' did not become a fixed part of the windows schema until 2003R2, before that it had to be added, but 'uidNumber' is a fixture of Samba 4 therefore Samba4 cannot be level 2003.

By that logic a Windows 2000 server with a uidNumber must really be 2003R2 server. Clearly that is not the case.

> Also, if Samba 4 is level 2003, why does it ship with the 2008 2008R2 schemas and no sign of the 2003 schema?

Because it depends on the version of the wire level protocol that Samba4 supports and has nothing to do with the schema. That is, there is a set of MS-RPC calls that you need to support to be at level 2003R2 and presumably Samba4 does not support them all so it reports itself as a 2003 server.

You could probably import a 2008 schema into a 2003 server, but it would not make it a 2008 server. Let's face it you can have an AD domain with a mixture of 2003 and 2003R2 servers in it, and clearly the 2003 servers are not 2003R2.

JAB.

-- 
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
Re: [Samba] Must Samba4 AD be provisionned with rfc2307 to use winbind ?
On 01/10/13 12:57, Jonathan Buzzard wrote:

> On Tue, 2013-10-01 at 12:44 +0100, Rowland Penny wrote:
>
> [SNIP]
>
> > Here we go again, your logic is flawed, just because you personally know of lots of windows 2003 2000 servers that have 'uidNumbers' does not mean Samba 4 is level 2003.
>
> No my logic is not flawed. You can *NEVER* determine the AD server level by looking at the schema.

The logic as you wrote it, was flawed, you basically said that even if the server had 'uidnumber' it wouldn't be 2003R2, at no point in your initial post did you mention rpc calls. I am trying to find out just what level samba 4 is, I think that it is not really 2003. It is not really helpful if you jump in with 'wrong' and then do not explain correctly.

So, as you seem to know a bit about this, how do you find out what level a windows server is?

Rowland

> > The 'uidNumber' did not become a fixed part of the windows schema until 2003R2, before that it had to be added, but 'uidNumber' is a fixture of Samba 4 therefore Samba4 cannot be level 2003.
>
> By that logic a Windows 2000 server with a uidNumber must really be 2003R2 server. Clearly that is not the case.
>
> > Also, if Samba 4 is level 2003, why does it ship with the 2008 2008R2 schemas and no sign of the 2003 schema?
>
> Because it depends on the version of the wire level protocol that Samba4 supports and has nothing to do with the schema. That is, there is a set of MS-RPC calls that you need to support to be at level 2003R2 and presumably Samba4 does not support them all so it reports itself as a 2003 server.
>
> You could probably import a 2008 schema into a 2003 server, but it would not make it a 2008 server. Let's face it you can have an AD domain with a mixture of 2003 and 2003R2 servers in it, and clearly the 2003 servers are not 2003R2.
>
> JAB.
Re: [Samba] Must Samba4 AD be provisionned with rfc2307 to use winbind ?
On Sat, 2013-09-28 at 11:06 +1100, m...@electronico.nc wrote:

> On 27/09/2013 20:36, steve wrote:
>
> > On Fri, 2013-09-27 at 19:09 +1100, m...@electronico.nc wrote:
> >
> > > Hi all,
> > >
> > > (Trying to connect squid, postfix, dovecot, pptp, etc ... to AD)
> > >
> > > Samba 4.0.9, as PDC, on Ubuntu 12.04.3 server.
> > >
> > > Compiled with :
> > > ./configure --enable-debug --enable-selftest
> > >
> > > Domain provision :
> > > /usr/local/samba/bin/samba-tool domain provision
> > >
> > > Despite my reads and tries, I'm unable to list the AD users from Linux.
> > >
> > > /usr/local/samba/bin/wbinfo -t
> > > /usr/local/samba/bin/wbinfo -u
> > > /usr/local/samba/bin/wbinfo -g
> > > are OK but :
> > > getent passwd
> > > only lists Linux users.
> > >
> > > AD works OK and lot of work has been done onto.
> > >
> > > If the rfc2307 option is required during domain provision, can I launch it without losing the whole AD configuration ?
> >
> > Hi
> >
> > No. You don't need to provision with rfc2307 to be able to use it. You simply need to add the rfc2307 attributes to the DN's of the users. e.g. use wbinfo to get the numbers:
> >
> > wbinfo -i steve2
> > HH3\steve2:*:321:20513::/home/HH3/steve2:/bin/false
> >
> > Now add:
> >
> > uidNumber: 321
> > gidNumber: 20513
> >
> > to steve2
> >
> > An easy way to do that is with ldbedit. If you have a lot of users, use a script and then add the attributes using ldbmodify. I'd recommend using nslcd or sssd so that getent will pull the information from AD.
> >
> > HTH
> > Steve
>
> Thanks Denis and Steve for the answers.
>
> Without the rfc2307 domain provision, will I have to add manually uidNumber and guiNumber each time a new user is created from Windows Management Console ?

If you want to use MMC then yes. But why not add new users and groups using samba-tool? With 4.1.0 rc's you can add the user along with all his rfc2307 from the command line.

> Thanks to :
> http://linuxcostablanca.blogspot.com/2013/04/sssd-build-on-opensuse.html
> http://wiki.samba.org/index.php/Local_user_management_and_authentication/sssd
> I have been able to :
> getent passwd
> =
> But I have tried previously to install sssd from repository, then from git ...
> I'll start over (thanks clonezilla ;-) ) and let you know.
>
> Nicolas

If you want to run the AD backend with sssd, you'll need a minimum of version 1.10. If you're gonna build it, I'd recommend 1.11 which was released yesterday.
Re: [Samba] Must Samba4 AD be provisionned with rfc2307 to use winbind ?
On 28/09/13 01:06, m...@electronico.nc wrote:

> Without the rfc2307 domain provision, will I have to add manually uidNumber and guiNumber each time a new user is created from Windows Management Console ?

Even with RFC2307 domain provision, you will have to add the uidNumber gidNumber manually, as Steve says, you can do this with samba-tool, but YOU have to supply these numbers, they are not incremented automatically.

You need to write a script around samba-tool and find somewhere to get the numbers from, you could create the user then get the number that samba4 allocates, then add this as the uidnumber with an ldif file. You could also use the script that Steve wrote and is, I believe, available on his blog.

I personally use the 'rIDNextRID' attribute from 'cn=RID Set,cn=SERVERNAME,OU=Domain Controllers,DC=example,DC=com'. Just add 1 to this and you have the value of the next RID that will be used when a user is created, you could then use this as the basis for your uidNumber.

Incidentally, you do not have to provision with '--use-rfc2307' to get the RFC2307 attributes, you do not even need the rfc2307 line in smb.conf on the server to use the rfc2307 attributes, as far as Unix is concerned, it seems to work without them. It probably will lead to problems elsewhere, but where I do not know and cannot advise not using the recommended way of provisioning.

Just a thought, because all the RFC2307 attributes are already in Samba4 AD, does this mean that we are actually running at domain level 2003 R2 ? And if so, shouldn't the documentation etc show this.

Rowland
Re: [Samba] Must Samba4 AD be provisionned with rfc2307 to use winbind ?
On Sat, 2013-09-28 at 09:11 +0100, Rowland Penny wrote:

> Just a thought, because all the RFC2307 attributes are already in Samba4 AD, does this mean that we are actually running at domain level 2003 R2 ? And if so, shouldn't the documentation etc show this.

Hi

Good question. I've always wondered about that. The output suggests that we are running at 2003:

samba-tool domain level show
Domain and forest function level for domain 'DC=hh3,DC=site'
Forest function level: (Windows) 2003
Domain function level: (Windows) 2003
Lowest function level of a DC: (Windows) 2008 R2

Yet I'm old enough to remember that the 2003 server did not have the rfc2307 schema. It was introduced when sfu shipped as standard with 2003R2. Those joining Samba4 to a 2003 domain will NOT be able to use the 2307 attributes but those joining a 2003-R2 or above can [1]. If that's the case, then the output of the domain level show command is incorrect as we can and do use all the rfc2307 attributes. I can see that the 2008 R2 schema which ships with Samba4 also includes the attributes.

[1] I wonder if the 2012 AD schema has rfc2307?

Cheers,
Steve
Re: [Samba] Must Samba4 AD be provisionned with rfc2307 to use winbind ?
On 28/09/13 14:29, steve wrote:

> On Sat, 2013-09-28 at 09:11 +0100, Rowland Penny wrote:
>
> > Just a thought, because all the RFC2307 attributes are already in Samba4 AD, does this mean that we are actually running at domain level 2003 R2 ? And if so, shouldn't the documentation etc show this.
>
> Hi
>
> Good question. I've always wondered about that. The output suggests that we are running at 2003:
>
> samba-tool domain level show
> Domain and forest function level for domain 'DC=hh3,DC=site'
> Forest function level: (Windows) 2003
> Domain function level: (Windows) 2003
> Lowest function level of a DC: (Windows) 2008 R2
>
> Yet I'm old enough to remember that the 2003 server did not have the rfc2307 schema. It was introduced when sfu shipped as standard with 2003R2. Those joining Samba4 to a 2003 domain will NOT be able to use the 2307 attributes but those joining a 2003-R2 or above can [1]. If that's the case, then the output of the domain level show command is incorrect as we can and do use all the rfc2307 attributes. I can see that the 2008 R2 schema which ships with Samba4 also includes the attributes.
>
> [1] I wonder if the 2012 AD schema has rfc2307?
>
> Cheers,
> Steve

If you do a google search for 'uidNumber' for instance, you will find this webpage:

http://msdn.microsoft.com/en-us/library/windows/desktop/ms680511%28v=vs.85%29.aspx

This plainly shows that the earliest windows server that had 'uidNumber' was 2003R2 so as 'uidNumber' is in Samba4, samba4 function level should be 2003R2, but Samba4 seems to be using the 2008 schema (at least that is the only one that comes with samba 4) so should the function level be 2008?

Rowland
Re: [Samba] Must Samba4 AD be provisionned with rfc2307 to use winbind ?
Hello,

On 28.09.2013 10:11, Rowland Penny wrote:

> > Without the rfc2307 domain provision, will I have to add manually uidNumber and guiNumber each time a new user is created from Windows Management Console ?
>
> Even with RFC2307 domain provision, you will have to add the uidNumber gidNumber manually, as Steve says, you can do this with samba-tool, but YOU have to supply these numbers, they are not incremented automatically.

If you use the MMC, the numbers are incremented automatically. You simply select the NIS domain in the Unix tab and it shows the last UID/GID + 1. So you don't have to track somewhere which was the last UID/GID you've set. Microsoft tracks this somewhere in the directory under System / RpcServices.

Regards,
Marc
Re: [Samba] Must Samba4 AD be provisionned with rfc2307 to use winbind ?
On 28/09/13 16:11, Marc Muehlfeld wrote:

> Hello,
>
> On 28.09.2013 10:11, Rowland Penny wrote:
>
> > > Without the rfc2307 domain provision, will I have to add manually uidNumber and guiNumber each time a new user is created from Windows Management Console ?
> >
> > Even with RFC2307 domain provision, you will have to add the uidNumber gidNumber manually, as Steve says, you can do this with samba-tool, but YOU have to supply these numbers, they are not incremented automatically.
>
> If you use the MMC, the numbers are incremented automatically. You simply select the NIS domain in the Unix tab and it shows the last UID/GID + 1. So you don't have to track somewhere which was the last UID/GID you've set. Microsoft tracks this somewhere in the directory under System / RpcServices.
>
> Regards,
> Marc

Well, yes you are probably right, but as I have never used the MMC to add a Linux user, I did not know this, so thanks for the heads up. Having said that, I still think it would be quicker to add a user via a script on the Linux server.

Do you know exactly where Microsoft tracks the uidNumber?

Rowland
Re: [Samba] Must Samba4 AD be provisionned with rfc2307 to use winbind ?
On Sat, 2013-09-28 at 17:11 +0200, Marc Muehlfeld wrote:

> If you use the MMC,

Hi. The op cannot use MMC.

Cheers,
Steve
Re: [Samba] Must Samba4 AD be provisionned with rfc2307 to use winbind ?
On Sat, 2013-09-28 at 16:22 +0100, Rowland Penny wrote:

> On 28/09/13 16:11, Marc Muehlfeld wrote:
>
> > Hello,
> >
> > On 28.09.2013 10:11, Rowland Penny wrote:
> >
> > > > Without the rfc2307 domain provision, will I have to add manually uidNumber and guiNumber each time a new user is created from Windows Management Console ?
> > >
> > > Even with RFC2307 domain provision, you will have to add the uidNumber gidNumber manually, as Steve says, you can do this with samba-tool, but YOU have to supply these numbers, they are not incremented automatically.
> >
> > If you use the MMC, the numbers are incremented automatically. You simply select the NIS domain in the Unix tab and it shows the last UID/GID + 1. So you don't have to track somewhere which was the last UID/GID you've set. Microsoft tracks this somewhere in the directory under System / RpcServices.
> >
> > Regards,
> > Marc
>
> Well, yes you are probably right, but as I have never used the MMC to add a Linux user, I did not know this, so thanks for the heads up. Having said that, I still think it would be quicker to add a user via a script on the Linux server.
>
> Do you know exactly where Microsoft tracks the uidNumber?
>
> Rowland

Yeah, another good one. Samba4 provisioned without rfc2307 takes the next uid/gidNumber from the CN=CONFIG counter object in idmap.ldb, attribute: xidNumber

If we set:

idmap_ldb:use rfc2307 = Yes

in smb.conf the counter does not update and is ignored. This entry is added if we provision with rfc2307 but it can be added to a provision without it whereupon it has the same effect. The counter stops.

MMC introduces yet another way of guessing a uidNumber.

I think the advice must be, choose one method and stick to it. They are not interchangeable. Rowland's RID script seems the most bulletproof to me.

Cheers,
Steve
[Samba] Must Samba4 AD be provisionned with rfc2307 to use winbind ?
Hi all,

(Trying to connect squid, postfix, dovecot, pptp, etc ... to AD)

Samba 4.0.9, as PDC, on Ubuntu 12.04.3 server.

Compiled with :
./configure --enable-debug --enable-selftest

Domain provision :
/usr/local/samba/bin/samba-tool domain provision

Despite my reads and tries, I'm unable to list the AD users from Linux.

/usr/local/samba/bin/wbinfo -t
/usr/local/samba/bin/wbinfo -u
/usr/local/samba/bin/wbinfo -g
are OK but :
getent passwd
only lists Linux users.

AD works OK and lot of work has been done onto.

If the rfc2307 option is required during domain provision, can I launch it without losing the whole AD configuration ?

Thanks in advance for your time.

Nicolas
Re: [Samba] Must Samba4 AD be provisionned with rfc2307 to use winbind ?
Hi Nicolas,

> (Trying to connect squid, postfix, dovecot, pptp, etc ... to AD)
>
> Samba 4.0.9, as PDC, on Ubuntu 12.04.3 server.
>
> Compiled with :
> ./configure --enable-debug --enable-selftest
>
> Domain provision :
> /usr/local/samba/bin/samba-tool domain provision
>
> Despite my reads and tries, I'm unable to list the AD users from Linux.
>
> /usr/local/samba/bin/wbinfo -t
> /usr/local/samba/bin/wbinfo -u
> /usr/local/samba/bin/wbinfo -g
> are OK but :
> getent passwd
> only lists Linux users.

In order to have getent password to work, you need to have the correct nss module in the path. It is not in the default path when compiling. Please take a look at http://wiki.samba.org/index.php/Samba4/Winbind

For a 32bit system, you can run :

ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/libnss_winbind.so
ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2

However if you are not using rfc2307, you will have random idmap (no rid idmap yet).

Cheers,

Denis

> AD works OK and lot of work has been done onto.
>
> If the rfc2307 option is required during domain provision, can I launch it without losing the whole AD configuration ?
>
> Thanks in advance for your time.
>
> Nicolas

-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
Re: [Samba] Must Samba4 AD be provisionned with rfc2307 to use winbind ?
On Fri, 2013-09-27 at 19:09 +1100, m...@electronico.nc wrote:

> Hi all,
>
> (Trying to connect squid, postfix, dovecot, pptp, etc ... to AD)
>
> Samba 4.0.9, as PDC, on Ubuntu 12.04.3 server.
>
> Compiled with :
> ./configure --enable-debug --enable-selftest
>
> Domain provision :
> /usr/local/samba/bin/samba-tool domain provision
>
> Despite my reads and tries, I'm unable to list the AD users from Linux.
>
> /usr/local/samba/bin/wbinfo -t
> /usr/local/samba/bin/wbinfo -u
> /usr/local/samba/bin/wbinfo -g
> are OK but :
> getent passwd
> only lists Linux users.
>
> AD works OK and lot of work has been done onto.
>
> If the rfc2307 option is required during domain provision, can I launch it without losing the whole AD configuration ?

Hi

No. You don't need to provision with rfc2307 to be able to use it. You simply need to add the rfc2307 attributes to the DN's of the users. e.g. use wbinfo to get the numbers:

wbinfo -i steve2
HH3\steve2:*:321:20513::/home/HH3/steve2:/bin/false

Now add:

uidNumber: 321
gidNumber: 20513

to steve2

An easy way to do that is with ldbedit. If you have a lot of users, use a script and then add the attributes using ldbmodify. I'd recommend using nslcd or sssd so that getent will pull the information from AD.

HTH
Steve
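The wbinfo-then-ldbmodify procedure described in the message above, as an added example that is not part of the thread: a shell helper that turns `wbinfo -i` output into LDIF for ldbmodify. The account DN (under CN=Users), the sam.ldb path and the refusal of uid/gid 0 are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): build ldbmodify input from `wbinfo -i`.

# is_uint STRING: true only for a non-empty string of decimal digits.
is_uint() {
    case "$1" in
        '' | *[!0-9]*) return 1 ;;
    esac
    return 0
}

# wbinfo_to_ldif PASSWD_LINE USER_DN
# Prints one LDIF modify record adding uidNumber and gidNumber to USER_DN.
# Returns 1 and prints nothing on stdout when the line is malformed or would
# give the account uid or gid 0 (root); that guard is this example's choice.
wbinfo_to_ldif() {
    wl_line=$1
    wl_dn=$2
    [ -n "$wl_dn" ] || { echo "missing DN" >&2; return 1; }

    # passwd layout: name:passwd:uid:gid:gecos:home:shell
    # read -r keeps the backslash in DOMAIN\user and never globs the '*' field.
    IFS=: read -r wl_name wl_pw wl_uid wl_gid wl_rest <<EOF
$wl_line
EOF

    if ! is_uint "$wl_uid" || ! is_uint "$wl_gid"; then
        echo "skip '$wl_name': uid/gid missing or not numeric" >&2
        return 1
    fi
    if [ "$wl_uid" -eq 0 ] || [ "$wl_gid" -eq 0 ]; then
        echo "skip '$wl_name': refusing to map a domain account to id 0" >&2
        return 1
    fi

    # 'add:' (not 'replace:') so a record for an account that already has
    # these attributes is not applied silently over the existing values.
    printf 'dn: %s\n' "$wl_dn"
    printf 'changetype: modify\n'
    printf 'add: uidNumber\nuidNumber: %s\n-\n' "$wl_uid"
    printf 'add: gidNumber\ngidNumber: %s\n' "$wl_gid"
}

# ldif_batch: reads "USER_DN<TAB>wbinfo -i line" pairs on stdin and prints the
# records separated by blank lines. Returns 1 if any input line was skipped.
ldif_batch() {
    lb_rc=0
    lb_tab=$(printf '\t')
    while IFS=$lb_tab read -r lb_dn lb_line; do
        [ -n "$lb_dn" ] || continue
        if lb_rec=$(wbinfo_to_ldif "$lb_line" "$lb_dn"); then
            printf '%s\n\n' "$lb_rec"
        else
            lb_rc=1
        fi
    done
    return $lb_rc
}

# The wbinfo line is the one quoted in the thread; the DN is an assumed
# location for that account in the thread's DC=hh3,DC=site domain.
SAMPLE='HH3\steve2:*:321:20513::/home/HH3/steve2:/bin/false'
SAMPLE_DN='CN=steve2,CN=Users,DC=hh3,DC=site'
wbinfo_to_ldif "$SAMPLE" "$SAMPLE_DN"

# Save the output to a file and apply it on the DC, for example:
#   ldbmodify -H /usr/local/samba/private/sam.ldb users.ldif
# (sam.ldb path assumed for the /usr/local/samba source build in the thread)
```
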
Re: [Samba] Must Samba4 AD be provisionned with rfc2307 to use winbind ?
On 27/09/2013 20:36, steve wrote:

> On Fri, 2013-09-27 at 19:09 +1100, m...@electronico.nc wrote:
>
> > Hi all,
> >
> > (Trying to connect squid, postfix, dovecot, pptp, etc ... to AD)
> >
> > Samba 4.0.9, as PDC, on Ubuntu 12.04.3 server.
> >
> > Compiled with :
> > ./configure --enable-debug --enable-selftest
> >
> > Domain provision :
> > /usr/local/samba/bin/samba-tool domain provision
> >
> > Despite my reads and tries, I'm unable to list the AD users from Linux.
> >
> > /usr/local/samba/bin/wbinfo -t
> > /usr/local/samba/bin/wbinfo -u
> > /usr/local/samba/bin/wbinfo -g
> > are OK but :
> > getent passwd
> > only lists Linux users.
> >
> > AD works OK and lot of work has been done onto.
> >
> > If the rfc2307 option is required during domain provision, can I launch it without losing the whole AD configuration ?
>
> Hi
>
> No. You don't need to provision with rfc2307 to be able to use it. You simply need to add the rfc2307 attributes to the DN's of the users. e.g. use wbinfo to get the numbers:
>
> wbinfo -i steve2
> HH3\steve2:*:321:20513::/home/HH3/steve2:/bin/false
>
> Now add:
>
> uidNumber: 321
> gidNumber: 20513
>
> to steve2
>
> An easy way to do that is with ldbedit. If you have a lot of users, use a script and then add the attributes using ldbmodify. I'd recommend using nslcd or sssd so that getent will pull the information from AD.
>
> HTH
> Steve

Thanks Denis and Steve for the answers.

Without the rfc2307 domain provision, will I have to add manually uidNumber and guiNumber each time a new user is created from Windows Management Console ?

Thanks to :
http://linuxcostablanca.blogspot.com/2013/04/sssd-build-on-opensuse.html
http://wiki.samba.org/index.php/Local_user_management_and_authentication/sssd
I have been able to :
getent passwd

But there were troubles with the Administrator roaming profile and syslog showing :

Sep 28 10:59:52 serveur smbd[22769]: ===
Sep 28 10:59:52 serveur smbd[22769]: [2013/09/28 10:59:52.079802, 0] ../source3/lib/util.c:810(smb_panic_s3)
Sep 28 10:59:52 serveur smbd[22769]: PANIC (pid 22769): internal error
Sep 28 11:00:09 serveur smbd[22772]: [2013/09/28 11:00:09.610461, 0] ../lib/util/fault.c:72(fault_report)
Sep 28 11:00:09 serveur smbd[22772]: ===
Sep 28 11:00:09 serveur smbd[22772]: [2013/09/28 11:00:09.610698, 0] ../lib/util/fault.c:73(fault_report)
Sep 28 11:00:09 serveur smbd[22772]: INTERNAL ERROR: Signal 11 in pid 22772 (4.0.9)
Sep 28 11:00:09 serveur smbd[22772]: Please read the Trouble-Shooting section of the Samba HOWTO
Sep 28 11:00:09 serveur smbd[22772]: [2013/09/28 11:00:09.610913, 0] ../lib/util/fault.c:75(fault_report)
Sep 28 11:00:09 serveur smbd[22772]: ===

But I have tried previously to install sssd from repository, then from git ...
I'll start over (thanks clonezilla ;-) ) and let you know.

Nicolas