[Samba] samba 4 userid mapping

2013-07-28 Thread Nick B
Complete new user here.  Setting up my first samba configuration, using
samba 4.0.6 as a primary domain controller.  I have user profiles, network
shares, active directory, and domain controller working.  But I cannot
understand how to map windows userid to linux userid (and map groupid as
well).  I am struggling because much of the documentation is outdated and
meant for samba 3.x or targeted for samba as a domain member.  I followed
some documentation to try the userid mapping through active directory, but
that required Microsoft services for Unix 3.5, which will not install on 64
versions of MS.  I find myself without any orientation of how to proceed.

I am suffering from documentation overload, much of it contradictory or not
applicable.  I am not even sure how to use winbind, or if that is required
for my situation.  I really need a simple step by step howto that is
specific to samba 4 as a PDC.  If you want to reference documentation,
great, but please reference specific sections instead of whole general
chapters.  Any help greatly appreciated.  Thank you.

Configuration information follows:

Server

OS:  OpenSuSE 12.1, 64 bit
Samba:  Samba 4.0.6
Configuration:  Primary domain controller with active directory support
Using BIND 9 DNS server


Client

OS:  Windows 7 Professional, 64 bit


Samba configuration file


# Global parameters
[global]
workgroup = MYDOMAIN
realm = MYDOMAIN.ORG
netbios name = SERVER
wins support = Yes
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
encrypt passwords = yes

# Setup user maps
idmap config * : backend = tdb
idmap config * : range = 10-19
idmap config MYDOMAIN : backend = ad
idmap config MYDOMAIN : schema_mode = rfc2307
idmap config MYDOMAIN : range = 5-9
winbind nss info = rfc2307
winbind trusted domains only = No
winbind use default domain = Yes
winbind enum users = Yes
winbind enum groups = Yes

# Logon path tells samba where to put Windows roaming profiles
logon path = \\%h\profiles\%u

# Logon home is used to specify home directory and
# Windows 95/98/ME roaming profile location
logon home = \\%h\%u\.win_profiles

# Allow Samba to send correct time to windows
time server = Yes

# Set logging options
log file = /var/log/samba/log.odeon

# Shares configurations follows.  Not included for brevity . . .

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] samba 4 userid mapping

2013-07-28 Thread steve
On Tue, 2013-07-09 at 18:22 -0700, Nick B wrote:

Hi
None of this works on a s4 DC

 # Setup user maps
 idmap config * : backend = tdb
 idmap config * : range = 10-19
 idmap config MYDOMAIN : backend = ad
 idmap config MYDOMAIN : schema_mode = rfc2307
 idmap config MYDOMAIN : range = 5-9
 winbind nss info = rfc2307
 winbind trusted domains only = No
 winbind use default domain = Yes
 winbind enum users = Yes
 winbind enum groups = Yes

replace it with this:
idmap_ldb:use rfc2307 = Yes

make the winbind links:
ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib64/libnss_winbind.so
ln -s libnss_winbind.so /lib64/libnss_winbind.so.2

and the nss stuff in /etc/nsswitch.conf:
passwd:  files winbind
group:   files winbind

Now add the uidNumber and gidNumber attributes to the user or group DN
in AD. You can use ldbmodify or ldbedit for that. If you are brave, you
can build the master and use samba-tool to add the attributes when you
create the user.

Note: if you want the whole of rfc2307 as your smb.conf suggests, then
use sssd and forget about winbind.

HTH
Steve
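
The uidNumber/gidNumber step from the reply above, as an added example that is not part of the thread: a shell function that builds the LDIF for ldbmodify and refuses IDs that would shadow a local account, which matters because "passwd: files winbind" resolves local entries first. The function names, the MIN_ID floor of 10000, the sample DN and the sam.ldb path in the comment are assumptions, not values from the posts.

```shell
# Added example; function names, MIN_ID and the paths below are assumptions.
MIN_ID=10000   # assumed floor that keeps domain IDs clear of local accounts

# is_uint VALUE: succeed only for plain decimal digits without a leading zero
is_uint() {
    case "$1" in
        ''|*[!0-9]*|0?*) return 1 ;;
        *) return 0 ;;
    esac
}

# id_in_file ID FILE: succeed if ID is field 3 of a passwd/group style file
id_in_file() {
    awk -F: -v id="$1" '$3 == id { found = 1 } END { exit !found }' "$2"
}

# make_rfc2307_ldif DN UID GID [PASSWD_FILE] [GROUP_FILE]
# Prints an LDIF modify record on stdout. Returns non-zero and prints no
# LDIF when the DN spans lines, or an ID is malformed, below MIN_ID, or
# already used by a local account (files are consulted before winbind).
make_rfc2307_ldif() {
    dn=$1 uid=$2 gid=$3 pw=${4:-/etc/passwd} gr=${5:-/etc/group}
    nl='
'
    case "$dn" in ''|*"$nl"*) echo "bad DN" >&2; return 2 ;; esac
    for n in "$uid" "$gid"; do
        is_uint "$n" || { echo "not a plain number: $n" >&2; return 2; }
        [ "$n" -ge "$MIN_ID" ] || { echo "below $MIN_ID: $n" >&2; return 3; }
    done
    id_in_file "$uid" "$pw" && { echo "uid $uid is a local uid" >&2; return 4; }
    id_in_file "$gid" "$gr" && { echo "gid $gid is a local gid" >&2; return 4; }
    printf 'dn: %s\nchangetype: modify\n' "$dn"
    printf 'add: uidNumber\nuidNumber: %s\n-\n' "$uid"
    printf 'add: gidNumber\ngidNumber: %s\n' "$gid"
}

# Typical use on the DC (sample DN; sam.ldb path assumes a /usr/local/samba
# source install):
#   make_rfc2307_ldif 'CN=nick,CN=Users,DC=mydomain,DC=org' 10000 10000 > u.ldif
#   ldbmodify -H /usr/local/samba/private/sam.ldb u.ldif
```

After the change, `getent passwd <user>` on the DC should list the account with the uidNumber that was set.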

