On 12/08/12 15:26, Gémes Géza wrote:
Hi,
Hi all,

I'm still struggling with getting samba 3.6 to use the uids and gids
from my Active Directory 2008 R2 setup. I can see the users, I just
can't get their UIDs mapped onto my linux machine.

I've configured AD to use its "services for unix" feature, and
through that, I got a "Unix Attributes" tab where I could enter fields
like uid, home dir, shell, and primary GID.

My few questions:

1. Am I supposed to configure Samba to use rfc2307, or sfu?
2. As you can see in my config, below, I've configured an idmap range
for the AD domain. It seems to be ignored, and instead, my users get
placed in the wildcard domain's idmap range.
3. I found some advice (don't remember where) to try to delete these
files when I change this part of my config:
    /var/run/samba/gencache*
    /var/cache/samba/winbindd_cache.tdb
    /var/lib/samba/winbindd_idmap.tdb
   Any thoughts about the need/value to delete these temp files are
appreciated.
4. Finally, does anyone have suggestions of other things I can try?

thanks very much.

best,
-Nick
According to man idmap_ad you should have a generic idmap backend line
as well, like:

idmap backend = tdb
idmap uid range = some uninteresting range
idmap gid range = some uninteresting range


S3.6 complains about deprecation here and only accepts the gid range.

I wrote uninteresting range because you should specify a range in which you
haven't placed your users via ADUC.
[global]   (from my smb.conf)
    workgroup = CORP
    server string = %h server (Samba, Ubuntu)

    security = ADS
    realm = CORP.xxx.COM
    allow trusted domains = yes
    winbind use default domain = yes
    winbind nested groups = YES
    winbind nested groups = YES
    winbind enum groups = yes
    winbind enum users = yes
    winbind nss info = rfc2307
    winbind refresh tickets = yes
    idmap config CORP : backend = ad
    idmap config CORP : schema_mode = rfc2307
    #idmap config CORP : range = 1000 - 99999
    idmap config * : default = yes
    #idmap config * : backend = tdb
    #idmap config * : range = 100000 - 199999
    idmap config * : range = 900 - 1999

    encrypt passwords = true

    obey pam restrictions = yes
    client use spnego = yes
    client ntlmv2 auth = yes
    encrypt passwords = true
    restrict anonymous = 2

When I perform an ldapsearch against my server, I see these
attributes, among others:

msSFU30Name: nick
msSFU30NisDomain: corp
uidNumber: 1001
gidNumber: 1000
unixHomeDirectory: /home/nick
loginShell: /bin/bash

Regards

Geza

Hi
Here is a 3.6.3 config that works against Samba4 AD. There is no need for m$ sfu. 2008 R2 and Samba4 both allow full rfc2307 out of the box:

[global]
realm = polop.site
workgroup = ALTEA
security = ADS
winbind enum users = Yes
winbind enum groups = Yes
idmap config *:backend = tdb
idmap config *:range = 3000-4000
idmap config ALTEA:backend = ad
idmap config ALTEA:range = 20000-40000000
idmap config ALTEA:schema_mode = rfc2307
winbind nss info = rfc2307
winbind expand groups = 2
winbind nested groups = yes
#winbind use default domain = Yes

HTH
Cheers,
Steve
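An added check, not code from any of the posters: a small Python linter for the idmap lines in smb.conf, showing why the first config in this thread lands users in the "*" range (the CORP range and the "*" backend are commented out) while Steve's does not. The inputs are constructed from the two configs above; the uidNumber 1001 is the value from the ldapsearch output.

```python
# Added example, not part of the thread: lint the "idmap config" lines of an
# smb.conf and report the misconfigurations discussed above.
import re
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+([^:\s]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

# Constructed inputs modelled on the two configs in the thread.
FIRST_CONF = """
    idmap config CORP : backend = ad
    #idmap config CORP : range = 1000 - 99999
    #idmap config * : backend = tdb
    idmap config * : range = 900 - 1999
"""
SECOND_CONF = """
idmap config *:backend = tdb
idmap config *:range = 3000-4000
idmap config ALTEA:backend = ad
idmap config ALTEA:range = 20000-40000000
"""

def parse_idmap(conf_text):
    """Return {DOMAIN: {key: value}} from uncommented 'idmap config' lines."""
    domains = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue  # smbd ignores commented-out lines, so must we
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            domains.setdefault(dom, {})[key] = val
    return domains

def check_idmap(conf_text, uid=None):
    """Return findings as strings; an empty list means the idmap layout looks sane."""
    doms = parse_idmap(conf_text)
    star = doms.get("*", {})
    findings = []
    if "backend" not in star:
        findings.append("*: no explicit backend; set one (e.g. tdb) for the default allocator")
    for dom, cfg in doms.items():
        if dom == "*": continue
        if "range" not in cfg:
            findings.append(f"{dom}: backend={cfg.get('backend')} has no range; ids fall back to '*'")
            continue
        lo, hi = (int(x) for x in cfg["range"].replace(" ", "").split("-"))
        if uid is not None and not lo <= uid <= hi:
            findings.append(f"{dom}: AD uidNumber {uid} is outside {lo}-{hi}, so idmap_ad will not map it")
    return findings
```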

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba