On Sun, 2012-12-16 at 16:51 -0500, Thomas Simmons wrote:
> Hello Andrew,
>
> If functionality is not there, I certainly understand and can work
> around it. I just want to make sure I am not misunderstanding
> something.
>
> When you say I should set "idmap_ldb:use rfc2307=yes" in smb.conf on
> the DC, do you mean that by doing so I can use winbind (and the
> rfc2307 attributes) for *nix authentication on the DC? I am confused
> because I already have "idmap_ldb:use rfc2307 = yes" in my smb.conf
> (it gets added automatically with the classicupgrade and I always
> provision my "clean" test setup with "--use-rfc2307"). That actually
> works fine - the rfc2307 attributes are there and I can modify them in
> ADUC. If I configure the server to use NSS+LDAP for authentication, my
> users' uid number, gid number, shell, etc are what I have specified
> in ADUC. When I try using winbind, it is not using the rfc2307
> information from AD.
That's odd, but remember that only the UID and GID values will be used (not the shell or homedir, which is handled in a different bit of the code). However, your output below clearly shows that isn't happening :-(

> > Here I have NSS+LDAP configured and getent reports the correct uidNumber
> > and gidNumber that I have specified in AD (rfc2307 attributes):
> >
> > root@ALW1:~# getent passwd | grep tuser
> > tuser1:*:10005:10000:Test User1:/home/tuser1:/bin/sh
> > tuser2:*:10006:10000:Test User2:/home/tuser2:/bin/sh
> > tuser3:*:10007:10000:Test User3:/home/tuser3:/bin/sh
> >
> > Here (DC) I am using winbind for authentication, and getent does not report
> > the correct uidNumber and gidNumber:
> >
> > [root@ADC1 ~]# getent passwd | grep tuser
> > TESTDOM\tuser1:*:3000025:100:Test User1:/home/tuser1:/bin/sh
> > TESTDOM\tuser2:*:3000026:100:Test User2:/home/tuser2:/bin/sh
> > TESTDOM\tuser3:*:3000027:100:Test User3:/home/tuser3:/bin/sh

> As a test, can you set 'acl:search=false' and see if it makes a difference?

> Initially, "idmap_ldb:use rfc2307 = yes" was the only idmap related
> entry in my smb.conf. When that did not work I tried a bunch of other
> "idmap config DOMAIN" settings.

The code that handles that isn't hooked up yet. I'm hoping someone will take this on for 4.1.

> Again, if this simply does not work at this time, I can use NSS and
> LDAP for logins on my DCs. With my S3 setup, I've always used LDAP for
> auth on *nix systems and am not terribly familiar with winbind, so I
> just want to make sure I'm not missing something. My next test will be
> setting up a member server. Can you tell me what entries I will need
> in my smb.conf to have winbind use the rfc2307 information from my S4
> DC on member servers?

I don't recall the exact settings right now, but for member servers it is the same as for a Windows AD domain (yes, I think this should be more automatic).
In terms of using nss_ldap on the DC, the only concern I have is that the [homes] share might not work if you do that. Our DC code mostly avoids calling into nss, but that particular area does do it, and really does expect that nss_winbind is being used. For that reason, we generally suggest separation between the DC and other roles as the best way out of this situation.

Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team
http://samba.org
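For the member-server question in the thread above, the smb.conf fragment below is an added example (not part of Andrew's reply and not taken from Samba's own documentation) of the "same as for a Windows AD domain" setup: winbind's `ad` idmap backend reading uidNumber/gidNumber from the rfc2307 attributes in AD. The realm is a placeholder the thread never states, and the ranges are chosen to cover the 10005-10007 / 10000 values visible in the getent output.

```ini
[global]
    workgroup = TESTDOM
    # placeholder: the thread does not name the Kerberos realm
    realm = TESTDOM.EXAMPLE.COM
    security = ads

    # Default backend for SIDs from no configured domain (BUILTIN, local SAM).
    # Keep this range disjoint from the AD range below.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # Take uid/gid from the rfc2307 attributes stored in AD rather than
    # allocating them locally (the 3000025-style values seen on the DC).
    # The range MUST include the uidNumber/gidNumber values set in ADUC;
    # an AD value outside this range is rejected and the user is not mapped.
    idmap config TESTDOM : backend = ad
    idmap config TESTDOM : schema_mode = rfc2307
    idmap config TESTDOM : range = 10000-999999

    # Also supply loginShell / unixHomeDirectory from AD instead of
    # the template defaults.
    winbind nss info = rfc2307
```

After restarting winbind, `getent passwd 'TESTDOM\tuser1'` should report uid 10005 and gid 10000; an allocated 3000xxx uid or a missing entry usually means the value in AD falls outside the configured range.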