Andreas Ladanyi wrote:
Hey Jerry,

Gerald (Jerry) Carter wrote:
Andreas Ladanyi wrote:

Ok! Could it be true that this behavior is different between
"security=domain" and "security=ads"?

Because we had to put the user into the group:
- first on the windows side in Active Directory
- second on the unix side in AD in the tab "Members Of"

so the winbind 3.0.24 client recognises the group membership on the unix side in "security=domain" mode.

Now we changed to Samba 3.0.31 with security=ads mode and the behavior is a bit different.

You lost me here.  Maybe due to the fact that I am accustomed
to the Windows 2003 R2 Unix Attribute tab.  The only member
of tab I see is to control the Windows group memberships.
The reason for my message is a little confusion:
In general you are right ;-)
Good thing too, because he's one of the primary samba developers =-O

There is one "UNIX attribute" tab and one "Members Of" tab.
During some tests we discovered the following facts
=================================================
In "UNIX attribute" tab:
========================
winbind is only interested in the UID field ->
in ldap tree the attribute "uidnumber".
If you're talking SFU, it doesn't use uidnumber. It uses attribute msSFU30UidNumber and displays UID on the Unix Attributes tab. I don't have a Windows 2003 R2 for comparison. Are you really using SFU (Services For Unix 3.0) or do you have the newer 2003 R2?
The other attributes from the "UNIX attribute" tab are written to the ldap tree, but not used by winbind on the linux side.
For example we set the following parameter in smb.conf:
winbind nss info = sfu
Of course we could define our own template shell/home with the "template home" and "template shell" parameters, but it's better if "sfu" works, so we would configure these parameters via the tab.
Winbind only uses this parameter when it creates a Unix account. Which shouldn't happen for your AD domain members if your AD is mapped correctly.

The "primary Group" is written to the ldap tree but not used by winbind on the unix side.
# net ads testjoin
Join is OK

# wbinfo -i forest\\jdoe
FOREST\jdoe:*:525:100:John Doe:/home/jdoe:/bin/bash
# getent passwd|grep jdoe
FOREST\jdoe:*:525:100:John Doe:/home/jdoe:/bin/bash

# getent group|grep 100
FOREST\domain users:x:100:

You can set the value msSFU30Gecos and winbind will report it, otherwise "Display Name" is used.

In "Members Of" tab:
====================
In this tab you can choose a group from a list and there is a button with which you can set a Unix primary group by clicking. This will be read by winbind only. But this has no effect on the primary group ID on the "UNIX attribute" tab.

What do you say ? Did we configure something wrong ? Is this the normal function ?
I needed to use the "idmap config" values:
       idmap domains = FOREST
       idmap config FOREST:readonly = yes
       idmap config FOREST:backend = ad
       idmap config FOREST:range = 0 - 29999
       idmap config FOREST:schema_mode = sfu

       idmap alloc backend = tdb
       idmap alloc config:range = 50000-50999

and of course in nsswitch.conf:
passwd: compat winbind
group:  compat winbind

some people like to use "files" instead of "compat", but that's about NIS semantics and doesn't matter to winbind.


Regards, Doug
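A small check, added here and not part of the thread, that takes getent-style passwd/group lines (constructed sample data below; the jdoe line mirrors the wbinfo output quoted above, the other entries are invented) and reports, for each user, whether the UID came from the read-only AD range or the tdb allocation range of Doug's idmap config, and whether the primary GID resolves to a group.

```shell
#!/bin/sh
# Added example, not from the thread: classify winbind passwd entries by
# the idmap range their UID falls into and check that the primary GID
# resolves to a group. Ranges are taken from Doug's smb.conf above.
AD_LO=0;        AD_HI=29999      # idmap config FOREST:range (AD/SFU, read-only)
ALLOC_LO=50000; ALLOC_HI=50999   # idmap alloc config:range (tdb allocator)

# Constructed sample lines standing in for `getent passwd` / `getent group`
# output (the jdoe line mirrors the one shown above; the others are invented).
SAMPLE_PASSWD='FOREST\jdoe:*:525:100:John Doe:/home/jdoe:/bin/bash
FOREST\asmith:*:50003:100:Anne Smith:/home/asmith:/bin/bash
FOREST\bjones:*:526:100000:Bob Jones:/home/bjones:/bin/bash'
SAMPLE_GROUP='FOREST\domain users:x:100:
FOREST\unixadmins:x:50010:'

# classify_uid UID -> prints ad, alloc or outside
classify_uid() {
    if [ "$1" -ge "$AD_LO" ] && [ "$1" -le "$AD_HI" ]; then echo ad
    elif [ "$1" -ge "$ALLOC_LO" ] && [ "$1" -le "$ALLOC_HI" ]; then echo alloc
    else echo outside
    fi
}

# gid_resolves GID GROUPDATA -> succeeds if some group line carries that GID
gid_resolves() {
    printf '%s\n' "$2" | grep -q "^[^:]*:[^:]*:$1:"
}

# check_user NAME PASSWDDATA GROUPDATA -> one summary line for that user
check_user() {
    entry=$(printf '%s\n' "$2" | while IFS= read -r line; do
        case $line in "$1:"*) printf '%s\n' "$line"; break ;; esac
    done)
    [ -n "$entry" ] || { printf '%s not found in passwd data\n' "$1"; return 1; }
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    gid=$(printf '%s\n' "$entry" | cut -d: -f4)
    if gid_resolves "$gid" "$3"; then grp=ok; else grp=MISSING; fi
    # source=alloc means the AD mapping did not apply and winbind handed out a
    # UID from the tdb range; group=MISSING means the primary GID is unmapped.
    printf '%s uid=%s source=%s gid=%s group=%s\n' \
        "$1" "$uid" "$(classify_uid "$uid")" "$gid" "$grp"
}

for u in 'FOREST\jdoe' 'FOREST\asmith' 'FOREST\bjones'; do
    check_user "$u" "$SAMPLE_PASSWD" "$SAMPLE_GROUP"
done
```

On a real member server, feed it the output of `getent passwd` and `getent group` instead of the sample strings.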

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
