Hi,

> Hi all,
>
> I'm still struggling with getting Samba 3.6 to use the uids and gids
> from my Active Directory 2008 R2 setup. I can see the users, I just can't
> get their UIDs mapped onto my Linux machine.
>
> I've configured AD to use its "services for unix"
> feature, and through that, I got a "Unix Attributes" tab where I could
> enter fields like uid, home dir, shell, and primary GID.
>
> My few questions:
>
> 1. Am I supposed to configure Samba to use rfc2307, or sfu?
> 2. As you can see in my config, below, I've configured an idmap range
> for the AD domain. It seems to be ignored, and instead, my users get placed in
> the wildcard domain's idmap range.
> 3. I found some advice (don't remember where) to try to delete these
> files when I change this part of my config:
> /var/run/samba/gencache*
> /var/cache/samba/winbindd_cache.tdb
> /var/lib/samba/winbindd_idmap.tdb
> Any thoughts about the need/value to delete these temp files is
> appreciated.
> 4. Finally, does anyone have suggestions of other things I can try?
>
> thanks very much.
>
> best,
> -Nick
According to man idmap_ad you should have a generic idmap backend line
as well, like:

idmap backend = tdb
idmap uid range = some uninteresting range
idmap gid range = some uninteresting range

I wrote "uninteresting range" because you should specify a range in which
you haven't placed your users via ADUC.

> [global] (from my smb.conf)
> workgroup = CORP
> server string = %h server (Samba, Ubuntu)
>
> security = ADS
> realm = CORP.xxx.COM
> allow trusted domains = yes
> winbind use default domain = yes
> winbind nested groups = YES
> winbind nested groups = YES
> winbind enum groups = yes
> winbind enum users = yes
> winbind nss info = rfc2307
> winbind refresh tickets = yes
> idmap config CORP : backend = ad
> idmap config CORP : schema_mode = rfc2307
> #idmap config CORP : range = 1000 - 99999
> idmap config * : default = yes
> #idmap config * : backend = tdb
> #idmap config * : range = 100000 - 199999
> idmap config * : range = 900 - 1999
>
> encrypt passwords = true
>
> obey pam restrictions = yes
> client use spnego = yes
> client ntlmv2 auth = yes
> encrypt passwords = true
> restrict anonymous = 2
>
> When I perform an ldapsearch against my server, I see these attributes,
> among others:
>
> msSFU30Name: nick
> msSFU30NisDomain: corp
> uidNumber: 1001
> gidNumber: 1000
> unixHomeDirectory: /home/nick
> loginShell: /bin/bash
>
Regards
Geza
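The point Geza makes (a default backend with a range that stays clear of the uids and gids you assigned in ADUC, next to an explicit range for the AD domain) can be checked mechanically before restarting winbind. The script below is an added example, not code from this thread or from Samba: it parses only the idmap lines of an smb.conf, compares the ranges with the uidNumber/gidNumber values AD hands out, and reports anything inconsistent. The two sample configs are constructed from the one Nick posted (the second simply restores his commented-out lines), and the AD entry is the one from his ldapsearch. It assumes, following man idmap_ad, that an `ad` backend needs its own `range`, that the wildcard domain needs its own `backend`, and that no id stored in AD should fall inside the wildcard range; it does not model what winbind actually does when those conditions are violated.

```python
"""Check the idmap section of an smb.conf against the uidNumber/gidNumber
values stored in AD (added example, not from the thread or from Samba)."""
import re

# "idmap config DOM : key = value" (Samba 3.x per-domain syntax)
IDMAP_CONFIG_RE = re.compile(
    r"^idmap\s+config\s+(?P<dom>\S+)\s*:\s*(?P<key>[\w ]+?)\s*=\s*(?P<val>.+?)$",
    re.IGNORECASE,
)
# "idmap backend = ...", "idmap uid = ...", "idmap gid = ...": the older
# spelling for the wildcard domain that Geza quotes from man idmap_ad
LEGACY_RE = re.compile(r"^idmap\s+(?P<key>backend|uid|gid)\s*=\s*(?P<val>.+?)$", re.IGNORECASE)
LEGACY_KEYS = {"backend": "backend", "uid": "range", "gid": "gid range"}


def parse_idmap_config(text):
    """Return {DOMAIN: {key: value}} for every active idmap line; comments are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = IDMAP_CONFIG_RE.match(line)
        if m:
            conf.setdefault(m.group("dom").upper(), {})[m.group("key").lower()] = m.group("val").strip()
            continue
        m = LEGACY_RE.match(line)
        if m:
            conf.setdefault("*", {})[LEGACY_KEYS[m.group("key").lower()]] = m.group("val").strip()
    return conf


def parse_range(value):
    """'1000 - 99999' -> (1000, 99999)."""
    lo, hi = (int(part) for part in value.replace(" ", "").split("-", 1))
    if lo > hi:
        raise ValueError(f"idmap range low end above high end: {value!r}")
    return lo, hi


def in_range(value, rng):
    return rng[0] <= value <= rng[1]


def check_idmap(conf, ad_entries):
    """Return a list of findings; an empty list means the idmap layout is
    consistent with the Unix attributes AD hands out."""
    findings = []
    ranges = {}
    for dom, opts in conf.items():
        if "backend" not in opts:
            findings.append(f"{dom}: no idmap backend configured")
        if "range" not in opts:
            findings.append(f"{dom}: no idmap range configured")
        else:
            ranges[dom] = parse_range(opts["range"])
    if "*" not in conf:
        findings.append("*: no default (wildcard) idmap domain configured")

    # Ranges of different domains must not overlap, or ids become ambiguous.
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"{a} range {ranges[a][0]}-{ranges[a][1]} overlaps "
                                f"{b} range {ranges[b][0]}-{ranges[b][1]}")

    # Ids that AD already assigns must sit inside their domain's range and
    # outside the wildcard range, which is meant for ids winbind allocates itself.
    ad_domains = [d for d, o in conf.items() if o.get("backend", "").lower() == "ad"]
    for dom in ad_domains:
        for entry in ad_entries:
            for attr in ("uidNumber", "gidNumber"):
                value = entry[attr]
                if dom in ranges and not in_range(value, ranges[dom]):
                    findings.append(f"{entry['name']}: {attr}={value} is outside the {dom} range")
                if "*" in ranges and in_range(value, ranges["*"]):
                    findings.append(f"{entry['name']}: {attr}={value} falls inside the wildcard range")
    return findings


# Constructed from the smb.conf posted in the thread (idmap-relevant lines only).
POSTED_SMB_CONF = """
[global]
    workgroup = CORP
    security = ADS
    winbind nss info = rfc2307
    idmap config CORP : backend = ad
    idmap config CORP : schema_mode = rfc2307
    #idmap config CORP : range = 1000 - 99999
    idmap config * : default = yes
    #idmap config * : backend = tdb
    #idmap config * : range = 100000 - 199999
    idmap config * : range = 900 - 1999
"""

# The same file with the commented-out lines restored: CORP gets a range that
# covers the ids set in ADUC, and the wildcard backend/range stay clear of it.
FIXED_SMB_CONF = """
[global]
    workgroup = CORP
    security = ADS
    winbind nss info = rfc2307
    idmap config CORP : backend = ad
    idmap config CORP : schema_mode = rfc2307
    idmap config CORP : range = 1000 - 99999
    idmap config * : backend = tdb
    idmap config * : range = 100000 - 199999
"""

# Unix attributes from the posted ldapsearch (constructed list, one user).
AD_ENTRIES = [{"name": "nick", "uidNumber": 1001, "gidNumber": 1000}]

if __name__ == "__main__":
    for label, text in (("posted", POSTED_SMB_CONF), ("fixed", FIXED_SMB_CONF)):
        print(f"--- {label} ---")
        for finding in check_idmap(parse_idmap_config(text), AD_ENTRIES) or ["OK: no findings"]:
            print(finding)
```

Run against the posted config it reports that CORP has no range, that the wildcard domain has no backend, and that both 1001 and 1000 fall inside the wildcard range 900-1999; against the restored config it reports nothing. Whatever the script says, confirm the live mapping after restarting winbind with `wbinfo -i nick` and `getent passwd nick`, which show the uid winbind actually resolves.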