Matthew J. Salerno
2009-Oct-09 15:25 UTC
[Samba] AD Integration woes - rfc2307 data not being honored
Red Hat Enterprise Linux Server release 5.2 (Tikanga) - x86_64
Samba - 3.0.28-0.el5.8

Objective: To have samba authenticate against AD and utilize the values set for the AD rfc2307 schema.
Problem: Values stored in AD are not being used.

The samba server has successfully joined the AD, but when I do a getent passwd | grep <user> the uid, none of the values returned match what is stored in AD. The UidNumber for my account in AD is 20045, but I keep getting 1000195. I'm not so worried about the unixHomeDirectory or loginShell, it would be nice to get them, but the UID is a must.

TESTDOMAIN+username:*:1000195:1000000:User Info:/home/TESTDOMAIN/username:/bin/bash

Every time I make any changes to the config, I always clean up and rejoin the domain:

rm -f /var/log/samba/*.tdb && rm -f /etc/samba/*tdb && rm -f /var/cache/samba/* && rm -f /var/log/samba/*
service smb restart && service winbind restart

Any help would be greatly appreciated.

Here is my smb.conf

[global]
        workgroup = TESTDOMAIN
        realm = TESTDOMAIN.NET
        server string = Samba file and print server
        security = ADS
        log level = 3
        log file = /var/log/samba/%m
        max log size = 200
        printcap name = cups
        preferred master = No
        idmap backend = tdb
        idmap cache time = 1800
        idmap uid = 1000000-1999999
        idmap gid = 1000000-1999999
        template shell = /bin/bash
        winbind separator = +
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind nss info = rfc2307, template
        winbind refresh tickets = Yes
        idmap config TESTDOMAIN:cache time = 1800
        idmap config TESTDOMAIN:range = 1000-999999
        idmap config TESTDOMAIN:backend = ad
        idmap config TESTDOMAIN:schema_mode = rfc2307

[homes]
        comment = Home Directories
        valid users = %S
        read only = No
        browseable = No

[printers]
        comment = All Printers
        guest ok = Yes
        printable = Yes
        browseable = No
        available = No
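A quick way to tell which idmap range a UID returned by getent actually came from, using the ranges in the smb.conf above: the following is an added example for this thread, not code from Samba or from the poster. It parses the posted config (embedded as a constructed sample) and checks whether the UID 1000195 lies in the default "idmap uid" range (allocated by the tdb backend) or in the per-domain TESTDOMAIN range (where an AD uidNumber of 20045 would fall).

```python
import re

# Constructed sample: the relevant lines of the smb.conf posted in the thread.
SMB_CONF = """[global]
        workgroup = TESTDOMAIN
        idmap backend = tdb
        idmap uid = 1000000-1999999
        idmap config TESTDOMAIN:range = 1000-999999
        idmap config TESTDOMAIN:backend = ad
"""
# Constructed sample: the getent line from the thread and the uidNumber stored in AD.
GETENT_LINE = "TESTDOMAIN+username:*:1000195:1000000:User Info:/home/TESTDOMAIN/username:/bin/bash"
AD_UIDNUMBER = 20045


def parse_idmap_ranges(conf):
    """Map 'default' (the 'idmap uid' range) and each 'idmap config DOM:range' to (lo, hi)."""
    ranges, section = {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()  # section names are case-insensitive
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        span = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value)
        if not span:
            continue  # not a range value (e.g. 'backend = ad')
        lo, hi = int(span.group(1)), int(span.group(2))
        dom = re.fullmatch(r"idmap config (\S+?)\s*:\s*range", key, re.I)
        if key.lower() == "idmap uid":
            ranges["default"] = (lo, hi)
        elif dom:
            ranges[dom.group(1)] = (lo, hi)
    return ranges


def diagnose(getent_line, ad_uidnumber, conf):
    """Return (uid from getent, name of the idmap range containing it, matches AD?)."""
    # A uid in 'default' was allocated from the 'idmap uid' range by the default
    # tdb backend, not read from AD; 'none' means it lies in no configured range.
    uid = int(getent_line.split(":")[2])
    origin = "none"
    for name, (lo, hi) in parse_idmap_ranges(conf).items():
        if lo <= uid <= hi:
            origin = name
            break
    return uid, origin, uid == ad_uidnumber
```

With the posted values this reports the UID as coming from the default range and not matching AD, which is the symptom described above.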
Andreas Zickner
2009-Oct-10 11:20 UTC
[Samba] AD Integration woes - rfc2307 data not being honored
Hi Matthew,

I'm trying to achieve the same goal. As I was not aware of the fact that I can configure winbind (idmap?) to use the rfc2307 schema I took another approach:

http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html#idmaprfc2307

Here I get all values (UID, GID and group members managed in AD) ... downside is that I still have some issues that I get a strange error when accessing a share other than /tmp .... with an own compiled (and modified) samba the setup is working.

Do you have any reference from where you got these settings? I would like to try to rebuild it in my env to see if I have the same issues....

thanks,
Andreas

Matthew J. Salerno wrote:
> Red Hat Enterprise Linux Server release 5.2 (Tikanga) - x86_64
> Samba - 3.0.28-0.el5.8
>
> Objective: To have samba authenticate against AD and utilize the values set for the AD rfc2307 schema.
> Problem: Values stored in AD are not being used.
>
> The samba server has successfully joined the AD, but when I do a getent passwd | grep <user> the uid, none of the values returned match what is stored in AD. The UidNumber for my account in AD is 20045, but I keep getting 1000195. I'm not so worried about the unixHomeDirectory or loginShell, it would be nice to get them, but the UID is a must.
>
> TESTDOMAIN+username:*:1000195:1000000:User Info:/home/TESTDOMAIN/username:/bin/bash
>
> Every time I make any changes to the config, I always clean up and rejoin the domain:
>
> rm -f /var/log/samba/*.tdb && rm -f /etc/samba/*tdb && rm -f /var/cache/samba/* && rm -f /var/log/samba/*
> service smb restart && service winbind restart
>
> Any help would be greatly appreciated.
>
> Here is my smb.conf
>
> [global]
>         workgroup = TESTDOMAIN
>         realm = TESTDOMAIN.NET
>         server string = Samba file and print server
>         security = ADS
>         log level = 3
>         log file = /var/log/samba/%m
>         max log size = 200
>         printcap name = cups
>         preferred master = No
>         idmap backend = tdb
>         idmap cache time = 1800
>         idmap uid = 1000000-1999999
>         idmap gid = 1000000-1999999
>         template shell = /bin/bash
>         winbind separator = +
>         winbind enum users = Yes
>         winbind enum groups = Yes
>         winbind nss info = rfc2307, template
>         winbind refresh tickets = Yes
>         idmap config TESTDOMAIN:cache time = 1800
>         idmap config TESTDOMAIN:range = 1000-999999
>         idmap config TESTDOMAIN:backend = ad
>         idmap config TESTDOMAIN:schema_mode = rfc2307
>
> [homes]
>         comment = Home Directories
>         valid users = %S
>         read only = No
>         browseable = No
>
> [printers]
>         comment = All Printers
>         guest ok = Yes
>         printable = Yes
>         browseable = No
>         available = No
Andreas Zickner
2009-Oct-10 12:05 UTC
[Samba] AD Integration woes - rfc2307 data not being honored
Hi,

Which AD (exact version) are you using, 2003 (without R2)? Did you try different AD versions? Did you install SFU3.5? There are a couple of differences in the schema and I don't know how to configure winbind in regards to the mapping of attributes (like in nss_ldap or ldapux).

Matthew J. Salerno wrote:
> Red Hat Enterprise Linux Server release 5.2 (Tikanga) - x86_64
> Samba - 3.0.28-0.el5.8
>
> Objective: To have samba authenticate against AD and utilize the values set for the AD rfc2307 schema.
> Problem: Values stored in AD are not being used.
>
> The samba server has successfully joined the AD, but when I do a getent passwd | grep <user> the uid, none of the values returned match what is stored in AD. The UidNumber for my account in AD is 20045, but I keep getting 1000195. I'm not so worried about the unixHomeDirectory or loginShell, it would be nice to get them, but the UID is a must.
>
> TESTDOMAIN+username:*:1000195:1000000:User Info:/home/TESTDOMAIN/username:/bin/bash
>
> Every time I make any changes to the config, I always clean up and rejoin the domain:
>
> rm -f /var/log/samba/*.tdb && rm -f /etc/samba/*tdb && rm -f /var/cache/samba/* && rm -f /var/log/samba/*
> service smb restart && service winbind restart
>
> Any help would be greatly appreciated.
>
> Here is my smb.conf
>
> [global]
>         workgroup = TESTDOMAIN
>         realm = TESTDOMAIN.NET
>         server string = Samba file and print server
>         security = ADS
>         log level = 3
>         log file = /var/log/samba/%m
>         max log size = 200
>         printcap name = cups
>         preferred master = No
>         idmap backend = tdb
>         idmap cache time = 1800
>         idmap uid = 1000000-1999999
>         idmap gid = 1000000-1999999
>         template shell = /bin/bash
>         winbind separator = +
>         winbind enum users = Yes
>         winbind enum groups = Yes
>         winbind nss info = rfc2307, template
>         winbind refresh tickets = Yes
>         idmap config TESTDOMAIN:cache time = 1800
>         idmap config TESTDOMAIN:range = 1000-999999
>         idmap config TESTDOMAIN:backend = ad
>         idmap config TESTDOMAIN:schema_mode = rfc2307
>
> [homes]
>         comment = Home Directories
>         valid users = %S
>         read only = No
>         browseable = No
>
> [printers]
>         comment = All Printers
>         guest ok = Yes
>         printable = Yes
>         browseable = No
>         available = No

-- 
Andreas Zickner
Gotenstr. 2 - 71065 Sindelfingen - andreas at zickner.de - 015771968553
There is a difference between knowing one's path ... ... and walking it