Hi,

I'm still having trouble getting Samba 3.6.3 / Winbind to fetch UIDs from AD 2008 R2 with the Services for Unix feature installed. My users have uidNumber fields which contain the UIDs I want. I'm on Ubuntu 12.04.

The global part of my smb.conf. I've tried changing 'winbind nss info' and 'schema_mode' to sfu as well.

security = ADS
realm = CORP.mycompany.COM
allow trusted domains = yes
winbind use default domain = yes
winbind nested groups = YES
winbind enum groups = yes
winbind enum users = yes
winbind nss info = rfc2307
winbind refresh tickets = yes
idmap config CORP : backend = ad
idmap config CORP : schema_mode = rfc2307
#idmap config * : backend = tdb
idmap config * : default = yes
idmap config * : range = 900 - 99999

Each time I re-test, I delete the files:

/var/run/samba/gencache*.tdb
/var/cache/samba/winbindd_cache.tdb
/var/lib/samba/winbindd_idmap.tdb

My users always come back with an id in the range mapped above (900+), even though their IDs should actually be 1000+.

When I run an ldapsearch query, I get back results for my users that include (as well as other fields):

sAMAccountName: ross
userPrincipalName: ross at corp....
lockoutTime: 0
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=corp,...
uid: ross
mail: ross at ...
msSFU30Name: ross
msSFU30NisDomain: corp
uidNumber: 1006
gidNumber: 100
unixHomeDirectory: /home/ross
loginShell: /bin/bash

Any suggestions of things I can try are greatly appreciated.

thanks!
-Nick
On 14/07/12 17:50, Nick Triantos wrote:
> Hi,
>
> I'm still having trouble getting Samba 3.6.3 / Winbind to fetch UIDs from AD 2008 R2 with the Services for Unix feature installed. My users have uidNumber fields which contain the UIDs I want. I'm on Ubuntu 12.04
>
> The global part of my smb.conf. I've tried changing 'winbind nss info' and 'schema_mode' to sfu as well.
>
> security = ADS
> realm = CORP.mycompany.COM
> allow trusted domains = yes
> winbind use default domain = yes
> winbind nested groups = YES
> winbind enum groups = yes
> winbind enum users = yes
> winbind nss info = rfc2307
> winbind refresh tickets = yes
> idmap config CORP : backend = ad
> idmap config CORP : schema_mode = rfc2307
> #idmap config * : backend = tdb
> idmap config * : default = yes
> idmap config * : range = 900 - 99999
>

There is no range here for the ad backend. From what I have determined empirically, you need to specify ranges for both that don't overlap. That said, this is now covered in the manual page, but it is vitally important and it won't work properly without it.

What I do is specify a small range really high up, well out of the way of anything being allocated in the AD, for the tdb backend.

JAB.

--
Jonathan A. Buzzard  Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
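The two conditions raised in the reply above (every idmap backend needs its own range, and the ranges must not overlap) are easy to get wrong by hand, so here is a small checker for the idmap lines of an smb.conf. It is an added example for this thread, not code from the Samba project or from anyone in the thread. It parses `idmap config DOMAIN : key = value` lines, reports a domain whose backend has no range, reports any pair of overlapping ranges, and lets you confirm that a uidNumber read back from AD (1006 in the original post) actually falls inside the ad backend's range, since the ad backend only maps IDs that lie inside its configured range. The "fixed" fragment and its range numbers are assumptions chosen for illustration, not values from the thread.

```python
import re
from typing import Dict, List, Tuple

# Matches "idmap config <DOMAIN> : <key> = <value>" in smb.conf.
# smb.conf parameter names are case-insensitive; lines are stripped before matching.
IDMAP_RE = re.compile(
    r"^idmap\s+config\s+(?P<domain>[^:\s]+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<value>.+)$",
    re.IGNORECASE,
)

# Constructed from the idmap lines of the smb.conf fragment in the original post.
ORIGINAL_IDMAP = """
idmap config CORP : backend = ad
idmap config CORP : schema_mode = rfc2307
#idmap config * : backend = tdb
idmap config * : default = yes
idmap config * : range = 900 - 99999
"""

# Constructed fix (assumed values): the ad backend gets a range containing the
# uidNumbers stored in AD (1006 in the post); the tdb catch-all gets a small range
# far above anything allocated in AD, as the reply suggests.
FIXED_IDMAP = """
idmap config CORP : backend = ad
idmap config CORP : schema_mode = rfc2307
idmap config CORP : range = 1000 - 999999
idmap config * : backend = tdb
idmap config * : range = 2000000 - 2009999
"""


def parse_idmap_config(smb_conf_text: str) -> Dict[str, Dict[str, str]]:
    """Collect idmap settings per domain, skipping blank and commented-out lines."""
    cfg: Dict[str, Dict[str, str]] = {}
    for raw in smb_conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = IDMAP_RE.match(line)
        if m:
            cfg.setdefault(m["domain"], {})[m["key"].lower()] = m["value"].strip()
    return cfg


def parse_range(value: str) -> Tuple[int, int]:
    """Parse the 'low - high' syntax used by 'idmap config ... : range'."""
    parts = value.replace(" ", "").split("-")
    if len(parts) != 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad range syntax: {value!r}")
    lo, hi = int(parts[0]), int(parts[1])
    if lo > hi:
        raise ValueError(f"range low end is above high end: {value!r}")
    return lo, hi


def check_idmap_ranges(smb_conf_text: str) -> List[str]:
    """Return problems found: domains without a range, bad range syntax, overlaps."""
    cfg = parse_idmap_config(smb_conf_text)
    problems: List[str] = []
    ranges: List[Tuple[str, int, int]] = []
    for domain, keys in cfg.items():
        backend = keys.get("backend", "(unspecified)")
        if "range" not in keys:
            problems.append(f"{domain}: backend {backend} has no 'range' setting")
            continue
        try:
            ranges.append((domain, *parse_range(keys["range"])))
        except ValueError as exc:
            problems.append(f"{domain}: {exc}")
    # Every pair of configured ranges must be disjoint.
    for i, (d1, lo1, hi1) in enumerate(ranges):
        for d2, lo2, hi2 in ranges[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                problems.append(f"{d1} [{lo1}-{hi1}] overlaps {d2} [{lo2}-{hi2}]")
    return problems


def uid_covered(smb_conf_text: str, domain: str, uid: int) -> bool:
    """True if uid (e.g. a uidNumber from ldapsearch) lies inside the domain's range."""
    keys = parse_idmap_config(smb_conf_text).get(domain, {})
    if "range" not in keys:
        return False
    lo, hi = parse_range(keys["range"])
    return lo <= uid <= hi


if __name__ == "__main__":
    for name, text in (("original", ORIGINAL_IDMAP), ("fixed", FIXED_IDMAP)):
        print(f"{name}: {check_idmap_ranges(text) or 'no problems'}")
        print(f"  uidNumber 1006 covered by CORP range: {uid_covered(text, 'CORP', 1006)}")
```

Run against the original fragment it reports that the CORP ad backend has no range and that uidNumber 1006 is not covered; against the fixed fragment it reports nothing and 1006 is covered by CORP but not by the tdb catch-all, which is the separation the reply asks for.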
On 18/07/12 03:00, Rob Townley wrote:
> Precisely what ldap attribute are you setting user id numbers in AD? You
> may want to check. There are numerous attribute names that include uid and
> gid, but you need the correct one.
>

Hi

In AD we have:

objectClass: posixAccount

and

uidNumber: xyz

with /etc/nsswitch.conf containing:

passwd: compat ldap

nss-ldapd (for example) pulls the uidNumber fine using:

getent passwd

Is that what we are talking about?

Cheers,
Steve