Hi!
How does one enable RFC2307 attributes for users on a Samba AD DC?
All the settings for this which work on a member server
do not work on a DC:
[global]
        netbios name = SVDCP
        realm = PZ.CORPIT.RU
        server role = active directory domain controller
        workgroup = PZ

        idmap_ldb:use rfc2307 = yes
        winbind nss info = rfc2307
        template homedir = /home/%U
        template shell = /bin/bash
        winbind use default domain = yes

        idmap config pz : unix_primary_group = yes
        idmap config pz : schema_mode = rfc2307
        idmap config pz : range = 1000-4999
        idmap config pz : backend = ad
(this is one of the many parameter sets I tried; some of them might be
conflicting with each other - I tried different combinations with
similar results).
With this, on the DC, wbinfo -i <user> always shows the template homedir,
the template shell, and primary group=100. But on a member server, it
correctly shows the homedir, shell and primary group stored in AD.

Where does it get gid=100 from, and how do I configure it so that it
shows the correct info?
Thanks!
/mjt
On 11/19/22 04:40, Michael Tokarev via samba wrote:
> Hi!
>
> How one enables RFC2307 attributes for users on a Samba AD-DC?
> All the settings about this which works on a member server,
> does not work on an DC:
>
> [global]
>         netbios name = SVDCP
>         realm = PZ.CORPIT.RU
>         server role = active directory domain controller
>         workgroup = PZ
>
>         idmap_ldb:use rfc2307 = yes
>         winbind nss info = rfc2307
>         template homedir = /home/%U
>         template shell = /bin/bash
>         winbind use default domain = yes
>
>         idmap config pz : unix_primary_group = yes
>         idmap config pz : schema_mode = rfc2307
>         idmap config pz : range = 1000-4999
>         idmap config pz : backend = ad
>
>
> (these are one of the many parameters I tried, some of them might be
> conflicting with each other - I tried different combinations with
> similar results).
>
> With this, on the DC, wbinfo -i <user> always shows template homedir,
> template shell, and primary group=100.  But on a member server, this
> correctly shows homedir, shell and primary group stored in the AD.
>
> Where it gets the gid=100 from, and how to configure it so it will
> show the correct info?
>
> Thanks!
>
> /mjt

Has to be passed at the time of the AD's Provision.
On 19/11/2022 09:40, Michael Tokarev via samba wrote:
> Hi!
>
> How one enables RFC2307 attributes for users on a Samba AD-DC?
> All the settings about this which works on a member server,
> does not work on an DC:
>
> [global]
>         netbios name = SVDCP
>         realm = PZ.CORPIT.RU
>         server role = active directory domain controller
>         workgroup = PZ
>
>         idmap_ldb:use rfc2307 = yes
>         winbind nss info = rfc2307
>         template homedir = /home/%U
>         template shell = /bin/bash
>         winbind use default domain = yes
>
>         idmap config pz : unix_primary_group = yes
>         idmap config pz : schema_mode = rfc2307
>         idmap config pz : range = 1000-4999
>         idmap config pz : backend = ad
>
>
> (these are one of the many parameters I tried, some of them might be
> conflicting with each other - I tried different combinations with
> similar results).
>
> With this, on the DC, wbinfo -i <user> always shows template homedir,
> template shell, and primary group=100.  But on a member server, this
> correctly shows homedir, shell and primary group stored in the AD.
>
> Where it gets the gid=100 from, and how to configure it so it will
> show the correct info?
>
> Thanks!
>
> /mjt

The only rfc2307 attributes that you can use on a Samba AD DC are the uidNumber and gidNumber attributes, all others are ignored. Even they are ignored unless you have 'idmap_ldb:use rfc2307 = yes' set. The gid '100' is coming from idmap.ldb and shows that you haven't given Domain Users a gidNumber. You might as well remove most of what you have added, they do not work on a DC, the exception being the 'template' lines.

Rowland
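The two things Rowland's reply points at can be checked on the DC itself: whether 'idmap_ldb:use rfc2307 = yes' is actually in effect, and whether 'Domain Users' carries a gidNumber (if it does not, winbind falls back to idmap.ldb, which is where the gid 100 comes from). The script below is an added example, not code from the thread or from the Samba project. It assumes the standard Samba tools testparm and ldbsearch, a sam.ldb at /var/lib/samba/private/sam.ldb (override with SAM_LDB), and, when those are not available, falls back to constructed sample data that reproduces the failing state described in the thread.

```sh
#!/bin/sh
# Added example (not from the thread): verify whether a Samba AD DC will honour
# RFC2307 uidNumber/gidNumber, and whether Domain Users has a gidNumber.
# Assumption: sam.ldb path below is Samba's usual default; adjust if needed.

SAM_LDB="${SAM_LDB:-/var/lib/samba/private/sam.ldb}"

# Print the first value of attribute $1 from LDIF text on stdin.
# Attribute names are matched case-insensitively; prints nothing if absent.
ldif_attr() {
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        { line = $0; sub(/\r$/, "", line) }
        index(line, ":") {
            name = tolower(substr(line, 1, index(line, ":") - 1))
            if (name == want) {
                val = substr(line, index(line, ":") + 1)
                sub(/^[ \t]+/, "", val)
                print val
                exit
            }
        }'
}

# Return 0 when smb.conf / testparm -s text on stdin enables idmap_ldb rfc2307.
# Without this setting the DC ignores uidNumber and gidNumber entirely.
rfc2307_enabled() {
    grep -iE '^[[:space:]]*idmap_ldb:[[:space:]]*use[[:space:]]*rfc2307[[:space:]]*=[[:space:]]*(yes|true|1)[[:space:]]*$' >/dev/null
}

# Print the gidNumber of the group whose LDIF is on stdin; return 1 if it has
# none (winbind then allocates the primary gid from idmap.ldb instead).
group_gidnumber() {
    gid=$(ldif_attr gidNumber)
    [ -n "$gid" ] || return 1
    printf '%s\n' "$gid"
}

# Live check when run on a DC with readable sam.ldb; otherwise use constructed
# sample data mirroring the thread (rfc2307 enabled, no gidNumber on Domain Users).
if command -v ldbsearch >/dev/null 2>&1 && command -v testparm >/dev/null 2>&1 && [ -r "$SAM_LDB" ]; then
    smbconf=$(testparm -s 2>/dev/null)
    domain_users=$(ldbsearch -H "$SAM_LDB" '(&(objectClass=group)(sAMAccountName=Domain Users))' gidNumber 2>/dev/null)
else
    # Constructed sample input (base DN for the thread's realm, not taken from the DC)
    smbconf='[global]
        idmap_ldb:use rfc2307 = yes
        template homedir = /home/%U'
    domain_users='dn: CN=Domain Users,CN=Users,DC=pz,DC=corpit,DC=ru
objectClass: group
sAMAccountName: Domain Users'
fi

if printf '%s\n' "$smbconf" | rfc2307_enabled; then
    echo "idmap_ldb:use rfc2307 = yes is set: uidNumber/gidNumber will be used"
else
    echo "idmap_ldb:use rfc2307 is NOT set: uidNumber/gidNumber are ignored"
fi

if gid=$(printf '%s\n' "$domain_users" | group_gidnumber); then
    echo "Domain Users gidNumber = $gid"
else
    echo "Domain Users has no gidNumber: primary gid comes from idmap.ldb (the gid 100 in the thread)"
fi
```

Run it as root on the DC so sam.ldb is readable; the same ldbsearch filter with uidNumber in place of gidNumber, and sAMAccountName set to the user, tells you whether the user object itself has a uidNumber.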