Re: [Samba] [samba] Member server winbind issue
- Date: Sun, 23 Jul 2017 14:13:52 +0200
- From: mathias dufresne via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] [samba] Member server winbind issue
2017-07-23 13:47 GMT+02:00 Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>:
> On Sun, 23 Jul 2017 13:33:05 +0200
> mathias dufresne <infractory@xxxxxxxxx> wrote:
> > Samba is 4.5.8+dfsg-2+deb9u1+b1 (it's a debian).
> Then you need to use the 'old' way of setting up 'idmap config'
> winbind nss info = rfc2307
winbind nss info = rfc2307
> idmap config * : backend = tdb
idmap config * : backend = tdb
> idmap config * : range = 3000-7999
idmap config * : range = 3000-7999
> idmap config SAMDOM : backend = ad
idmap config AD:backend = ad
> idmap config SAMDOM : schema_mode = rfc2307
idmap config AD:schema_mode = rfc2307
> idmap config SAMDOM : range = 10000-999999
idmap config AD:range = 8000-99999999
I see two differences: ranges and spaces around ":" but I don't expect
these spaces are mandatory.
> You can change the ranges if required, but all normal users and groups
> MUST have a uidNumber or gidNumber attribute containing a number inside
> the DOMAIN range you choose.
Both group and user have uidNumber and gidNumber declared in AD, inside the
range defined by "idmap config AD:range = 8000-99999999"
> You MUST also give 'Domain Users' a gidNumber inside the same range.
dc02:~# ldbsearch -H $sam cn="domain users" dn objectclass gidNumber
# record 1
dn: CN=Domain Users,CN=Users,DC=ad,DC=domain,DC=tld
So, here again, it seems to to be OK.
And I'm still completely puzzled.
DC are 4.6.5, I'll try to upgrade Samba client to some 4.6 too. I don't
really expect this to change anything.
DC were provisioned without RFC2307. I set it up yesterday using
So I've added the following line in DCs smb.conf:
idmap_ldb:use rfc2307 = yes
after I followed "Installing the NIS Extensions" paragraph (with mainly
After these changes by DC side I was able to manage Unix attributes with
ADUC from some Windows client, which seems to mean the changes were correct.
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
To unsubscribe from this list go to the following URL and read the