Bug 11533 - Winbind options to be able to use rfc2307 attributes
Winbind options to be able to use rfc2307 attributes
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
All All
: P5 enhancement
: ---
Assigned To: Samba QA Contact
Samba QA Contact
Depends on:
  Show dependency treegraph
Reported: 2015-09-28 09:43 UTC by mathias.dufresne
Modified: 2015-09-29 02:01 UTC (History)
1 user (show)

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description mathias.dufresne 2015-09-28 09:43:55 UTC
Winbind is not able to use rfc2307 attributes to forge users information on system side.

If we fill rfc2307 attributes such as uidNumber, gidNumber or homeDirectory we generally want to be able to use them on (linux) system side. Some configuration file should be added to give us possibility to use them.

On some DC I use winbind to retrieve users from AD:
DC:~# grep winbind /etc/nsswitch.conf
passwd:     files winbind
shadow:     files winbind
group:      files winbind

When checking some user using "id" linux command I get:
DC:~# id some.user
uid=10321(DOMAIN1.AD\some.user) gid=100(users) groupes=100(users),3000031(DOMAIN1.AD\cid 018),3000009(BUILTIN\users)

And user line is:
DC:~# getent passwd some.user
DOMAIN1.AD\some.user:*:10321:100:some user:/home/DOMAIN1.AD/some.user:/bin/false

Login = sAMAccountName
UID = uidNumber
GID = some forged GID corresponding to "Domain Users" (I expect)
Gecos = displayName
homeDir = something forged using short domain name + sAMAccountName
shell = /bin/false

When in AD rfc2307 attributes are:
uidNumber: 10321
gidNumber: 8321 (this group does not exist)
gecos: not filled
loginShell: /bin/bash
homeDirectory: /home/some.user

For some reason (orders coming from bosses most generally) default options chosen by Samba team for winbind behaviour could not suit our needs. Having some configuration file somewhere to modify that behaviour would be great.


Comment 1 Guenther Deschner 2015-09-28 18:24:07 UTC
Hi, sorry but there is no bug here. RFC2307 support is well documented in many locations, e.g. here: 


See also manpages idmap_ad(8) and idmap_rfc2307(8).