Bug 14122 - winbind nss info sfu / rfc2307 not working as documented
Summary: winbind nss info sfu / rfc2307 not working as documented
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: 4.10.8
Hardware: All All
Importance: P5 normal
Target Milestone: 4.10
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
Reported: 2019-09-11 08:52 UTC by Björn Jacke
Modified: 2020-01-15 09:14 UTC

Attachments
patch for 4.11 (2.01 KB, patch)
2020-01-14 08:11 UTC, Karolin Seeger
kseeger: review+
patch for 4.10 (2.01 KB, patch)
2020-01-14 08:12 UTC, Karolin Seeger
kseeger: review+

Description Björn Jacke 2019-09-11 08:52:25 UTC
According to our smb.conf man page on "winbind nss info":

--snip-
This parameter is designed to control how Winbind retrieves Name Service information to construct a user's home directory and login shell. Currently the following settings are available:

·   template - The default, using the parameters of template shell and template homedir)

·   <sfu | sfu20 | rfc2307 > - When Samba is running in security = ads and your Active Directory Domain Controller does support the Microsoft "Services for Unix" (SFU) LDAP schema, winbind can retrieve the login shell and the home directory attributes directly from your Directory Server. For SFU 3.0 or 3.5 simply choose "sfu", if you use SFU 2.0 please choose "sfu20". Note that retrieving UID and GID from your ADS-Server requires to use idmap config DOMAIN:backend = ad as well. The primary group membership is currently always calculated via the "primaryGroupID" LDAP attribute.
--snap--

Setting winbind nss info on a security=ads member server (with idmap backend ad for the domain) to sfu or rfc2307, however, not even the home directory or login shell is retrieved from LDAP. Currently you NEED to set "use idmap config DOMAIN:backend = ad" if you want to get the unixHomeDirectory or loginShell attributes evaluated. In that case the value of winbind nss info is also completely ignored.
Comment 1 Louis 2019-09-11 13:29:04 UTC
Hm, Björn,

I'm trying to check this but I don't get what you're saying.
It looks like you're trying a setting that is not supported.

I would have expected this in the man smb.conf:

       winbind nss info (G)  deprecated
       As of samba 4.6+ replaced by ... 

At least that's what it says here:
https://wiki.samba.org/index.php/Idmap_config_ad 


Ahh, now I get it: man smb.conf is showing incorrect info and needs an update.
Comment 2 Björn Jacke 2020-01-08 21:56:14 UTC
Fixed in master with 55fbd4c05b477e95920b53b94eda2572e075e6e1. This does also cleanly cherry-pick to 4.10 and 4.11. Karo, can you add the fix to those branches, please?
Comment 3 Karolin Seeger 2020-01-14 08:11:22 UTC
Created attachment 15727
patch for 4.11
Comment 4 Karolin Seeger 2020-01-14 08:12:50 UTC
Created attachment 15728
patch for 4.10
Comment 5 Karolin Seeger 2020-01-14 08:14:13 UTC
Pushed to autobuild-v4-{11,10}-test.
Comment 6 Karolin Seeger 2020-01-15 09:14:25 UTC
(In reply to Karolin Seeger from comment #5)
Pushed to both branches.
Closing out bug report.

Thanks!