Bug 1759 - Samba and SFU
Summary: Samba and SFU
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: winbind
Version: 3.0.7
Hardware: All All
Importance: P3 enhancement
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
Depends on:
Reported: 2004-09-14 11:32 UTC by Thomas Mullaly
Modified: 2005-07-04 04:36 UTC

Description Thomas Mullaly 2004-09-14 11:32:44 UTC
Hi, this is a feature request.

I was wondering if you could add support for Microsoft's SFU schema changes.  

I'm running samba in ADS mode.  It works great, you've done a wonderful job, 
but there's one more thing I need.  I am looking for a way to keep the UID's 
and GID's the same on every samba machine.  I tried using the LDAP write back 
way (using an OU called IDmap) but it hasn't worked for me.  I'm running 
Active Directory 2003.  

Anyway, my point is that it would be nice if there were a config entry that I 
could add to smb.conf where I could specify where the uid and gid come from.  
Being that when I installed Microsoft's Services for Unix, it made the schema 
changes to include uid, gid, home directory, and shell.  Since my users 
already have the schema entries needed, I wish I could just tell winbind to 
look for a specific attribute in the schema.

Is this something you would consider including?
Comment 1 Buchan Milne 2004-09-29 00:08:21 UTC
1) idmap_ldap works (at least against openldap). Since the most common reason for
wanting to have consistent uid's/gid's between winbind machines is the use of
NFS, setting up openldap for idmap should not be excessive ....

2) If you have SFU, you can do authentication to AD without winbind (assuming
your current winbind clients are not serving files or printers to windows
clients), using Kerberos and LDAP.

3) PADL has a plugin which apparently does what you want, you can find it in
xad_oss_plugins on http://www.padl.com/download/
Comment 2 Thomas Mullaly 2004-09-29 07:30:56 UTC
I'll take that as a "NO"

Comment 3 Guenther Deschner 2004-09-29 08:13:38 UTC
Don't be disappointed too fast :)

I have a (yet unfinished) patch that makes some changes to PADL's
idmap_ad-Plugin and integrates SFU-Accounts better into the
winbindd-architecture (honoring homepath, uidNumbers, etc.).

Once I'll finish it...
Comment 4 Gerald (Jerry) Carter (dead mail address) 2005-02-17 09:42:48 UTC
Guenther's pet project :-)  Closing out as later.
Comment 5 Guenther Deschner 2005-07-04 04:36:13 UTC
Fixed in latest subversion.

Could you please try "winbind enable sfu = yes" 
to let winbindd in "security = ads" retrieve homedir and loginshell from ADS.

(Note that the parameter name will change in the next release, so watch the

If you also want to retrieve uid and gid from ADS then use 
"idmap backend = ad" in addition.

Please let us know if that works for you
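
The following is an added example, not part of the bug thread and not Samba code: a small checker that reads an smb.conf and reports whether the three settings named in comment 5 are all active in `[global]`. It assumes the parameter names exactly as quoted in that comment and follows smb.conf's parsing rules (names ignore case and whitespace, `#` and `;` start comments, a trailing backslash continues a line); the sample file and the function names are constructed for illustration.

```python
# Added example: audit an smb.conf for the settings quoted in comment 5.
TRUE_VALUES = {"yes", "true", "1"}

# Constructed sample: "idmap backend" is commented out in [global] and only
# appears in another section, so it must not count.
SAMPLE = """\
[Global]
   Security = ADS
   WINBIND ENABLE SFU = Yes
   ; idmap backend = ad
[homes]
   idmap backend = ad
"""

def _norm(name):
    # smb.conf ignores case and whitespace in section and parameter names.
    return "".join(name.split()).lower()

def parse_global(text):
    """Return {normalized parameter name: value} for the [global] section."""
    params, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":    # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = _norm(line[1:-1])
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)   # only the first '=' is significant
            params[_norm(name)] = value.strip()
    return params

def audit_sfu(text):
    """Report which account attributes winbindd would take from ADS (per comment 5)."""
    p = parse_global(text)
    ads = p.get("security", "").lower() == "ads"
    sfu = p.get(_norm("winbind enable sfu"), "no").lower() in TRUE_VALUES
    ad_idmap = p.get(_norm("idmap backend"), "").lower() == "ad"
    return {
        "homedir_and_shell_from_ads": ads and sfu,
        # comment 5: uid/gid need "idmap backend = ad" in addition
        "uid_gid_from_ads": ads and sfu and ad_idmap,
    }

if __name__ == "__main__":
    print(audit_sfu(SAMPLE))
```

Running the same check on every winbind host is a quick way to spot a machine that would fall back to locally allocated UIDs and GIDs, which is the inconsistency the original request is about.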