How to configure SAMBA/WINBIND without enabling "Unix Attributes" on Active Directory?
Environment
- Red Hat Enterprise Linux 6.6
Issue
How to configure SAMBA/WINBIND without enabling "Unix Attributes" on Active Directory?
The customer did not want to enable "Unix Attributes" on Active Directory because IMU on Active Directory is deprecated.
The customer also has two trusted domains, "example.com" and "test.com", within the same forest.
Resolution
To achieve this, the idmap_rid backend was used.
Things were working with the following smb.conf:
~~~
workgroup = EXAMPLE
password server = AD.EXAMPLE.COM
realm = EXAMPLE.COM
security = ads
template shell = /bin/bash
template homedir = /home/%U
winbind use default domain = false
winbind offline logon = true
winbind enum users = Yes
winbind enum groups = Yes
winbind nested groups = Yes
winbind separator = +
idmap backend = tdb
idmap uid = 1000-100000000
idmap gid = 1000-100000000
idmap config EXAMPLE: backend = rid
idmap config EXAMPLE: range = 1000-100000000
idmap config TEST: backend = rid
idmap config TEST: range = 1000-100000000
allow trusted domains = Yes
server signing = mandatory
client signing = mandatory
client use spnego = Yes
ntlm auth = Yes
lanman auth = No
max log size = 100
~~~
Diagnostic Steps
It is important to specify the correct uid/gid ranges.
The idmap_rid mapping algorithm is also documented in the man page (man idmap_rid).
THE MAPPING FORMULAS
The Unix ID for a RID is calculated this way:
ID = RID - BASE_RID + LOW_RANGE_ID
The user's full SID:
S-1-5-21-1838236636-880256014-2511056669-97249431
We can determine the user's RID from this information:
RID = 97249431
Without base_rid set for the specific domain, this defaults to 0.
BASE_RID = 0
The beginning of the uid/gid range is 20000.
LOW_RANGE_ID = 20000
The ID works out to 97269431:
97269431 = 97249431 - 0 + 20000
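As an added example (not code from the Red Hat article), the idmap_rid formula above implemented in Python, including the range check winbind applies, plus a collision check across trusted domains that share one range, which goes beyond the single mapping the text shows. The TEST domain SID and the RID values in the sample are constructed.

```python
import re

# Per-domain idmap_rid settings, mirroring the smb.conf above (constructed for this
# example): base_rid left at its default of 0, and both domains sharing one range.
IDMAP_CONFIG = {
    "EXAMPLE": {"range": (1000, 100000000), "base_rid": 0},
    "TEST": {"range": (1000, 100000000), "base_rid": 0},
}

# Domain account SID: S-1-5-21-<three sub-authorities>-<RID>
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")

def rid_from_sid(sid):
    """Return the RID (last sub-authority) of a domain account SID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a domain account SID: %s" % sid)
    return int(m.group(1))

def rid_to_id(domain, sid, config=IDMAP_CONFIG):
    """Apply the idmap_rid formula ID = RID - BASE_RID + LOW_RANGE_ID.

    Returns None when the result falls outside the domain's range, in which
    case winbind cannot map the account at all.
    """
    low, high = config[domain]["range"]
    unix_id = rid_from_sid(sid) - config[domain]["base_rid"] + low
    return unix_id if low <= unix_id <= high else None

def find_collisions(accounts, config=IDMAP_CONFIG):
    """Map (domain, sid) pairs and return {id: [(domain, sid), ...]} for every
    Unix ID claimed by more than one account. Two domains configured with the
    same range collide whenever their accounts carry equal RIDs."""
    owners = {}
    for domain, sid in accounts:
        unix_id = rid_to_id(domain, sid, config)
        if unix_id is not None:
            owners.setdefault(unix_id, []).append((domain, sid))
    return {i: o for i, o in owners.items() if len(o) > 1}

if __name__ == "__main__":
    # The article's SID, mapped with the 20000-based range from the diagnostic steps.
    kb = {"EXAMPLE": {"range": (20000, 100000000), "base_rid": 0}}
    print(rid_to_id("EXAMPLE", "S-1-5-21-1838236636-880256014-2511056669-97249431", kb))
    # Constructed accounts: same RID 1105 in both trusted domains (TEST domain SID is made up).
    sample = [("EXAMPLE", "S-1-5-21-1838236636-880256014-2511056669-1105"),
              ("TEST", "S-1-5-21-111111111-222222222-333333333-1105")]
    print(find_collisions(sample))
```

A non-empty result from find_collisions means two accounts from different domains would own the same files and group memberships on the Linux host, so each domain should get its own non-overlapping range.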
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
