Home / server / Questions / 172869
Accepted
Phanto
Asked: 2010-08-21 11:09:45 +0800 CST

Configure Winbind to get User Info from Windows

  • 772

I need to configure SAMBA and Winbind on Ubuntu 10.04.1 clients to get their UID, GID, and home directory from Windows Active Directory.

I have Windows Services for Unix installed with the relevant information entered in there (i.e. the UID, GID, shell, etc.).

The problem is that no matter what I try, I cannot get winbind to properly get that information and use it. I know the problem lies in my /etc/samba/smb.conf file. Unfortunately I just can't find any decent documentation whatsoever on how to properly set this up.

Below is my /etc/samba/smb.conf file:

[global]
    security = ads
    realm = DOMAINSERVER.COM
    password server = <<IP.of.domain.server>>
    workgroup = DOMAINSERVER
    winbind refresh tickets = yes
    idmap backend = ad      ## Important
    winbind enum users = yes
    winbind enum groups = yes
    template homedir = /home/%U  ## I tried commenting this out, and it didn't work
    template shell = /bin/bash  ## I tried commenting this out, and it didn't work
    client use spnego = yes
    client ntlmv2 auth = yes
    encrypt passwords = yes
    winbind nss info = sfu     ## Important
    winbind use default domain = yes
    restrict anonymous = 2

I REALLY appreciate the help on this one!

EDIT: The only other thing I can think of that is causing an issue is the fact that I haven't yet cleared the old winbind mapping stored in the /var/lib/samba/ directory. If I clear that out, will that resolve the issue? BTW, I have begun examining this document, however, its age may be of a problem: http://www.ccs.neu.edu/home/battista/articles/winbindenterprise/winbindenterprise.pdf

windows-server-2008 linux active-directory samba winbind

2 Answers

  1. Best Answer

    After finding the configuration listed at this location: http://www.ccs.neu.edu/home/battista/articles/winbindenterprise/winbindenterprise.pdf, I was able to get it working properly (well, for the most part). The primary task I needed to accomplish was to get each user to obtain their own unique UID, which this implementation does.

    I'm not able to retrieve all the informaiton from SFU, but I am able to get each user to get a unique UID which is consistent across all machines. This unique UID is based off of the Windows SID value.

    If someone knows the true fix for this, then I'll mark that as the answer.

    For the time being, the configuration for /etc/samba/smb.conf worked for me:

    [global]
    realm = DOMAINSERVER.COM
    workgroup = DOMAINSERVER
    security = ads
    password server = ip.of.pass.server

    idmap uid = 10000-20000
    idmap gid = 10000-20000
    idmap backend = rid:DOMAINSERVER.COM=10000-20000  ## IMPORTANT ##
    allow trusted domains = no                        ## IMPORTANT ##
    template homedir = /home/%U
    template shell = /bin/bash

    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind refresh tickets = yes        ## For Kerberos ##
    client use spnego = yes
    client ntlmv2 auth = yes
    encrypt passwords = yes
    restrict anonymous = 2

    After updating the file, I stopped the smbd and winbind services. I then navigated to the /var/lib/samba directory, and deleted all the files.

    Once that was completed, I rebooted my machine, and the UID's were based on the last digits of each user's SID, and I have verified that on multiple machines.

    I hope this post was helpful!

    • 2

  2. On the off chance this helps somebody: the way to get Winbind to notice the Unix login shell and home directory information from Active Directory is by adding the following to smb.conf:

    winbind nss info = rfc2307
    • 2