From ea5f289905a7d24d22129263061c45010f5b1d92 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Sun, 8 Apr 2018 14:40:04 -0500
Subject: [PATCH] roles/winbind: Use ad idmap backend

The `ad` identity mapper backend is apparently the only one that can use shell, home directory, etc. attributes from the directory now (as of Samba 4.6).
---
 roles/winbind/defaults/main.yml | 2 +-
 roles/winbind/templates/winbind.conf.j2 | 10 ++++++----
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/roles/winbind/defaults/main.yml b/roles/winbind/defaults/main.yml
index a006cfa..9b6b93e 100644
--- a/roles/winbind/defaults/main.yml
+++ b/roles/winbind/defaults/main.yml
@@ -1,4 +1,4 @@
-winbind_idmap_range: 16777216-33554431
+winbind_idmap_range: 3000000-3009999
 winbind_nss_info: rfc2307
 winbind_use_default_domain: true
 winbind_offline_login: true
diff --git a/roles/winbind/templates/winbind.conf.j2 b/roles/winbind/templates/winbind.conf.j2
index 2414332..317d72b 100644
--- a/roles/winbind/templates/winbind.conf.j2
+++ b/roles/winbind/templates/winbind.conf.j2
@@ -1,11 +1,13 @@
 template homedir = /home/%U
 template shell = /bin/bash
-{% if winbind_idmap_backend is defined %}
-idmap backend = {{ winbind_idmap_backend }}
-idmap config * : backend = {{ winbind_idmap_backend }}
+idmap config * : backend = tdb
+idmap config * : range = 1000000-1000999
+idmap config {{ workgroup }} : backend = ad
+idmap config {{ workgroup }} : range = {{ winbind_idmap_range }}
+{% if winbind_nss_info == 'rfc2307' %}
+idmap config {{ workgroup }} : unix_nss_info = yes
 {% endif %}
-idmap config * : range = {{ winbind_idmap_range }}
 kerberos method = {{ winbind_kerberos_method }}
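Review bot: The new default `winbind_idmap_range: 3000000-3009999` carries no comment saying what it has to match, and with the `ad` backend the range acts as a filter on the uidNumber/gidNumber values stored in the directory rather than as an allocation pool. Accounts whose attributes fall outside these 10,000 IDs are discarded by winbind, so a site with different directory numbering would most likely just see those users fail to resolve. I would add a comment above the variable such as `# Must cover every uidNumber/gidNumber assigned in AD and must not overlap 1000000-1000999 (default domain)`. Hosts that already mapped IDs from the old 16777216-33554431 range will see UIDs and GIDs change, so existing file ownership and ACLs should be checked as part of the rollout.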
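Review bot: The `*` range `1000000-1000999` is hard-coded while the domain range comes from `winbind_idmap_range`, so an inventory override that overlaps it gives two backends authority over the same IDs; Samba expects idmap ranges to be disjoint, and an overlap can map different principals to one UID. Either expose the default-domain range as a variable beside `winbind_idmap_range`, or state the reserved range in a template comment such as `{# 1000000-1000999 is reserved for the default domain; winbind_idmap_range must not overlap it #}`. `winbind_idmap_backend` is no longer read, so a host that set it (for example to `rid`) now switches to `ad` silently; a note in the role documentation or a failing check on that variable would make the change visible. The template also leaves `schema_mode` unset for the `ad` backend, so it is worth confirming that Samba's default matches the rfc2307 attributes selected by `winbind_nss_info`. The hunk header counts more context lines than are visible here, probably blank lines lost in extraction.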