roles/winbind: Use ad idmap backend

The `ad` identity mapper backend is apparently the only one that can use shell, home directory, etc. attributes from the directory now (as of Samba 4.6).
2018-04-08 14:40:04 -05:00 · 2018-04-08 14:40:04 -05:00 · ea5f289905
parent 5489ddac1f
commit ea5f289905
2 changed files with 7 additions and 5 deletions
--- a/roles/winbind/defaults/main.yml
+++ b/roles/winbind/defaults/main.yml
@ -1,4 +1,4 @@
-winbind_idmap_range: 16777216-33554431
+winbind_idmap_range: 3000000-3009999
 winbind_nss_info: rfc2307
 winbind_use_default_domain: true
 winbind_offline_login: true
--- a/roles/winbind/templates/winbind.conf.j2
+++ b/roles/winbind/templates/winbind.conf.j2
@ -1,11 +1,13 @@
 template homedir = /home/%U
 template shell = /bin/bash

-{% if winbind_idmap_backend is defined %}
-idmap backend = {{ winbind_idmap_backend }}
-idmap config * : backend = {{ winbind_idmap_backend }}
+idmap config * : backend = tdb
+idmap config * : range = 1000000-1000999
+idmap config {{ workgroup }} : backend = ad
+idmap config {{ workgroup }} : range = {{ winbind_idmap_range }}
+{% if winbind_nss_info == 'rfc2307' %}
+idmap config {{ workgroup }} : unix_nss_info = yes
 {% endif %}
-idmap config * : range = {{ winbind_idmap_range }}

 kerberos method = {{ winbind_kerberos_method }}