Winbind on Samba4 II

OK. I'm not giving up on this one. We have nss-pam-ldap working perfectly against Samba4 LDAP. We want to compare it with nss-winbind performance.

We need to pull the uid:gid number pair from LDAP. nss-ldapd just does it but we are experimeting with winbind at both ends. This is proving to be a real pita.

Let's have a go. We're on openSUSE 12.1 with a Samba4 beta 6 checkout from today
Samba 4 DC with s3fs and nfs file server
smb.conf needs:
idmap enum users = Yes
idmap enum groups = Yes
login shell = /bin/bash
idmap_ldb:use rfc2307 = Yes
(note: no white space either side of the ":")

Samba 3.6 clients. We're also on openSUSE 12.1 with Samba 3.6.3 patched a thousand times to make it work
idmap config : backend = ad
idmap config : range = 20000-4000000

UPDATE: Final solution for smb.conf on 3.6 which pulls all rfc2307 from the Samba4 AD.

realm = polop.site
workgroup = ALTEA
security = ADS

winbind enum users = Yes
winbind enum groups = Yes
idmap config *:backend = tdb
idmap config *:range = 3000-4000
idmap config ALTEA:backend = ad
idmap config ALTEA:range = 20000-40000000
idmap config ALTEA:schema_mode = rfc2307 
winbind nss info = rfc2307
winbind expand groups = 2
winbind nested groups = yes 

I add a sample user object to AD and add:

objectClass: posixAccount
uidNumber: 3000027
gidNumber: 20513

I use Domain Users as my default group so add::
objectClass: posixGroup
gidNumber: 20513

I choose 20513 for readability. 513 is the rid for Domain Users and adding 20000 to it keeps it out of the way of local users.

UPDATE: Samba4 DC working with uidNumber and gidNumber being pulled from AD. Whahey! Unfortunately that's as good as it gets with winbind. To pull the whole of rfc2307 on the DC, you must use e.g. nss-ldapd or even better, sssd with its own ad backend.