Hello list-

As a FreeBSD shop we've used Samba 3.x quite well for a couple years. With version 3.6 due to expire in due time, we've been experimenting with version 4.1 using winbindd with very limited success. We find that if we use the TDB backend instead of either RID or AD, we are able to enumerate our AD users via getent. I cannot enumerate AD users via either the AD or the RID backends. This doesn't strike me as a method I want to use, especially when the numerical user/group mappings differ between servers.

I saw a posting where it was recommended that FreeBSD sysadmins use either nslcd or sssd in order to enumerate AD users. After a period of experimentation, I can enumerate AD users successfully via nslcd (using bindpw) using the getent command. I can ssh into a FreeBSD box with my AD user credentials!

The nslcd mappings are as follows:

    # Alternative mappings for Active Directory
    # (replace the SIDs in the objectSid mappings with the value for your domain)
    pagesize 1000
    referrals off
    #idle_timelimit 800
    filter passwd (&(objectClass=user)(objectClass=person)(!(objectClass=computer)))
    #map passwd uid cn
    map passwd uid sAMAccountName
    map passwd uidNumber objectSid:S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX
    map passwd gidNumber objectSid:S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX
    map passwd homeDirectory "/home/$cn"
    map passwd gecos displayName
    map passwd loginShell "/bin/csh"
    #filter group (|(objectClass=group)(objectClass=person))
    filter group (objectClass=group)
    map group gidNumber objectSid:S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX

The next question is how to authenticate AD users using samba 4.1. What is the recommended method for authenticating AD users via samba 4.1 and nslcd? Should I use the smbpasswd auth method, i.e. using the migrate keyword to migrate auth info from the passwd/group files to the smbpasswd database? Or should I use ldap using the same mappings that nslcd uses?
If it is suggested that smbpasswd be used, which PAM policy should I use for Samba user authentication? The default FreeBSD implementation does not offer a policy for the Samba service. Here are the default policies:

    root at cache:/home# ll /etc/pam.d/
    total 64
    -r--r--r--  1 root  wheel  2911 Jan 16  2014 README
    -rw-r--r--  1 root  wheel   322 Jan 16  2014 atrun
    -rw-r--r--  1 root  wheel   199 Jan 16  2014 cron
    -rw-r--r--  2 root  wheel   531 Jan 16  2014 ftp
    -rw-r--r--  2 root  wheel   531 Jan 16  2014 ftpd
    -rw-r--r--  1 root  wheel   365 Jan 16  2014 imap
    -rw-r--r--  1 root  wheel   588 Oct 10 12:16 login
    -rw-r--r--  1 root  wheel   907 Oct 10 11:12 other
    -rw-r--r--  1 root  wheel   318 Jan 16  2014 passwd
    -rw-r--r--  1 root  wheel   365 Jan 16  2014 pop3
    -rw-r--r--  1 root  wheel   328 Jan 16  2014 rsh
    -rw-r--r--  1 root  wheel   884 Oct 10 13:46 sshd
    -rw-r--r--  1 root  wheel   384 Jan 16  2014 su
    -rw-r--r--  1 root  wheel   714 Jan 16  2014 system
    -rw-r--r--  1 root  wheel   764 Jan 16  2014 telnetd
    -rw-r--r--  1 root  wheel   529 Jan 16  2014 xdm
    root at cache:/home#

Which one of these policies should be used for Samba?

If it is suggested to use LDAP, I am finding that this link:

    https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html#id2607186

may be outdated. The use of 'ldap backend' appears to be outdated. Where can I find the current version of how to connect Samba using LDAP?

Obviously I remain unclear as to what the best way to accomplish authentication via Samba 4.1 is. Any pointers/clarifications would be greatly appreciated! This is on a FreeBSD 10.0 machine.

~Doug
On 14/10/14 20:20, Doug Sampson wrote:
> Hello list-
>
> As a FreeBSD shop we've used Samba 3.x quite well for a couple years. With version 3.6 due to expire in due time, we've been experimenting with version 4.1 using winbindd with very limited success.

Hi, yes you are right, 3.6 will reach EOL very soon; it is supposed to be when 4.2 is released, which could be tomorrow ;-) but then again it could be another RC. But you should be able to do anything with 4.1 that you did with 3.6, it is based on the same code.

> We find that if we use the TDB backend instead of either RID or AD, we are able to enumerate our AD users via getent. I cannot enumerate AD users via either the AD or the RID backends. This doesn't strike me as a method I want to use especially when the numerical users/groups mappings differ between servers.

You should be able to enumerate users with any backend, but if you use the ad backend, your users would need a uidNumber at least.

> I saw a posting where it was recommended that FreeBSD sysadmins use either nslcd or sssd in order to enumerate AD users. After a period of experimentation, I can enumerate AD users successfully via nslcd (using bindpw) using the getent command. I can ssh into a FreeBSD box with my AD user credentials!
>
> The nslcd mappings are as follows:
>
> # Alternative mappings for Active Directory
> # (replace the SIDs in the objectSid mappings with the value for your domain)
> pagesize 1000
> referrals off
> #idle_timelimit 800
> filter passwd (&(objectClass=user)(objectClass=person)(!(objectClass=computer)))

You could use (&(objectClass=user)(!(objectClass=computer))) or (&(objectClass=person)(!(objectClass=computer))), both would work; it's the not being a computer part that is important.

> #map passwd uid cn
> map passwd uid sAMAccountName
> map passwd uidNumber objectSid:S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX
> map passwd gidNumber objectSid:S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX
> map passwd homeDirectory "/home/$cn"
> map passwd gecos displayName
> map passwd loginShell "/bin/csh"
> #filter group (|(objectClass=group)(objectClass=person))
> filter group (objectClass=group)
> map group gidNumber objectSid:S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX
>
> The next question is how to authenticate AD users using samba 4.1. What is the recommended method for authenticating AD users via samba 4.1 and nslcd? Should I use the smbpasswd auth method -i.e. using the migrate keyword to migrate auth info from the passwd/group files to the smbpasswd database? Or should I use ldap using the same mappings that nslcd uses?

If you need to authenticate AD users, then the easiest way will probably be to run samba 4.1 as a DC.

Rowland

> If it is suggested that smbpasswd be used, which PAM policy should I use for Samba user authentication? The default FreeBSD implementation does not offer a policy for the Samba service.
>
> Here are the default policies:
>
> root at cache:/home# ll /etc/pam.d/
> total 64
> -r--r--r--  1 root  wheel  2911 Jan 16  2014 README
> -rw-r--r--  1 root  wheel   322 Jan 16  2014 atrun
> -rw-r--r--  1 root  wheel   199 Jan 16  2014 cron
> -rw-r--r--  2 root  wheel   531 Jan 16  2014 ftp
> -rw-r--r--  2 root  wheel   531 Jan 16  2014 ftpd
> -rw-r--r--  1 root  wheel   365 Jan 16  2014 imap
> -rw-r--r--  1 root  wheel   588 Oct 10 12:16 login
> -rw-r--r--  1 root  wheel   907 Oct 10 11:12 other
> -rw-r--r--  1 root  wheel   318 Jan 16  2014 passwd
> -rw-r--r--  1 root  wheel   365 Jan 16  2014 pop3
> -rw-r--r--  1 root  wheel   328 Jan 16  2014 rsh
> -rw-r--r--  1 root  wheel   884 Oct 10 13:46 sshd
> -rw-r--r--  1 root  wheel   384 Jan 16  2014 su
> -rw-r--r--  1 root  wheel   714 Jan 16  2014 system
> -rw-r--r--  1 root  wheel   764 Jan 16  2014 telnetd
> -rw-r--r--  1 root  wheel   529 Jan 16  2014 xdm
> root at cache:/home#
>
> Which one of these policies should be used for Samba?
>
> If it is suggested to use LDAP, I am finding that this link:
>
> https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html#id2607186
>
> may be outdated. The use of 'ldap backend' appears to be outdated. Where can I find the current version of how to connect Samba using LDAP?
>
> Obviously I remain unclear as to what the best way to accomplish authentication via Samba 4.1. Any pointers/clarifications would be greatly appreciated! This is on a FreeBSD 10.0 machine.
>
> ~Doug
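The `map passwd uidNumber objectSid:S-1-5-21-...` lines in the nslcd configuration above derive the POSIX id from the RID (the last sub-authority) of each account's SID, which is why the same user gets the same uid on every host, unlike an allocate-on-first-sight idmap database. The following Python is an added illustration of that derivation, not code from nslcd, Samba or anyone in this thread. It decodes both the string form and the binary `objectSid` value an LDAP search actually returns, rejects SIDs outside the configured domain (BUILTIN and foreign-domain SIDs), and flags derived ids that collide with local accounts. The domain SID, directory entries and passwd contents are constructed samples.

```python
import struct

# Constructed sample domain SID for illustration; the X's in the posted nslcd
# config stand for the real sub-authorities of the poster's domain.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

# Constructed local passwd(5) content; a real FreeBSD file will differ.
LOCAL_PASSWD = """root:*:0:0:Charlie &:/root:/bin/csh
operator:*:2:5:System &:/:/usr/sbin/nologin
svcbackup:*:500:500:Backup service:/nonexistent:/usr/sbin/nologin
"""


def parse_sid_string(sid):
    """Split 'S-1-5-21-...' into (revision, identifier authority, [sub-authorities])."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    return int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]]


def sid_to_string(revision, authority, subs):
    """Inverse of parse_sid_string."""
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def parse_sid_binary(blob):
    """Decode the binary objectSid value LDAP returns: revision (1 byte),
    sub-authority count (1 byte), identifier authority (6 bytes, big-endian),
    then count x 32-bit little-endian sub-authorities."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID blob length does not match its sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = list(struct.unpack("<%dI" % count, blob[8:]))
    return revision, authority, subs


def sid_to_binary(revision, authority, subs):
    """Encode a SID in the binary form (inverse of parse_sid_binary)."""
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def posix_id_for_sid(sid, domain_sid=DOMAIN_SID):
    """Return the RID of `sid` as the POSIX id if the SID belongs to `domain_sid`,
    otherwise None. Accepts the string form or the raw binary attribute value."""
    if isinstance(sid, (bytes, bytearray)):
        revision, authority, subs = parse_sid_binary(sid)
    else:
        revision, authority, subs = parse_sid_string(sid)
    if not subs:
        return None
    # Everything but the last sub-authority must equal the domain SID exactly;
    # this rejects BUILTIN (S-1-5-32-...) and foreign-domain SIDs.
    if (revision, authority, subs[:-1]) != parse_sid_string(domain_sid):
        return None
    return subs[-1]


def map_entries(entries, domain_sid=DOMAIN_SID):
    """Map {name: objectSid} to {name: uid}, dropping entries outside the domain."""
    result = {}
    for name, sid in entries.items():
        posix_id = posix_id_for_sid(sid, domain_sid)
        if posix_id is not None:
            result[name] = posix_id
    return result


def check_local_collisions(ids, local_passwd_text=LOCAL_PASSWD):
    """Flag derived ids already used by a local account: well-known RIDs such as
    500 (Administrator) or 512 (Domain Admins) sit in the range local service
    accounts often occupy."""
    local = {}
    for line in local_passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            local[int(fields[2])] = fields[0]
    return {name: (uid, local[uid]) for name, uid in ids.items() if uid in local}


if __name__ == "__main__":
    # Constructed directory entries: string SIDs and one binary objectSid value.
    entries = {
        "doug": DOMAIN_SID + "-1105",
        "administrator": sid_to_binary(1, 5, [21, 1111111111, 2222222222, 3333333333, 500]),
        "BUILTIN\\Administrators": "S-1-5-32-544",
    }
    ids = map_entries(entries)
    print(ids)                          # identical on every host that uses this domain SID
    print(check_local_collisions(ids))  # Administrator (RID 500) vs local uid 500
```

Running the block on two different hosts gives the same ids because nothing is allocated; that is the property the posted mapping buys over a per-server TDB. The collision check is the one thing to run before enabling the mapping, since nothing in the directory prevents a RID from equalling a uid already present in /etc/passwd.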
On 16:46:19 wrote Doug Sampson:
> Hello list-
>
> As a FreeBSD shop we've used Samba 3.x quite well for a couple years.
> With version 3.6 due to expire in due time, we've been experimenting
> with version 4.1 using winbindd with very limited success.

Why do you wish to change things, if you have a working setup? Just run samba 4.1.x in classic mode, aka samba 3, aka NT-style.

https://wiki.samba.org/index.php/User_Documentation does not have much information about classic mode. Read the man pages and/or the "Official Samba 3 HOWTO":

    http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/index.html

You may use samba 4.1.x in the same way as samba 3.6.x. Surely, there are some things to watch. The most important one is different defaults for a lot of smb.conf parameters and some new ones.

    testparm -s -v /dev/null > samba-<version>.default.conf

shows you all default settings. Do it on your 3.6 server and on your new server, so you know old and new defaults.

    testparm -s > samba-<version>.running.conf

Again, do it on both servers.

If I need to migrate a 3.x server to 4.x, the first thing I will do is to change new default settings to old ones. For share setups, the new default is read only, so you may add "read only = No" for each share definition. nss and pam configs should be the same.

-- 
Regards Harry Jede
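The two `testparm` dumps described above are only useful once they are compared, and smb.conf is forgiving about parameter spelling (case and spacing are ignored), so a plain `diff` reports noise. The following Python is an added helper, not part of Samba or of this thread, that parses two `testparm -s -v /dev/null` style dumps into sections, reports defaults that changed, appeared or disappeared, and renders the changed ones as smb.conf lines that pin the old value, which is the "change new default settings to old ones" step. The two embedded dumps are constructed samples with a placeholder parameter name; they are not the real 3.6 or 4.1 defaults, so run it on your own dumps.

```python
# Constructed sample dumps standing in for the two `testparm -s -v /dev/null`
# outputs; the values are illustrative, not the real 3.6 or 4.1 defaults.
OLD_DEFAULTS = """# Global parameters
[global]
    workgroup = WORKGROUP
    server string = Samba %v
    read only = No
    log level = 0
"""

NEW_DEFAULTS = """# Global parameters
[global]
    workgroup = WORKGROUP
    server string = Samba %v
    Read Only = Yes
    log level = 0
    placeholder new parameter = Yes
"""


def normalise_key(key):
    """smb.conf parameter names are case- and whitespace-insensitive."""
    return " ".join(key.lower().split())


def parse_testparm(text):
    """Parse `testparm -s` output into {section: {parameter: value}}.
    Synonyms (e.g. 'writeable' vs 'read only') are not folded together."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][normalise_key(key)] = value.strip()
    return sections


def diff_defaults(old_text, new_text, section="global"):
    """Return (changed, only_old, only_new) for one section of two dumps:
    changed maps parameter -> (old value, new value)."""
    old = parse_testparm(old_text).get(section, {})
    new = parse_testparm(new_text).get(section, {})
    changed = {k: (old[k], new[k]) for k in old.keys() & new.keys() if old[k] != new[k]}
    only_old = {k: old[k] for k in old.keys() - new.keys()}
    only_new = {k: new[k] for k in new.keys() - old.keys()}
    return changed, only_old, only_new


def pin_old_defaults(changed):
    """Render changed parameters as smb.conf lines restoring the old value,
    ready to paste into [global] or the affected share definitions."""
    return "\n".join("%s = %s" % (k, old) for k, (old, _) in sorted(changed.items()))


def report(old_text, new_text, section="global"):
    """Human-readable summary for one section."""
    changed, only_old, only_new = diff_defaults(old_text, new_text, section)
    lines = ["[%s]" % section]
    for k, (o, n) in sorted(changed.items()):
        lines.append("changed: %s: %r -> %r" % (k, o, n))
    for k, v in sorted(only_old.items()):
        lines.append("removed: %s = %s" % (k, v))
    for k, v in sorted(only_new.items()):
        lines.append("new:     %s = %s" % (k, v))
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:   # python compare.py old.default.conf new.default.conf
        with open(sys.argv[1]) as f_old, open(sys.argv[2]) as f_new:
            old_text, new_text = f_old.read(), f_new.read()
    else:
        old_text, new_text = OLD_DEFAULTS, NEW_DEFAULTS
    print(report(old_text, new_text))
    print("--- lines to pin the old defaults ---")
    print(pin_old_defaults(diff_defaults(old_text, new_text)[0]))
```

Review the "new:" entries by hand as well: a parameter that did not exist on the old server has no old value to pin, so its new default needs a deliberate decision rather than a copy of the previous setting.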