Rowland - thanks for your reply. I did send a message after this one you
responded to with several other questions, but I'll pursue questioning on
GID/UID in this reply as that is what you've mainly discussed. But, please
check out that next email for other questions. Thanks.
For a particular domain user in the AD, wbinfo gives:
$ wbinfo -i mark
HPRS\mark:*:3000026:100:Mark Foley:/home/HPRS/mark:/bin/false
Main question: what should the range settings be in my client smb.conf? Or, are
these really bad GID/UIDs to use and I should change them?
Background: why do I have these GID(100) UIDs(300000xx)? The answer is that I
created domain users on the AD via RSAT > Active Directory Users and
Computers.
These are apparently the GID and UID range assigned by default. The ADUC >
username > properties > Unix Attributes, UID and GID fields are blank, so I
guess 100:30000xx are picked by default.
Can I work with what I have or should I change these?
There are no other actual local users on either the AD or client aside from me
(100:1000 mfoley) other than the built-in accounts (root, bin, daemon, adm, lp
...) and services accounts (dovecot, spamd, mysql, ...). No other actual local
users.
How do you recommend I proceed with my idmap range configuration?
--Mark
-----Original Message-----
> Date: Fri, 09 Oct 2015 09:12:31 +0100
> From: Rowland Penny <rowlandpenny241155 at gmail.com>
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba AD PDC , LDAP and Single-Sign-On
>
> On 08/10/15 23:24, Mark Foley wrote:
> > On Thu, 08 Oct 2015 21:52 Rowland Penny wrote:
> >
> >> What you cannot do is use GPO's like windows does, everything else is
> >> possible, you just need to setup the clients correctly.
> > Excellent! I've been messing around with GPOs on Windows AD domains for years,
> > more extensively this past year with Samba4 AD/DC and I absolutely hate them.
> > In my opinion they are yet another attempt by Microsoft to shore up a
> > fundamentally insecure OS. I have yet to find a GPO that would be worthwhile in
> > Linux. "Trust Center"? Gee, can't execute macros in Linux that run as root -
> > don't need that. "Remote Desktop GPO"? How about VNC. I've got more, lots
> > more, but I'll stop. If you can give me an example of one GPO that would be
> > useful in Linux I'll moderate my position. Sorry to get on a rant, but if we do
> > manage to convert away from Windows, I say "good riddance" to GPOs!
> >
> >> There is a page on the Samba wiki that purports to be for a member
> >> server, well, in my opinion, it is just the basic setup and you would
> >> need to extend it to make it a proper member server, you can also use
> >> this basic setup for a workstation.
> >>
> >> Most, if not all, of the information you require is on the wiki and you
> >> only have to ask here about any gaps you find.
> > That's great!!! I've been searching for that particular wiki for a couple of
> > months now without success. Can you point me to it? Are you referring to
> > Sketch's link?
> >
> > https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>
> Yes that is the page, but what you have to understand is that a proper
> 'member server' is just a Unix client on steroids :-D
>
> If you follow that wiki page, you will end up with a Unix client just
> like this one I am typing this on. The wiki page shows how to use the
> 'ad' backend, with this you need to add 'uidNumber' & 'gidNumber'
> attributes to your users & groups in AD, but you could use the 'rid'
> backend instead and not need to add anything.
> The ranges shown on the wiki page '2000-9999' & '10000-99999' were
> chosen because you need to have somewhere to store the well-known RIDs
> and your users & groups. The lower range was chosen for the well-known
> RIDs because:
> A) there are only approx 100 of them at present
> B) the chosen range will allow a small amount of local users (not that
> you actually need local users) to fix things if connection to the domain
> is broken.
> The upper range was chosen because '10000' is where ADUC starts from and
> '99999' allows for the number to be raised i.e. you could add another '9'
>
> How do I know all this? simple, it is my basic smb.conf :-)
>
> Once you have the basic smb.conf and the workstation joined to the
> domain, you could, if you wish, upgrade the workstation to a proper
> member server (by adding the profiles stanza) or a fileserver by adding
> shares, or a print server, I think you get the drift by now.
>
> You can do more, the info (hopefully) is on the wiki and if it isn't,
> ask here, there are no stupid questions :-)
>
> Rowland
>
> >
> > --Mark
> >
> > -----Original Message-----
> >> Date: Thu, 08 Oct 2015 21:52:04 +0100
> >> From: Rowland Penny <rowlandpenny241155 at gmail.com>
> >> To: samba at lists.samba.org
> >> Subject: Re: [Samba] Samba AD PDC , LDAP and Single-Sign-On
> >>
> >> On 08/10/15 21:17, Mark Foley wrote:
> >>> On Oct 8 2015 09:32 Rowland Penny wrote:
> >>>
> >>>> It might help if you were to explain just what you require from single-sign-on ?
> >>> Well, perhaps I'm mistaken, but is this not the #1 reason to install Samba4?
> >>> From reading this list over the past couple of months it does not seem that
> >>> Authenticating users on Windows workstations is the main thing people do. But,
> >>> is not the ability to authenticate user logins from any (Linux or Windows)
> >>> workstation in the domain the chief purpose of Samba4? If not, please straighten
> >>> me out. What's it good for?
> >>>
> >>> As to what *I* require, scenario: I am sitting at a linux workstation on our
> >>> office network, any linux workstation, not just the one in *my* office. I have
> >>> a login prompt. I don't have a specific local account configured in /etc/passwd
> >>> on this particular workstation. I log in using my ID/PW which is authenticated
> >>> centrally (presumably via the Samba4 AD/DC), and I'm logged in! I'm not quite sure
> >>> where I'm logged into yet, but I'll cross that bridge when I come to it.
> >>>
> >>> In Windows, using Samba4 AD/DC, this is a snap. I just join the domain via
> >>> Start > Computer > Properties > Advanced System Settings > Computer Name >
> >>> Change, and click 'Domain'. I have to fill in the domain name, enter the Domain
> >>> Administrator credentials and I'm done. Now, any domain user can log into any
> >>> Windows workstation anywhere on the domain.
> >>>
> >>> That's basically what I want to do with Linux workstations. I need to sort this
> >>> out because we are looking at replacing Windows workstations with Linux
> >>> workstations.
> >>>
> >>> I will investigate the recommendations posted by L.P.H. van Belle and Guilherme
> >>> Boing and see if I can make some headway.
> >>>
> >>>> Date: Thu, 08 Oct 2015 09:32:31 +0100
> >>>> From: Rowland Penny <rowlandpenny241155 at gmail.com>
> >>>> To: samba at lists.samba.org
> >>>> Subject: Re: [Samba] Samba AD PDC , LDAP and Single-Sign-On
> >>>>
> >>>> On 08/10/15 04:16, Mark Foley wrote:
> >>>>> I'm very confused. I have a Samba4 AD/DC which works great for Windows
> >>>>> Authentication with our Windows 7 workstations.
> >>>>>
> >>>>> Now, I am trying to implement single-sign-on for our coming-soon Linux workstations.
> >>>> It might help if you were to explain just what you require from
> >>>> single-sign-on ?
> >>>>
> >>>> Rowland
> >>>>
> >>>>> All web documentation I've so far found on this references OpenLDAP as the server
> >>>>> and describes server-side commands such as kadmin and slapd-config to get things
> >>>>> set up on the server-side (e.g. https://help.ubuntu.com/community/SingleSignOn)
> >>>>> which don't exist on the Samba4 AD/DC.
> >>>>>
> >>>>> Samba4 apparently has its own LDAP (Heimdal?) implementation. Does this mean
> >>>>> everything should "just work" with LDAP clients and I need do no further
> >>>>> server-side configuration? Or does it mean, "sorry, you can't do LDAP
> >>>>> Authentication with Samba4."
> >>>>>
> >>>>> Please clarify so I can make some decisions.
> >>>>>
> >>>>> btw - the following command *does* work from a Linux client on the network:
> >>>>>
> >>>>> ldapsearch -xLLL -H ldap://mail:389 -D "cn=Administrator,CN=Users,dc=HPRS,dc=local" -W -b "dc=HPRS,dc=local"
> >>>>>
> >>>>> --Mark
> >>>>>
> >>>>>
> >>>>>
> >>>> --
> >>>> To unsubscribe from this list go to the following URL and read the
> >>>> instructions: https://lists.samba.org/mailman/options/samba
> >>>>
> >> So, you want to use a Linux computer just like a windows computer, well
> >> you can and you can't :-)
> >>
> >> What you cannot do is use GPO's like windows does, everything else is
> >> possible, you just need to setup the clients correctly.
> >>
> >> The first thing you need to understand is there is only one basic way to
> >> setup Samba in an AD domain, it is what you do with Samba after this
> >> that defines what it will be used for.
> >> There is a page on the Samba wiki that purports to be for a member
> >> server, well, in my opinion, it is just the basic setup and you would
> >> need to extend it to make it a proper member server, you can also use
> >> this basic setup for a workstation.
> >>
> >> Most, if not all, of the information you require is on the wiki and you
> >> only have to ask here about any gaps you find.
> >>
> >> Rowland
> >>
> >>
> >>
>
>
>
>
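Added example, not from this thread and not Samba's own code: a small Python checker that holds a constructed smb.conf laid out the way Rowland describes (the default '*' domain on the tdb backend with range 2000-9999, the HPRS domain on the rid backend with range 10000-99999), verifies that the idmap ranges do not overlap, and reports which range, if any, the uid and gid from the wbinfo line earlier in the thread fall into. The domain name HPRS and the wbinfo line are taken from the thread; the realm value and the rest of the sample config are assumptions.

```python
"""Check smb.conf idmap ranges for overlap and locate a Unix ID in them.

The sample config below is constructed for this example; it follows the
two-range layout quoted in the thread (default domain 2000-9999, AD domain
10000-99999).  Only the 'idmap config' lines are parsed.
"""
import re

# Constructed smb.conf fragment (realm and non-idmap settings are assumptions).
SAMPLE_SMB_CONF = """
[global]
    workgroup = HPRS
    realm = HPRS.LOCAL
    security = ADS
    # well-known RIDs (BUILTIN etc.) and room for a few local users
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    # domain users and groups, algorithmic mapping, nothing to add in AD
    idmap config HPRS : backend = rid
    idmap config HPRS : range = 10000-99999
    winbind use default domain = yes
"""

# The 'wbinfo -i mark' output quoted earlier in the thread.
WBINFO_LINE = "HPRS\\mark:*:3000026:100:Mark Foley:/home/HPRS/mark:/bin/false"

IDMAP_RE = re.compile(
    r'^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$', re.IGNORECASE)


def parse_idmap(conf_text):
    """Return {domain: {'backend': str, 'range': (lo, hi)}} from smb.conf text."""
    domains = {}
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in '#;':   # smb.conf comment lines
            continue
        m = IDMAP_RE.match(line)
        if not m:
            continue
        domain, key, value = m.group(1), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(domain, {})
        if key == 'range':
            lo, hi = (int(x) for x in re.split(r'\s*-\s*', value))
            if lo > hi:
                raise ValueError(f"idmap range for {domain} is inverted: {value}")
            entry['range'] = (lo, hi)
        else:
            entry[key] = value
    return domains


def find_overlaps(domains):
    """Pairs of idmap domains whose ranges intersect.

    Two backends sharing IDs means two different SIDs can end up owning the
    same Unix ID, so any pair returned here is a misconfiguration.
    """
    ranged = [(d, e['range']) for d, e in domains.items() if 'range' in e]
    overlaps = []
    for i, (d1, (lo1, hi1)) in enumerate(ranged):
        for d2, (lo2, hi2) in ranged[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                overlaps.append((d1, d2))
    return overlaps


def range_for_id(domains, unix_id):
    """Name of the idmap domain whose range contains unix_id, or None."""
    for d, e in domains.items():
        if 'range' in e and e['range'][0] <= unix_id <= e['range'][1]:
            return d
    return None


def check_wbinfo_line(domains, wbinfo_line):
    """Parse a passwd-style 'wbinfo -i' line and locate its uid and gid."""
    fields = wbinfo_line.split(':')
    uid, gid = int(fields[2]), int(fields[3])
    return {'uid': uid, 'uid_range': range_for_id(domains, uid),
            'gid': gid, 'gid_range': range_for_id(domains, gid)}


if __name__ == '__main__':
    conf = parse_idmap(SAMPLE_SMB_CONF)
    for dom, entry in conf.items():
        print(f"{dom:6} backend={entry.get('backend')} range={entry.get('range')}")
    print('overlapping ranges:', find_overlaps(conf) or 'none')
    print(check_wbinfo_line(conf, WBINFO_LINE))
```

Run as-is, the uid 3000026 and gid 100 from the wbinfo line land in neither configured range, which is the concrete form of the question asked above: an ID handed out under one idmap layout will not be the ID winbind computes under another, so the ranges and backend have to be settled before files on the member server are owned by domain users. Widening the '*' range so that it reaches into 10000-99999 makes `find_overlaps` report the pair, which is the check worth running whenever the ranges are edited.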