Hi all,

I am deploying a new AD DC for our network using Ubuntu 18.04 and BIND_DLZ. All is fine but the RFC2307 attributes on DC. What's the recommended/correct way to use RFC2307 attributes on DC? At the wiki (1) it says:

> For example, setting up an ID mapping back end, such as 'ad' (RFC2307)
> or 'rid', in the smb.conf file is not supported and can cause
> the samba service to fail

Indeed, I have set a smb.conf with idmap settings below and it stops working after some time, with user/password errors:

[global]
dns forwarder = 192.168.0.254
netbios name = ARAUCARIA
realm = AD.A1.IND.BR
server role = active directory domain controller
workgroup = A1
server services = -dns

log file = /var/log/samba/%m.log
log level = 1

winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes

idmap config * : backend = tdb
idmap config * : range = 500-599

idmap config A1 :backend = ad
idmap config A1 :schema_mode = rfc2307
idmap config A1 :range = 601-65300
idmap config A1 :unix_nss_info = yes
idmap config A1 :unix_primary_group = yes

[netlogon]
path = /var/lib/samba/sysvol/ad.a1.ind.br/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No

I don't want to set a winbind template, I do have rfc2307 information for our users and would like to use them on DC but could not get it working, can someone point me in the right direction? Is winbind the way to go, or should I look to SSSD or LikeWise?

(1) https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC

Thanks and best regards.

-- 
*Marcio Merlone*
On Wed, 8 Aug 2018 10:18:51 -0300
Marcio Vogel Merlone dos Santos via samba <samba at lists.samba.org> wrote:

> Hi all,
>
> I am deploying a new AD DC for our network using Ubuntu 18.04 and
> BIND_DLZ. All is fine but the RFC2307 attributes on DC. What's the
> recommended/correct way to use RFC2307 attributes on DC? At the wiki
> (1) it says:
>
> > For example, setting up an ID mapping back end, such
> > as 'ad' (RFC2307) or 'rid', in the smb.conf file is not supported and
> > can cause the samba service to fail
>
> Indeed, I have set a smb.conf with idmap settings below and it stops
> working after some time, with user/password errors:
>
> [global]
> dns forwarder = 192.168.0.254
> netbios name = ARAUCARIA
> realm = AD.A1.IND.BR
> server role = active directory domain controller
> workgroup = A1
> server services = -dns
>
> log file = /var/log/samba/%m.log
> log level = 1
>
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
>
> idmap config * : backend = tdb
> idmap config * : range = 500-599
>
> idmap config A1 :backend = ad
> idmap config A1 :schema_mode = rfc2307
> idmap config A1 :range = 601-65300
> idmap config A1 :unix_nss_info = yes
> idmap config A1 :unix_primary_group = yes
>
> [netlogon]
> path = /var/lib/samba/sysvol/ad.a1.ind.br/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> I don't want to set a winbind template, I do have rfc2307 information
> for our users and would like to use them on DC but could not get it
> working, can someone point me in the right direction? Is winbind the
> way to go, or should I look to SSSD or LikeWise?
>
> (1)
> https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC
>
> Thanks and best regards.
>

You really didn't understand the wiki, did you ;-)

OK, let's see if I can explain it better:

On a DC, by default idmap mapping is done in idmap.ldb and this uses 'xidNumber' attributes, which start at '3000000'.

The 'ad' winbind backend uses rfc2307 attributes and is only usable on Unix domain members.

The 'rid' winbind backend calculates the user or group ID from the AD object's RID and again is only usable on a Unix domain member.

The only way to have the same ID number everywhere is to use the 'ad' backend, but there is a gotcha: on a DC only the uidNumber & gidNumber attributes from AD are used, you have to set the user shell & home directory with 'template' lines in smb.conf.

All of this is part of the reason why Samba doesn't recommend using a DC as a fileserver.

Let's now look at what I would remove from your smb.conf:

dns forwarder = 192.168.0.254
# remove this because you are using bind9 and that is where the forwarder should be set

winbind use default domain = yes
# doesn't work on a DC

winbind enum users = yes
winbind enum groups = yes
# just slows things down and isn't needed.

idmap config * : backend = tdb
idmap config * : range = 500-599
idmap config A1 :backend = ad
idmap config A1 :schema_mode = rfc2307
idmap config A1 :range = 601-65300
idmap config A1 :unix_nss_info = yes
idmap config A1 :unix_primary_group = yes
# On top of not working on a DC, you have chosen stupid ranges.

You will also need to add this line (which would have been added if you provisioned with '--use-rfc2307'):

idmap_ldb:use rfc2307 = yes

What users and groups have you given uidNumber & gidNumber attributes to? Also did you use the ranges you set in the DC smb.conf?

Did you follow the Samba wiki or some other howto?

Rowland
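A small checker that applies the review points above to a DC's smb.conf, added here as an illustration (it is not Samba's testparm and not code from anyone in the thread); the sample config is constructed from the [global] section posted earlier, and the using_bind_dlz flag is an assumption, since the file alone does not say which DNS backend was provisioned.

```python
# Constructed sample: a cut-down copy of the [global] section posted in this thread.
SAMPLE_SMB_CONF = """
[global]
server role = active directory domain controller
dns forwarder = 192.168.0.254
winbind use default domain = yes
winbind enum users = yes
idmap config * : backend = tdb
idmap config A1 :backend = ad
idmap config A1 :range = 601-65300
"""

def parse_smb_conf(text):
    """Return {section: {key: value}}; keys are lower-cased with spaces collapsed."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

def lint_dc_idmap(text, using_bind_dlz=False):
    """Apply Rowland's review points to a DC config; returns findings (empty = clean)."""
    g = parse_smb_conf(text).get("global", {})
    if "domain controller" not in g.get("server role", ""):
        return []  # 'ad' and 'rid' backends are fine on a Unix domain member
    yes = lambda k: g.get(k, "").lower() in ("yes", "true", "1")
    findings = []
    for key in sorted(g):
        if key.startswith("idmap config"):
            findings.append(f"'{key}': not supported on a DC, which maps IDs in idmap.ldb")
    if yes("winbind use default domain"):
        findings.append("'winbind use default domain = yes' does not work on a DC")
    for key in ("winbind enum users", "winbind enum groups"):
        if yes(key):
            findings.append(f"'{key} = yes' only slows things down and is not needed")
    if using_bind_dlz and "dns forwarder" in g:
        findings.append("'dns forwarder' belongs in the bind9 config when using BIND_DLZ")
    if not yes("idmap_ldb:use rfc2307"):
        findings.append("missing 'idmap_ldb:use rfc2307 = yes' (set by provisioning with --use-rfc2307)")
    return findings
```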
On 08/08/2018 11:15, Rowland Penny via samba wrote:
> On Wed, 8 Aug 2018 10:18:51 -0300
> Marcio Vogel Merlone dos Santos via samba <samba at lists.samba.org> wrote:
>
>> I am deploying a new AD DC for our network using Ubuntu 18.04 and
>> BIND_DLZ. All is fine but the RFC2307 attributes on DC. What's the
>> recommended/correct way to use RFC2307 attributes on DC? At the wiki
>> (1) it says:
>>
>>> For example, setting up an ID mapping back end, such
>>> as 'ad' (RFC2307) or 'rid', in the smb.conf file is not supported and
>>> can cause the samba service to fail
>> Indeed, I have set a smb.conf with idmap settings below and it stops
>> working after some time, with user/password errors:
>>
>> [global]
>> dns forwarder = 192.168.0.254
>> netbios name = ARAUCARIA
>> realm = AD.A1.IND.BR
>> server role = active directory domain controller
>> workgroup = A1
>> server services = -dns
>>
>> log file = /var/log/samba/%m.log
>> log level = 1
>>
>> winbind use default domain = yes
>> winbind enum users = yes
>> winbind enum groups = yes
>>
>> idmap config * : backend = tdb
>> idmap config * : range = 500-599
>>
>> idmap config A1 :backend = ad
>> idmap config A1 :schema_mode = rfc2307
>> idmap config A1 :range = 601-65300
>> idmap config A1 :unix_nss_info = yes
>> idmap config A1 :unix_primary_group = yes
>>
>> [netlogon]
>> path = /var/lib/samba/sysvol/ad.a1.ind.br/scripts
>> read only = No
>>
>> [sysvol]
>> path = /var/lib/samba/sysvol
>> read only = No
>>
>> I don't want to set a winbind template, I do have rfc2307 information
>> for our users and would like to use them on DC but could not get it
>> working, can someone point me in the right direction? Is winbind the
>> way to go, or should I look to SSSD or LikeWise?
>>
>> (1)
>> https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC
>>
>> Thanks and best regards.
>>
>>
> You really didn't understand the wiki, did you ;-)

I guess I did, sort of, but I like to test and push limits. I had to see for myself what happens.

> OK, let's see if I can explain it better:
> On a DC, by default idmap mapping is done in idmap.ldb and this uses
> 'xidNumber' attributes, which start at '3000000'

I don't like defaults and templates. But who cares?

> The 'ad' winbind backend uses rfc2307 attributes and is only usable on
> Unix domain members.
>
> The 'rid' winbind backend calculates the user or group ID from the AD
> object's RID and again is only usable on a Unix domain member
>
> The only way to have the same ID number everywhere is to use the 'ad'
> backend, but there is a gotcha, on a DC only the uidNumber & gidNumber
> attributes from AD are used, you have to set the user shell & home
> directory with 'template' lines in smb.conf

That's the point. Is there any way to get [gu]idNumber, homeDir and shell from AD on the DC? This is probably a silly requirement for my setup, but I'd like to use my AD user also to SSH on the server - among many other systems.

> All of this is part of the reason why Samba doesn't recommend using a
> DC as a fileserver.
>
> Let's now look at what I would remove from your smb.conf:
>
> dns forwarder = 192.168.0.254
> # remove this because you are using bind9 and that is where the
> forwarder should be set

samba-tool did it, thanks for the info.

> winbind use default domain = yes
> # doesn't work on a DC
>
> winbind enum users = yes
> winbind enum groups = yes
> # just slows things down and isn't needed.
>
> idmap config * : backend = tdb
> idmap config * : range = 500-599
> idmap config A1 :backend = ad
> idmap config A1 :schema_mode = rfc2307
> idmap config A1 :range = 601-65300
> idmap config A1 :unix_nss_info = yes
> idmap config A1 :unix_primary_group = yes
> # On top of not working on a DC, you have chosen stupid ranges.

Thanks for the compliment ;) But why do you say they are stupid? Consider there will be no trusted domain nor any other domain at all on the network, and the plan is to import users with existing xidNumber from an old existing working LDAP domain - but no domain migration, will take the opportunity to fix domain name, sid, etc. and make things right this time.

> You will also need to add this line (which would have been added if you
> provisioned with '--use-rfc2307'):
>
> idmap_ldb:use rfc2307 = yes

Since I can't use *all* rfc2307 info from AD, I see no point for that anymore.

> What users and groups have you given uidNumber & gidNumber attributes
> to? Also did you use the ranges you set in the DC smb.conf?

For now just a couple of test users, within those ranges.

> Did you follow the Samba wiki or some other howto?

Official samba wiki. Today I have an OpenLDAP server read not just by samba, but by all my services (smtp, imap, proxy, php apps, etc) and my goal was to keep a central user database for all environments as it is today. If that is possible for everything *except* for one system (THE DC), I think I'll have to change my goal.

Thanks, best regards.

-- 
*Marcio Merlone*