Hi - This question is with reference to: https://wiki.samba.org/index.php/Idmap_config_ad I think I know how this works, but there are still points of confusion. Given the example smb.conf file provided on the page referenced above: [global] section of smb.conf: ------------------------------------- security = ADS workgroup = SAMDOM realm = SAMDOM.EXAMPLE.COM log file = /var/log/samba/%m.log log level = 1 # Default ID mapping configuration for local BUILTIN accounts # and groups on a domain member. The default (*) domain: # - must not overlap with any domain ID mapping configuration! # - must use a read-write-enabled back end, such as tdb. idmap config * : backend = tdb idmap config * : range = 3000-7999 # - You must set a DOMAIN backend configuration # idmap config for the SAMDOM domain idmap config SAMDOM:backend = ad idmap config SAMDOM:schema_mode = rfc2307 idmap config SAMDOM:range = 10000-999999 idmap config SAMDOM:unix_nss_info = yes vfs objects = acl_xattr map acl inherit = yes store dos attributes = yes ------------------------------------- I believe "Default domain" is a bit of a misnomer referring to accounts that are identified by nss before it gets to winbind or sssd; i.e. accounts found in /etc/passwd. So on this system (assuming no other directory services are configured), UIDs 3000-7999 are available for use in /etc/passwd. What I don't understand is why you're assigning a tdb backend to this when the authentication is going to be handled by pam_unix rather than pam_windbind. That's the main point of confusion. Second, I'm assuming these 2 lines: idmap config SAMDOM:schema_mode = rfc2307 idmap config SAMDOM:range = 10000-999999 Refer to the values that can be set for the uidNumber attribute in the Active Directory database and further that users authenticating on this linux system will have the UIDs and GIDs specified in the uidNumber and gidNumber attributes associated with their user record. It seems like you don't necessarily need: idmap config SAMDOM:unix_nss_info = yes if everyone uses the same default shell and has the same home directory path; i.e. if these can be set using a global template. Based on the correctness of the above, I"m converting a small NT domain to Active Directory (by hand). The environment has several linux machines with local UIDs assigned in the 1001-2000 range (but with the UIDs the same across the linux hosts). Since I don't plan to bind most of the linux machines to the domain (there is a vague user-driven business case for this), I would like the authorization to work the same for Samba shares to AD bound Windows machines and the standalone linux workstations, since these systems mount the same remote filesystems via either SMB or NFS in the case of the linux systems. So my thought is to do something like this: portion of [global] section of smb.conf ------------------------------------- idmap config * : backend = tdb idmap config * : range = 2000-2999 # - You must set a DOMAIN backend configuration # idmap config for the SAMDOM domain idmap config SAMDOM:backend = ad idmap config SAMDOM:schema_mode = rfc2307 idmap config SAMDOM:range = 1001-1999 ------------------------------------- Again, very unclear why I'm configuring a tdb database for local accounts, if my understanding of how this works is correct. This would reserve the UIDs 2000-2999 for potential local use, while creating an AD UID mapping that seamlessly works with the existing linux systems. Then if I do end up binding some of these linux machines to the domain, everything just works with no acl mapping, or anything like this. Any thoughts? Am I confused about how this works? My understanding of how the default domain works is based on this RHEL article: https://access.redhat.com/solutions/1984483
To clarify, my previous message, the proposed configuration would be for a linux Samba file server bound to the domain, not the DC, for which, I believe, it is not recommended to use the RFC2307 mappings (also not sure why this is, but since I'm not letting uses login in to the DC, it doesn't matter much). On 9/19/21 1:16 PM, Patrick Goetz via samba wrote:> Hi - > > This question is with reference to: > ?https://wiki.samba.org/index.php/Idmap_config_ad > > I think I know how this works, but there are still points of confusion. > Given the example smb.conf file provided on the page referenced above: > > [global] section of smb.conf: > ------------------------------------- > ? security = ADS > ? workgroup = SAMDOM > ? realm = SAMDOM.EXAMPLE.COM > > ? log file = /var/log/samba/%m.log > ? log level = 1 > > ? # Default ID mapping configuration for local BUILTIN accounts > ? # and groups on a domain member. The default (*) domain: > ? # - must not overlap with any domain ID mapping configuration! > ? # - must use a read-write-enabled back end, such as tdb. > ? idmap config * : backend = tdb > ? idmap config * : range = 3000-7999 > ? # - You must set a DOMAIN backend configuration > ? # idmap config for the SAMDOM domain > ? idmap config SAMDOM:backend = ad > ? idmap config SAMDOM:schema_mode = rfc2307 > ? idmap config SAMDOM:range = 10000-999999 > ? idmap config SAMDOM:unix_nss_info = yes > > ? vfs objects = acl_xattr > ? map acl inherit = yes > ? store dos attributes = yes > ------------------------------------- > > I believe "Default domain" is a bit of a misnomer referring to accounts > that are identified by nss before it gets to winbind or sssd; i.e. > accounts found in /etc/passwd. So on this system (assuming no other > directory services are configured), UIDs 3000-7999 are available for use > in /etc/passwd. What I don't understand is why you're assigning a tdb > backend to this when the authentication is going to be handled by > pam_unix rather than pam_windbind.? That's the main point of confusion. > > > Second, I'm assuming these 2 lines: > > ? idmap config SAMDOM:schema_mode = rfc2307 > ? idmap config SAMDOM:range = 10000-999999 > > Refer to the values that can be set for the uidNumber attribute in the > Active Directory database and further that users authenticating on this > linux system will have the UIDs and GIDs specified in the uidNumber and > gidNumber attributes associated with their user record. > > It seems like you don't necessarily need: > > ? idmap config SAMDOM:unix_nss_info = yes > > if everyone uses the same default shell and has the same home directory > path; i.e. if these can be set using a global template. > > Based on the correctness of the above, I"m converting a small NT domain > to Active Directory (by hand).? The environment has several linux > machines with local UIDs assigned in the 1001-2000 range (but with the > UIDs the same across the linux hosts).? Since I don't plan to bind most > of the linux machines to the domain (there is a vague user-driven > business case for this), I would like the authorization to work the same > for Samba shares to AD bound Windows machines and the standalone linux > workstations, since these systems mount the same remote filesystems via > either SMB or NFS in the case of the linux systems. So my thought is to > do something like this: > > portion of [global] section of smb.conf > ------------------------------------- > idmap config * : backend = tdb > idmap config * : range = 2000-2999 > # - You must set a DOMAIN backend configuration > # idmap config for the SAMDOM domain > idmap config SAMDOM:backend = ad > idmap config SAMDOM:schema_mode = rfc2307 > idmap config SAMDOM:range = 1001-1999 > ------------------------------------- > > Again, very unclear why I'm configuring a tdb database for local > accounts, if my understanding of how this works is correct. This would > reserve the UIDs 2000-2999 for potential local use, while creating an AD > UID mapping that seamlessly works with the existing linux systems. Then > if I do end up binding some of these linux machines to the domain, > everything just works with no acl mapping, or anything like this. > > Any thoughts?? Am I confused about how this works?? My understanding of > how the default domain works is based on this RHEL article: > https://access.redhat.com/solutions/1984483 > > > >
On Sun, 2021-09-19 at 13:16 -0500, Patrick Goetz via samba wrote:> Hi - > > This question is with reference to: > https://wiki.samba.org/index.php/Idmap_config_ad > > I think I know how this works, but there are still points of > confusion. > Given the example smb.conf file provided on the page referenced > above: > > [global] section of smb.conf: > ------------------------------------- > security = ADS > workgroup = SAMDOM > realm = SAMDOM.EXAMPLE.COM > > log file = /var/log/samba/%m.log > log level = 1 > > # Default ID mapping configuration for local BUILTIN accounts > # and groups on a domain member. The default (*) domain: > # - must not overlap with any domain ID mapping configuration! > # - must use a read-write-enabled back end, such as tdb. > idmap config * : backend = tdb > idmap config * : range = 3000-7999 > # - You must set a DOMAIN backend configuration > # idmap config for the SAMDOM domain > idmap config SAMDOM:backend = ad > idmap config SAMDOM:schema_mode = rfc2307 > idmap config SAMDOM:range = 10000-999999 > idmap config SAMDOM:unix_nss_info = yes > > vfs objects = acl_xattr > map acl inherit = yes > store dos attributes = yes > ------------------------------------- > > I believe "Default domain" is a bit of a misnomer referring to > accounts > that are identified by nss before it gets to winbind or sssd;You cannot use sssd with Samba.> i.e. > accounts found in /etc/passwd.No, they are for the AD BUILTIN domain and are not in etc/passwd or /etc/group> So on this system (assuming no other > directory services are configured), UIDs 3000-7999 are available for > use > in /etc/passwd.No, you cannot use that range in /etc/passwd or /etc/group> What I don't understand is why you're assigning a tdb > backend to this when the authentication is going to be handled by > pam_unix rather than pam_windbind. That's the main point of > confusion.That it is where your confusion starts, the ranges set in smb.conf are not handled by pam_unix, they are handled by pam_winbind or pam_krb5> > > Second, I'm assuming these 2 lines: > > idmap config SAMDOM:schema_mode = rfc2307 > idmap config SAMDOM:range = 10000-999999 > > Refer to the values that can be set for the uidNumber attribute in > the > Active Directory database and further that users authenticating on > this > linux system will have the UIDs and GIDs specified in the uidNumber > and > gidNumber attributes associated with their user record.Yes, but whilst the users & groups are authenticated by Samba AD, they are also Unix users & groups> > It seems like you don't necessarily need: > > idmap config SAMDOM:unix_nss_info = yesYou only require this setting if you want to use a specific login shell & home directory per user> > if everyone uses the same default shell and has the same home > directory > path; i.e. if these can be set using a global template. > > Based on the correctness of the above,I think you may need to rethink your ranges etc. Also are you aware that Samba has a way to upgrade an NT4-style domain to an AD domain ?> I"m converting a small NT domain > to Active Directory (by hand). The environment has several linux > machines with local UIDs assigned in the 1001-2000 range (but with > the > UIDs the same across the linux hosts). Since I don't plan to bind > most > of the linux machines to the domain (there is a vague user-driven > business case for this),I would rethink this, it is always better to join machines to the domain.> I would like the authorization to work the same > for Samba shares to AD bound Windows machines and the standalone > linux > workstations,Good luck with that, it is probably impossible to get the same numeric ID's on unjoined machines.> since these systems mount the same remote filesystems via > either SMB or NFS in the case of the linux systems. So my thought is > to > do something like this: > > portion of [global] section of smb.conf > ------------------------------------- > idmap config * : backend = tdb > idmap config * : range = 2000-2999 > # - You must set a DOMAIN backend configuration > # idmap config for the SAMDOM domain > idmap config SAMDOM:backend = ad > idmap config SAMDOM:schema_mode = rfc2307 > idmap config SAMDOM:range = 1001-1999That will allow you ONE local Unix user and 1998 AD Unix users I wouldn't recommended it.> ------------------------------------- > > Again, very unclear why I'm configuring a tdb database for local > accounts, if my understanding of how this works is correct.You aren't and, unfortunately, it appears you do not understand how it works.> This would > reserve the UIDs 2000-2999 for potential local use, while creating an > AD > UID mapping that seamlessly works with the existing linux systems. > Then > if I do end up binding some of these linux machines to the domain, > everything just works with no acl mapping, or anything like this.If you are using the winbind 'ad' backend, then there is no acl mapping.> > Any thoughts? Am I confused about how this works? My understanding > of > how the default domain works is based on this RHEL article: > https://access.redhat.com/solutions/1984483 >Try reading our documentation: https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member https://wiki.samba.org/index.php/Idmap_config_ad If you still do not understand something, please ask. I personally would ignore what you have now and set up a new AD domain and wouldn't use standalone servers, I would join everything to the domain. Rowland