Wayne L. Andersen
2013-Oct-19 00:09 UTC
[Samba] Samba 4 Consistent uid gid mapping across servers.
I have 3 Samba 4 Domain Controllers and 1 Member server, been running in
production for almost a year and very pleased with the results so far.
I have winbind installed and working on all of my servers and I am also
quite happy with that as well, except that the inconsistent uid and gid
mapping is starting to cause some problems for me.
I have done a fair bit of research and I think I would like to try
implementing rfc2307 and using nss_pam_ldap.
I am pretty comfortable with setting that up.
My question is, that since I did not specify rfc2307 when I originally
provisioned the domain what is going to be the effect if I try to use it
after the fact.
First does the schema need to be extended, or is it already present and
just needs to be activated by adding the rfc2307 options to my existing
smb.conf, and then restart.
If not what is the best way to extend it, can I do it from my
windows server 2003 by adding the "Identity Management for UNIX" role?
Or are there other tools to accomplish this. I am using the internal
DNS for Samba.
Second assuming I can get it extended and working, I am assuming that I
will have to manually update existing unix objects that are already
owned by the old random uid and gid to the new values.
Creating a script for this should not be that big of a problem
since the majority of my users are not actually logging into the Linux
machines.
So for the most part it will just be folders and files.
I already have a script for setting and re-setting permissions
based on the info retrieved from winbind.
What do you think?
--
Wayne Andersen
On Fri, 2013-10-18 at 18:09 -0600, Wayne L. Andersen wrote:
> I have 3 Samba 4 Domain Controllers and 1 Member server, been running in
> production for almost a year and very pleased with the results so far.
>
> I have winbind installed and working on all of my servers and I am also
> quite happy with that as well, except that the inconsistent uid and gid
> mapping is starting to cause some problems for me.
>
> I have done a fair bit of research and I think I would like to try
> implementing rfc2307 and using nss_pam_ldap.

May I recommend instead nslcd/nss-ldapd or, even better, sssd? The latter now has a superb ad backend.

> I am pretty comfortable with setting that up.
>
> My question is, that since I did not specify rfc2307 when I originally
> provisioned the domain what is going to be the effect if I try to use it
> after the fact.

No problem. You can use the full set of rfc2307 attributes perfectly well without it.

> First does the schema need to be extended, or is it already present and
> just needs to be activated by adding the rfc2307 options to my existing
> smb.conf, and then restart.

It is already present in the 2008R2 schema that is shipped out of the box with Samba.

> If not what is the best way to extend it, can I do it from my
> windows server 2003 by adding the "Identity Management for UNIX" role?
> Or are there other tools to accomplish this. I am using the internal
> DNS for Samba.
>
> Second assuming I can get it extended and working, I am assuming that I
> will have to manually update existing unix objects that are already
> owned by the old random uid and gid to the new values.

Yes. You will need to add any rfc2307 attrs you wish to include along with the other details under the DN of the user or group.

> Creating a script for this should not be that big of a problem
> since the majority of my users are not actually logging into the Linux
> machines.

Not a big deal. You can use wbinfo -i to pull the info for uidNumber and gidNumber and ldbmodify.

But be warned: do this on a _single_ DC and add:

idmap_ldb:use rfc2307 = Yes

to smb.conf on all your DC's afterwards. Give the other DC's plenty of time to replicate after you run your script. Don't forget to change to idmap config ad on the file servers too.

> So for the most part it will just be folders and files.
> I already have a script for setting and re-setting permissions
> based on the info retrieved from winbind.
>
> What do you think?

Great idea. Storing all the attributes for all objects in a single place is most certainly better than separating just some of the attributes elsewhere in another database. Keep it simple.

Good luck,
Steve
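Steve's suggested pipeline (pull the winbind-assigned uid and gid with wbinfo -i, then feed ldbmodify on a single DC) is easy to get subtly wrong by hand. The script below is an added example, not code from the thread or the Samba project: it parses the passwd-style lines that `wbinfo -i <user>` prints, refuses to continue if two users would end up sharing a uidNumber, and emits one LDIF modify record per user. The domain DN, the assumption that each user's CN equals the full-name field reported by winbind, and the sample wbinfo lines are all constructed for the example.

```python
"""Turn 'wbinfo -i' output into LDIF modify records that add the rfc2307
posixAccount attributes (uidNumber, gidNumber) to existing AD users.

Added example, not code from the thread or from the Samba project. It
assumes the passwd-style line format that 'wbinfo -i <user>' prints
(DOMAIN\\user:*:uid:gid:gecos:home:shell) and an example domain DN.
"""
import re
import subprocess

# Assumption for the example: users live directly under the domain DN,
# and the AD CN is the full name winbind reports in the gecos field.
DOMAIN_DN = "DC=corp,DC=samdom,DC=com"

# Constructed sample of 'wbinfo -i' output, one line per user.
SAMPLE_WBINFO = """\
CORP\\someuser:*:10099:100:Some User:/home/CORP/someuser:/bin/false
CORP\\jdoe:*:10100:100:Jane Doe:/home/CORP/jdoe:/bin/false
"""


def parse_wbinfo_line(line):
    """Split one passwd-style wbinfo line into (name, uid, gid, gecos)."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError("unexpected wbinfo -i line: %r" % line)
    name = fields[0].split("\\", 1)[-1]          # drop the DOMAIN\ prefix
    return name, int(fields[2]), int(fields[3]), fields[4]


def escape_rdn_value(value):
    """Escape an RDN attribute value per RFC 4514 so 'CN=Doe, John' is safe."""
    escaped = re.sub(r'([,+"\\<>;=])', r'\\\1', value)
    if escaped[:1] in ("#", " "):
        escaped = "\\" + escaped
    if escaped.endswith(" "):
        escaped = escaped[:-1] + "\\ "
    return escaped


def user_ldif(cn, uid, gid, container=DOMAIN_DN):
    """One LDIF change record adding posixAccount, uidNumber and gidNumber.

    'changetype: modify' is explicit so ldapmodify/ldbmodify never treat
    the record as an attempt to add a brand-new entry."""
    dn = "CN=%s,%s" % (escape_rdn_value(cn), container)
    return "\n".join([
        "dn: " + dn,
        "changetype: modify",
        "add: objectClass",
        "objectClass: posixAccount",
        "-",
        "add: uidNumber",
        "uidNumber: %d" % uid,
        "-",
        "add: gidNumber",
        "gidNumber: %d" % gid,
        "-",
        "",                      # blank line terminates the record
    ])


def ldif_from_wbinfo(text):
    """Build the LDIF for every line of wbinfo output.

    Emits nothing if two users map to the same uid: writing a duplicate
    uidNumber into AD would silently merge their file ownership on every
    server that switches to the rfc2307 mapping."""
    records, owner_of_uid = [], {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, uid, gid, gecos = parse_wbinfo_line(line)
        if uid in owner_of_uid:
            raise ValueError("uid %d claimed by both %s and %s"
                             % (uid, owner_of_uid[uid], name))
        owner_of_uid[uid] = name
        records.append(user_ldif(gecos, uid, gid))
    return "\n".join(records)


def wbinfo_output(users):
    """Run 'wbinfo -i' for each user on the DC whose mapping you want to keep."""
    return "".join(subprocess.check_output(["wbinfo", "-i", u], text=True)
                   for u in users)


if __name__ == "__main__":
    # Offline demo on the constructed sample; in practice pipe the output
    # into ldbmodify -H <sam.ldb> -U administrator on a single DC.
    print(ldif_from_wbinfo(SAMPLE_WBINFO))
```

Run it on the one DC whose winbind allocations you intend to keep, and only after the replication window Steve describes should the other DCs and the file servers be switched to the rfc2307 mapping; otherwise a user can briefly own files under two different ids.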
Wayne L. Andersen
2013-Oct-24 20:08 UTC
[Samba] Samba 4 Consistent uid gid mapping across servers.
Please make good backups before doing any of this, and make sure you
double check your edits. This can trash your schema if you are careless.
I was able to get this working by editing the
/usr/local/src/samba-4.1.0/source4/setup/ypServ30.ldif file to match my
domain.
I had to change the macros in the file to match my domain:
${DOMAINDN} = DC=CORP,DC=SAMDOM,DC=COM
${NISDOMAIN} = CN=CORP
${NETBIOSNAME} = CORP
Be careful to make sure to get these correct.
Then using this command to apply the changes.
/usr/local/samba/bin/ldbmodify \
    -H /usr/local/samba/private/sam.ldb.d/DC%3DCORP,DC%3DCLIMA-TECH,DC%3DCOM.ldb \
    -U administrator \
    /usr/local/src/samba-4.1.0/source4/setup/ypServ30.ldif
I then created an ldif for each user, this is actually automated via a
puppet script.
cat /tmp/someuser.ldif
dn: CN=Some User,DC=corp,DC=samdom,DC=com
# explicit changetype so ldapmodify/ldbmodify treat this as a modify, not an add
changetype: modify
add: objectClass
objectClass: posixAccount
-
add: gidNumber
gidNumber: 100
-
add: uidNumber
uidNumber: 10099
-
Merged that data like this:
ldapmodify -I -h 10.10.1.199 -f /tmp/someuser.ldif
Test to see if the data was entered properly with this.
bin/ldbsearch -H private/sam.ldb '(objectclass=posixaccount)'
I can then access this easily via ldap either directly for dovecot or
other apps and through nss-ldap.
I am going to write up a detailed post and put it on-line this weekend.
Wayne Andersen
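Wayne's ldbsearch query shows which entries got posixAccount, but it does not tell you whether any user was left without a uidNumber or gidNumber, or whether two users ended up with the same uid. The checker below is an added example, not code from the thread or the Samba project: it parses the LDIF-style output of `ldbsearch -H private/sam.ldb '(objectclass=posixaccount)'` (including folded continuation lines and `#` comment lines) and reports missing attributes and uid collisions before nss-ldap or sssd is pointed at the directory. The sample ldbsearch output is constructed for the example.

```python
"""Sanity-check the rfc2307 attributes returned by
  ldbsearch -H private/sam.ldb '(objectclass=posixAccount)'
before any server starts resolving ids from AD.

Added example, not code from the thread or the Samba project. Assumes
ldbsearch's LDIF-style output: records separated by blank lines, '#'
comment lines, and continuation lines starting with a single space.
"""
import base64
from collections import defaultdict

# Constructed sample: two users share uidNumber 10099, and the third (whose
# dn is folded across two lines) has no gidNumber at all.
SAMPLE_LDBSEARCH = """\
# record 1
dn: CN=Some User,DC=corp,DC=samdom,DC=com
objectClass: top
objectClass: user
objectClass: posixAccount
uidNumber: 10099
gidNumber: 100

# record 2
dn: CN=Jane Doe,DC=corp,DC=samdom,DC=com
objectClass: posixAccount
uidNumber: 10099
gidNumber: 100

# record 3
dn: CN=Long Name User With A Very Long Common Name,DC=corp,DC=samdom,DC=
 com
objectClass: posixAccount
uidNumber: 10101

# returned 3 records
# 3 entries
# 0 referrals
"""


def parse_ldif(text):
    """Return one {attribute: [values]} dict per record in LDIF text."""
    lines = []
    for raw in text.splitlines():          # unfold continuation lines
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    entries, current = [], None
    for line in lines:
        if line.startswith("#"):
            continue
        if not line.strip():               # blank line ends a record
            if current is not None:
                entries.append(current)
                current = None
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):          # 'attr:: <base64>' form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        if current is None:
            current = defaultdict(list)
        current[attr].append(value.strip())
    if current is not None:
        entries.append(current)
    return entries


def check_posix_entries(entries):
    """List problems that would break a consistent uid/gid mapping.

    Attribute names are compared as ldbsearch prints them (schema casing)."""
    problems = []
    owners_of_uid = defaultdict(list)
    for entry in entries:
        dn = entry.get("dn", ["<no dn>"])[0]
        if "posixAccount" not in entry.get("objectClass", []):
            continue
        for attr in ("uidNumber", "gidNumber"):
            if attr not in entry:
                problems.append("%s: missing %s" % (dn, attr))
        for uid in entry.get("uidNumber", []):
            owners_of_uid[uid].append(dn)
    for uid, dns in sorted(owners_of_uid.items()):
        if len(dns) > 1:
            problems.append("uidNumber %s shared by: %s" % (uid, "; ".join(dns)))
    return problems


if __name__ == "__main__":
    # Offline demo; feed real output with:
    #   bin/ldbsearch -H private/sam.ldb '(objectclass=posixaccount)' | python3 check.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDBSEARCH
    for problem in check_posix_entries(parse_ldif(text)):
        print(problem)
```

An empty problem list is the condition to wait for before changing the file servers to the ad idmap backend; a shared uidNumber is worse than a missing one, because the missing case simply fails to resolve while the shared case grants one user the other's files.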