Michael Brown
2013-Dec-11 22:04 UTC
[Samba] Using samba4 with AD and rfc2307 - what are the *current* practices?
I would like to get samba4 working with AD and rfc2307 attributes, while allowing the nice remote management available via samba4. Using sernet-samba packages on 4.1.3-7.el6.x86_64 CentOS 6.

I have samba4 configured as follows:

krb5.conf:

    [libdefaults]
    default_realm = MAIN.ADLAB.NETDIRECT.CA
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true

smb.conf was partially generated by authconfig and is:

    [global]
    #--authconfig--start-line--
    # Generated by authconfig on 2013/12/11 13:33:41
    # DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
    # Any modification may be deleted or altered by authconfig in future
    workgroup = MAIN
    realm = MAIN.ADLAB.NETDIRECT.CA
    security = ads
    idmap config * : range = 16777216-33554431
    winbind use default domain = true
    winbind offline logon = true
    #--authconfig--end-line--
    winbind enum users = yes
    winbind enum groups = yes
    idmap config MAIN:backend = ad
    idmap config MAIN:schema_mode = rfc2307
    idmap config MAIN:range = 10000-100000
    winbind nss info = rfc2307
    #template shell
    #template homedir

    [stuff]
    path = /var/stuff
    read only = No

For reference, I also mention my RODC configured with:

    # Global parameters
    [global]
    workgroup = MAIN
    realm = main.adlab.netdirect.ca
    netbios name = SLES-BREE
    server role = active directory domain controller
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate

    [netlogon]
    path = /var/lib/samba/sysvol/main.adlab.netdirect.ca/scripts
    read only = No

    [sysvol]
    path = /var/lib/samba/sysvol
    read only = No

I have a couple of problems:

1. With winbind set up like so, Administrator can no longer administer the server (manage share permissions, printers, etc.) like he can without.
   * More specifically, on my RODC box I can set up a share and browse to it as an admin (or someone with the appropriate privilege) and manage the permissions.
   * With winbind configured, I don't have a uidNumber assigned to Administrator and thus he can't log in to the server.
   * If I assign Administrator a uid, he can then log in, but cannot administer the shares.
   * What is the correct thing to do here to get the seamless remote administration and winbind both working?

2. On the same server, I'm getting some extraneous group information:

    [admin at files ~]$ id michael
    uid=50000(michael) gid=10000(domain users) groups=10000(domain users),10001(delegated shire administrators),16777222(BUILTIN\users)
    [admin at files ~]$ getent passwd michael
    michael:*:50000:10000::/home/michael:/bin/bash

   Not a huge deal, but would it make sense to map the well-known BUILTIN accounts somewhere consistent?

    idmap config BUILTIN : backend = rid
    idmap config BUILTIN : range = 9000-9999

3. Non-NIS groups are not filtered:

    [admin at files ~]$ wbinfo -r sohnro
    10000
    -1
    -1
    16777222
    [admin at files ~]$ id sohnro
    uid=50015(sohnro) gid=10000(domain users) groups=10000(domain users),4294967295,4294967295,16777222(BUILTIN\users)
    [admin at files ~]$ getent passwd sohnro
    sohnro:*:50015:10000:SohnRo:/home/SohnRo:/bin/sh

   Winbind is reporting AD groups that do not have a gidNumber as -1. Shouldn't these just be filtered out from the group membership list reported back to Linux?

M.
--
Michael Brown            | `One of the main causes of the fall of
Systems Consultant       | the Roman Empire was that, lacking zero,
Net Direct Inc.          | they had no way to indicate successful
?: +1 519 883 1172 x5106 | termination of their C programs.' - Firth
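The two symptoms in points 2 and 3 (a BUILTIN group landing in the `*` default range, and groups without a gidNumber coming back as -1 / 4294967295) are easy to spot by hand on one user but tedious across a whole domain. The following is an added example, not code from the post or from Samba: a small audit script that takes the idmap ranges from the smb.conf above, parses `id` output lines (the two sample lines are the ones quoted in the post), classifies every numeric ID against the configured ranges, and reports unmapped groups, IDs allocated from the `*` default range rather than from AD, and overlapping ranges. The backend of the `*` domain is not stated in the post's smb.conf, so the script assumes Samba's default, tdb.

```python
import re

# idmap ranges as configured in the smb.conf quoted in the post.
# The "*" default domain's backend is not given there; tdb (Samba's default) is assumed.
IDMAP_RANGES = {
    "MAIN": (10000, 100000, "ad"),
    "*": (16777216, 33554431, "tdb"),
}

# What winbind returns for an AD group with no gidNumber under schema_mode = rfc2307:
# `wbinfo -r` prints -1, `id` prints the unsigned 32-bit wrap-around 4294967295.
UNMAPPED = {-1, 4294967295}

# `id` output lines quoted in the post (constructed sample input for this script).
SAMPLE_ID_LINES = [
    "uid=50000(michael) gid=10000(domain users) groups=10000(domain users),"
    "10001(delegated shire administrators),16777222(BUILTIN\\users)",
    "uid=50015(sohnro) gid=10000(domain users) groups=10000(domain users),"
    "4294967295,4294967295,16777222(BUILTIN\\users)",
]

# Field splitter that tolerates spaces inside group names such as "domain users".
_FIELD_RE = re.compile(r"(uid|gid|groups)=(.*?)(?=\s+(?:uid|gid|groups)=|\s*$)")
# One "number(name)" entry; the name part is optional, as in the 4294967295 entries.
_ENTRY_RE = re.compile(r"(\d+)(?:\(([^)]*)\))?")


def parse_id_line(line):
    """Split one `id` output line into user name, uid, primary gid and (gid, name) pairs."""
    fields = dict(_FIELD_RE.findall(line))
    uid, uname = _ENTRY_RE.match(fields["uid"]).groups()
    gid, _ = _ENTRY_RE.match(fields["gid"]).groups()
    groups = [(int(n), name or None) for n, name in _ENTRY_RE.findall(fields.get("groups", ""))]
    return {"user": uname, "uid": int(uid), "gid": int(gid), "groups": groups}


def classify(number, ranges=IDMAP_RANGES):
    """Name the idmap domain and backend a numeric ID falls into, or flag it as unmapped."""
    if number in UNMAPPED:
        return "unmapped"
    for domain, (low, high, backend) in ranges.items():
        if low <= number <= high:
            return "%s:%s" % (domain, backend)
    return "outside-all-ranges"


def check_ranges(ranges=IDMAP_RANGES):
    """Return pairs of idmap domains whose ranges overlap; smb.conf requires them to be disjoint."""
    items = sorted(ranges.items(), key=lambda kv: kv[1][0])
    overlaps = []
    for (d1, (_, hi1, _)), (d2, (lo2, _, _)) in zip(items, items[1:]):
        if lo2 <= hi1:
            overlaps.append((d1, d2))
    return overlaps


def audit(line, ranges=IDMAP_RANGES):
    """Parse one `id` line and return (record, findings) for an admin to act on."""
    rec = parse_id_line(line)
    findings, seen = [], set()
    if classify(rec["uid"], ranges) in ("unmapped", "outside-all-ranges"):
        findings.append("uid %d: not mapped from a configured AD range" % rec["uid"])
    for gid, name in rec["groups"]:
        if gid in seen:
            continue  # the same unmapped group can appear several times
        seen.add(gid)
        where = classify(gid, ranges)
        if where == "unmapped":
            findings.append("gid %d: AD group without gidNumber leaks into the token" % gid)
        elif where.startswith("*:"):
            findings.append("gid %d (%s): allocated from the '*' default range, not from AD"
                            % (gid, name or "?"))
        elif where == "outside-all-ranges":
            findings.append("gid %d: not in any configured idmap range" % gid)
    return rec, findings


if __name__ == "__main__":
    for d1, d2 in check_ranges():
        print("overlapping idmap ranges: %s and %s" % (d1, d2))
    for line in SAMPLE_ID_LINES:
        rec, findings = audit(line)
        print("%s (uid %d):" % (rec["user"], rec["uid"]))
        for f in findings:
            print("  " + f)
```

Feeding it `id` lines for every user (for example from `getent passwd | cut -d: -f1 | xargs -n1 id`) gives a domain-wide list of groups that still need a gidNumber, and adding a `BUILTIN` entry to `IDMAP_RANGES` lets you confirm in advance that the 9000-9999 rid range proposed above does not collide with the existing ones.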
steve
2013-Dec-12 08:12 UTC
[Samba] Using samba4 with AD and rfc2307 - what are the *current* practices?
On Wed, 2013-12-11 at 17:04 -0500, Michael Brown wrote:
> * what is the correct thing to do here to get the seamless remote
> administration and winbind both working?
>

winbind doesn't work on the DC. To do what you wish to do, add:

    uidNumber: 1234567

to the DN of Administrator and use sssd or nslcd to extract the information _directly_ from AD. Same on your remote client.

There are Samba4 howtos for sssd and nslcd.

HTH
Steve
L.P.H. van Belle
2013-Dec-12 08:15 UTC
[Samba] Using samba4 with AD and rfc2307 - what are the *current* practices?
And remember sssd is NOT compatible with sernet samba. Just a reminder.

>-----Original message-----
>From: steve at steve-ss.com [mailto:samba-bounces at lists.samba.org]
>On behalf of steve
>Sent: Thursday, 12 December 2013 9:13
>To: samba at lists.samba.org
>Subject: Re: [Samba] Using samba4 with AD and rfc2307 - what
>are the *current* practices?
>
>On Wed, 2013-12-11 at 17:04 -0500, Michael Brown wrote:
>
>> * what is the correct thing to do here to get the seamless remote
>> administration and winbind both working?
>>
>
>winbind doesn't work on the DC. To do what you wish to do, add:
>uidNumber: 1234567
>to the DN of Administrator and use sssd or nslcd to extract the
>information _directly_ from AD. Same on your remote client.
>
>There are Samba4 howtos for sssd and nslcd.
>
>HTH
>Steve