john
2015-Apr-17 22:48 UTC
[Samba] NSLCD works, do I need RFC2307 extensions enabled in AD as well?
Hello all,

I've just installed Samba 3.6.6 from the Debian Stable repo. I want to use this linux box as an smb file server for windows clients.

I installed NSLCD to allow users in AD to authenticate against my linux server per https://wiki.samba.org/index.php/Local_user_management_and_authentication/nslcd

getent passwd and getent group return domain users with UID mappings like:

tempuser@vanguard.mydomain.org:*:16043:16043:temp user:/home/VANGUARD/tempuser:/bin/bash

Those same users can log into the linux box with their domain credentials via ssh and create files owned by them.

However I can't figure out how to configure Samba to allow these same users to access a samba file share via a windows 7 client. I thought that Samba would check /etc/nsswitch.conf like other services and use ldap just like ssh would.

The relevant part of my nsswitch.conf file looks like:

passwd: compat ldap
group: compat ldap
shadow: compat ldap

Do I need to install RFC2307 extensions per https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC#Administer_Unix_Attributes_in_Active_Directory

and then add something like the following to my smb.conf file?

idmap config DOMAIN:backend = ad
winbind nss info = sfu

Any advice is appreciated!

Thanks!

John
Andrey Repin
2015-Apr-17 23:54 UTC
[Samba] NSLCD works, do I need RFC2307 extensions enabled in AD as well?
Greetings, john!

> I've just installed Samba 3.6.6 from the Debian Stable repo. I want to use
> this linux box as a smb file server for windows clients.
>
> I installed NSLCD to allow users in AD to authenticate against my linux
> server per
> https://wiki.samba.org/index.php/Local_user_management_and_authentication/nslcd
>
> getent passwd and getent group returns domain users with UID mappings like:
>
> tempuser@vanguard.mydomain.org:*:16043:16043:temp
> user:/home/VANGUARD/tempuser:/bin/bash
>
> Those same users can log into the linux box with their domain credentials
> via ssh and create files owned by them
>
> However I can't figure out how to configure Samba to allow these same users
> to access a samba file share via a windows 7 client. I thought that Samba
> would check /etc/nsswitch.conf like other services and use ldap just like
> ssh would.
>
> the relevant part of my nsswitch.conf file looks like:
>
> passwd: compat ldap
> group: compat ldap
> shadow: compat ldap

This is for POSIX users. Samba has nothing to do with them, other than to map
Windows users to POSIX uids sometimes.
Normally, Samba servers communicate with each other directly, without falling
down to POSIX layer.

> Do I need to install RFC2307 extensions per
> https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC#Administer_Unix_Attributes_in_Active_Directory

You have to tell a little more about your setup, to begin with.

> and then add something like the following to my smb.conf file?
>
> idmap config DOMAIN:backend = ad
> winbind nss info = sfu
>
> Any advice is appreciated!

No advice before I know what you actually have on hand.
I'm not breaking other people's systems for fun.


-- 
With best regards,
Andrey Repin
Saturday, April 18, 2015 02:47:31

Sorry for my terrible English...
Rowland Penny
2015-Apr-18 08:43 UTC
[Samba] NSLCD works, do I need RFC2307 extensions enabled in AD as well?
On 17/04/15 23:48, john wrote:
> Hello all,
>
> I've just installed Samba 3.6.6 from the Debian Stable repo. I want to use
> this linux box as a smb file server for windows clients.

Is this wheezy? If so, it might be an idea to use backports, this will get you 4.1.17 which is still in development, 3.6 is now EOL.

> I installed NSLCD to allow users in AD to authenticate against my linux
> server per
> https://wiki.samba.org/index.php/Local_user_management_and_authentication/nslcd

Why use nslcd? Why not use winbind, see: https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server

> getent passwd and getent group returns domain users with UID mappings like:
>
> tempuser@vanguard.mydomain.org:*:16043:16043:temp
> user:/home/VANGUARD/tempuser:/bin/bash

Well, that's wrong for a start, you seem to be getting the user's principal name, it should look like:

rowland:*:10000:10000::/home/rowland:/bin/bash

This is the userPrincipalName attribute for the user above:

userPrincipalName: rowland@example.com

> Those same users can log into the linux box with their domain credentials
> via ssh and create files owned by them
>
> However I can't figure out how to configure Samba to allow these same users
> to access a samba file share via a windows 7 client. I thought that Samba
> would check /etc/nsswitch.conf like other services and use ldap just like
> ssh would.

No, this is down to whatever you are using for authentication. Can you post your smb.conf?

Rowland

> the relevant part of my nsswitch.conf file looks like:
>
> passwd: compat ldap
> group: compat ldap
> shadow: compat ldap
>
> Do I need to install RFC2307 extensions per
> https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC#Administer_Unix_Attributes_in_Active_Directory
>
> and then add something like the following to my smb.conf file?
>
> idmap config DOMAIN:backend = ad
> winbind nss info = sfu
>
> Any advice is appreciated!
>
> Thanks!
>
> John
john
2015-Apr-20 16:37 UTC
[Samba] NSLCD works, do I need RFC2307 extensions enabled in AD as well?
Hello Andrey, thanks for the reply! I apologize for my delayed response!

On Fri, Apr 17, 2015 at 4:54 PM, Andrey Repin <anrdaemon@yandex.ru> wrote:

> Greetings, john!
>
> This is for POSIX users. Samba has nothing to do with them, other than to map
> Windows users to POSIX uids sometimes.
> Normally, Samba servers communicate with each other directly, without falling
> down to POSIX layer.
>
> > Do I need to install RFC2307 extensions per
> > https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC#Administer_Unix_Attributes_in_Active_Directory
>
> You have to tell a little more about your setup, to begin with.

I am in the process of replacing an older Samba file server ver 3.5.6 running on Debian 6. This file server uses winbind with the idmap_rid method for user mapping. It's been working well for 8 years or so.

We have several Windows Domain Controllers running Win2K8R2 and a couple running 2012R2. We have a single domain. I'd like the new Samba server to be a member rather than a PDC. I have successfully joined this server to the domain via kerberos, but don't necessarily need to use kerberos as my auth method.

The reason I want to change from idmap_rid to an LDAP based method (hence NSLCD) is we are trying to standardize all user logons across all devices to use UPN names which have the format username@ourdomain.org

My understanding from this thread of last year https://lists.samba.org/archive/samba/2014-May/181372.html is that winbind doesn't support UPN names. I was hoping to work around it with NSLCD.

Here is my non-working smb.conf file for reference.

[global]
workgroup = VANGUARD
server string = sserve
passdb backend = ldapsam:ldap://kram.vanguard.mydomain.org
username map = /etc/samba/smbusers
syslog = 0
log file = /var/log/samba/%m
smb ports = 139 445
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
name cache timeout = 3600
max stat cache size = 16384
domain logons = Yes
preferred master = Auto
domain master = No
wins support = Yes
ldap idmap suffix = ou=Idmap
idmap config * : range = 10000-200000
ldapsam:trusted = yes
idmap config * : backend = ldap:ldap://kram.vanguard.mydomain.org
map acl inherit = Yes

[ALLSTUDENTS]
path = /home/ALLSTUDENTS
admin users = "@VANGUARD\domain admins"
read only = No
create mask = 0700
directory mask = 0700
delete readonly = Yes

I appreciate your help.

John
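A small check that ties together the two points raised in the replies above (the getent entry coming back as a UPN instead of a plain account name, and the idmap range declared in smb.conf). This is an added example, not code from any post in this thread: it parses the `idmap config <DOMAIN> : range` lines out of an smb.conf and then classifies getent passwd lines by whether the login name is UPN-shaped and whether the UID/GID fall inside that range. The smb.conf fragment is trimmed from the one posted above and the getent lines are constructed samples; the domain and host names are the placeholders used in the thread.

```python
"""Check NSS passwd entries against the idmap range declared in smb.conf.

Added example for this thread (not the project's or a poster's code). It
parses 'idmap config <DOMAIN> : range' out of an smb.conf and then checks
getent passwd lines for:
  1. whether the login name is a UPN (user@realm) rather than a plain
     account name, and
  2. whether UID and GID fall inside the configured idmap range.
The smb.conf fragment and the getent lines are constructed samples.
"""
import configparser
import re

# Constructed sample, trimmed from the smb.conf posted in the thread.
SMB_CONF = """\
[global]
workgroup = VANGUARD
passdb backend = ldapsam:ldap://kram.vanguard.mydomain.org
log file = /var/log/samba/%m
idmap config * : range = 10000-200000
idmap config * : backend = ldap:ldap://kram.vanguard.mydomain.org

[ALLSTUDENTS]
path = /home/ALLSTUDENTS
read only = No
"""

# Constructed sample getent output. The first line mirrors the thread's
# example; the other two are made up to exercise each check.
GETENT_PASSWD = """\
tempuser@vanguard.mydomain.org:*:16043:16043:temp user:/home/VANGUARD/tempuser:/bin/bash
rowland:*:10000:10000::/home/rowland:/bin/bash
svc-backup:*:9000:9000:Backup service:/srv/backup:/usr/sbin/nologin
"""

IDMAP_RANGE_KEY = re.compile(r"^idmap config\s+(.+?)\s*:\s*range$")


def parse_idmap_ranges(smb_conf_text):
    """Return {domain: (low, high)} for every 'idmap config X : range' key."""
    # smb.conf only uses '=' as the key/value separator; ':' appears inside
    # keys ('idmap config * : range') and URLs, so it must not be treated
    # as a delimiter. '%m' is a Samba macro, so interpolation is disabled.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep domain names in their original case
    cp.read_string(smb_conf_text)
    ranges = {}
    for key, value in cp["global"].items():
        m = IDMAP_RANGE_KEY.match(key.strip())
        if m:
            low, high = (int(x) for x in value.split("-"))
            ranges[m.group(1)] = (low, high)
    return ranges


def check_passwd_entry(line, idmap_range):
    """Classify one getent passwd line against a (low, high) idmap range."""
    name, _pw, uid, gid, _gecos, _home, _shell = line.split(":", 6)
    low, high = idmap_range
    return {
        "name": name,
        "is_upn": "@" in name,  # UPN-shaped login, as in the thread's example
        "uid_in_range": low <= int(uid) <= high,
        "gid_in_range": low <= int(gid) <= high,
    }


def audit(smb_conf_text, getent_text, domain="*"):
    """Check every getent line against the range for `domain`, else '*'."""
    ranges = parse_idmap_ranges(smb_conf_text)
    idmap_range = ranges.get(domain) or ranges["*"]
    return [check_passwd_entry(line, idmap_range)
            for line in getent_text.splitlines() if line.strip()]


if __name__ == "__main__":
    for r in audit(SMB_CONF, GETENT_PASSWD):
        flags = []
        if r["is_upn"]:
            flags.append("UPN-style name")
        if not (r["uid_in_range"] and r["gid_in_range"]):
            flags.append("uid/gid outside idmap range")
        print(f"{r['name']:40} {', '.join(flags) or 'ok'}")
```

Run it against the real files by replacing the two constructed strings with the contents of `/etc/samba/smb.conf` and the output of `getent passwd`; an entry flagged as UPN-style is the symptom Rowland points out, and an entry outside the range is one Samba will not be able to map with that idmap configuration.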
Rowland Penny
2015-Apr-20 17:29 UTC
[Samba] NSLCD works, do I need RFC2307 extensions enabled in AD as well?
On 20/04/15 17:45, john wrote:
>
> > Is this wheezy? If so, it might be an idea to use backports, this
> > will get you 4.1.17 which is still in development, 3.6 is now EOL
>

OK, I understand a bit better where your problems lie. I would still use backports, supported code is (hopefully) better code :-)

> I'd be willing to do that if it got me support for UPN names (see below)
>
> > > I installed NSLCD to allow users in AD to authenticate against
> > > my linux server per
> > > https://wiki.samba.org/index.php/Local_user_management_and_authentication/nslcd
> >
> > Why use nslcd? Why not use winbind, see:
> > https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>
> My impression from this thread
> https://lists.samba.org/archive/samba/2014-May/181372.html
> is that Winbind doesn't support UPN names. This was my lame-brain
> attempt to "work around" that issue.

I use winbind and using the UPN seems to work for smbclient:

smbclient \\\\xp.example.com\\shared -Urowland@example.com
Enter rowland@example.com's password:
Domain=[EXAMPLE] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]
smb: \>

Is this the way you mean?

Rowland

> > > getent passwd and getent group returns domain users with UID
> > > mappings like:
> > >
> > > tempuser@vanguard.mydomain.org:*:16043:16043:temp
> > > user:/home/VANGUARD/tempuser:/bin/bash
> >
> > Well, that's wrong for a start, you seem to be getting the user's
> > principal name, it should look like:
>
> I need to support UPN names for my scheme to work.
>
> > > Those same users can log into the linux box with their domain
> > > credentials via ssh and create files owned by them
> > >
> > > However I can't figure out how to configure Samba to allow
> > > these same users to access a samba file share via a windows 7
> > > client. I thought that Samba would check /etc/nsswitch.conf
> > > like other services and use ldap just like ssh would.
> >
> > No, this is down to whatever you are using for authentication. Can
> > you post your smb.conf?
>
> Here is my non-working smb.conf file for reference.
>
> Thanks for your help.
>
> John
>
> [global]
> workgroup = VANGUARD
> server string = sserve
> passdb backend = ldapsam:ldap://kram.vanguard.mydomain.org
> username map = /etc/samba/smbusers
> syslog = 0
> log file = /var/log/samba/%m
> smb ports = 139 445
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> name cache timeout = 3600
> max stat cache size = 16384
> domain logons = Yes
> preferred master = Auto
> domain master = No
> wins support = Yes
> ldap idmap suffix = ou=Idmap
> idmap config * : range = 10000-200000
> ldapsam:trusted = yes
> idmap config * : backend = ldap:ldap://kram.vanguard.mydomain.org
> map acl inherit = Yes
>
> [ALLSTUDENTS]
> path = /home/ALLSTUDENTS
> admin users = "@VANGUARD\domain admins"
> read only = No
> create mask = 0700
> directory mask = 0700
> delete readonly = Yes
>
john
2015-Apr-20 19:50 UTC
[Samba] NSLCD works, do I need RFC2307 extensions enabled in AD as well?
Hi Rowland,

On Mon, Apr 20, 2015 at 10:29 AM, Rowland Penny <rowlandpenny@googlemail.com> wrote:

> OK, I understand a bit better where your problems lie. I would still use
> backports, supported code is (hopefully) better code :-)

I am certainly willing to do that.

>> I'd be willing to do that if it got me support for UPN names (see below)
>>
>> I installed NSLCD to allow users in AD to authenticate against
>> my linux server per
>> https://wiki.samba.org/index.php/Local_user_management_and_authentication/nslcd
>>
>> Why use nslcd? Why not use winbind, see:
>> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>>
>> My impression from this thread
>> https://lists.samba.org/archive/samba/2014-May/181372.html
>> is that Winbind doesn't support UPN names. This was my lame-brain
>> attempt to "work around" that issue.
>
> I use winbind and using the UPN seems to work for smbclient:
>
> smbclient \\\\xp.example.com\\shared -Urowland@example.com
> Enter rowland@example.com's password:
> Domain=[EXAMPLE] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]
> smb: \>
>
> Is this the way you mean?

Well that appears to be what I want, but that doesn't work in my case. Can I see the smb.conf file?

As I mentioned my PDC is a Windows box and this Samba server is a member server. I am trying to keep this as simple as possible.

Since I am able to see UID/GID information via the method outlined on the Samba wiki https://wiki.samba.org/index.php/Local_user_management_and_authentication/nslcd#Method_1:_Connecting_to_AD_via_Bind_DN_and_password it seems like the missing part is getting winbind to use that information.

Can you guide me on the proper approach?

Thanks!

John