john
2015-Apr-20 20:50 UTC
[Samba] NSLCD works, do I need RFC2307 extensions enabled in AD as well?
Thank you Rowland, so it looks like Kerberos should be my authentication method and that I'll need to install RFC2307 extensions in my Active Directory environment in order to use your approach. Your approach supports UPN names for access to shares and it also appears that I won't need to use nslcd at all. Does all of that sound correct to you?

Thanks again!

John

On Mon, Apr 20, 2015 at 1:17 PM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>> it seems like the missing part is getting winbind to use that information.
>> Can you guide me on the proper approach?
>>
>> Thanks!
>>
>> John
>
> OK, have a look here: https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>
> That is basically my smb.conf (and when I say 'my' I really mean that is 'my' smb.conf)
>
> Rowland
Rowland Penny
2015-Apr-20 21:01 UTC
[Samba] NSLCD works, do I need RFC2307 extensions enabled in AD as well?
On 20/04/15 21:50, john wrote:
> Thank you Rowland, so it looks like Kerberos should be my
> authentication method and that I'll need to install RFC2307 extensions
> in my Active Directory environment in order to use your approach. Your
> approach supports UPN names for access to shares and it also appears
> that I won't need to use nslcd at all. Does all of that sound correct
> to you?
>
> Thanks again!
>
> John
>
> On Mon, Apr 20, 2015 at 1:17 PM, Rowland Penny
> <rowlandpenny at googlemail.com> wrote:
>
>>> it seems like the missing part is getting winbind to use that information.
>>> Can you guide me on the proper approach?
>>>
>>> Thanks!
>>>
>>> John
>>
>> OK, have a look here: https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>>
>> That is basically my smb.conf (and when I say 'my' I really mean that is 'my' smb.conf)
>>
>> Rowland

I can only say that it works as I suggested against a Samba AD DC (and I tried it both ways) and I don't use anything other than Samba for authentication. I would suggest you try it on a test set up in a VM and if it works, go to production.

Rowland
john_s
2015-Apr-21 18:53 UTC
[Samba] NSLCD works, do I need RFC2307 extensions enabled in AD as well?
On 04/20/2015 02:01 PM, Rowland Penny wrote:
>
> I would suggest you try it on a test set up in a VM and if it works, go
> to production.
>
> Rowland
>

Hi Rowland,

Ok, I think I am pretty close. Still using Samba 3.3.6 since I couldn't seem to get Samba 4 to work from backports.

My sticking point right now is that winbind is mapping the wrong UID to my test user. I've set up the NIS domain in AD to correspond to my smb.conf file and I *think* I've correctly specified that UIDs should start at 10000; however, when I id a domain user, the mapping starts at 2000. I assume this means that winbind thinks that the user doesn't exist in the domain.

wbinfo -u and wbinfo -g work as expected.

wbinfo -n flyboy
S-1-5-21-3235454718-1405393322-4146969828-4087 SID_USER (1)

root at debian-tester:~# id flyboy
uid=2000(DEBIAN-TESTER\nobody) gid=2006(domain_users) groups=2001(DEBIAN-TESTER\none),2006(domain_users),2007(student_terminal_server),2008(all_students_users),2009(mcm_students),2010(students),2011(chromebooks),2012(2020)

root at debian-tester:~# getent passwd flyboy
flyboy:*:2000:2006:flyboy:/home/flyboy:/bin/sh

getent group "domain users"
domain_users:x:2006:gcallison

Here's my smb.conf file:

[global]
        workgroup = VANGUARD
        security = ADS
        realm = VANGUARD.MYDOMAIN.ORG
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab

        idmap config *:backend = tdb
        idmap config *:range = 2000-9999
        idmap config VANGUARD:backend = ad
        idmap config VANGUARD:schema_mode = rfc2307
        idmap config VANGUARD:range = 10000-99999

        log level = 1 idmap:10

        winbind nss info = rfc2307
        winbind trusted domains only = no
        winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes
        winbind refresh tickets = Yes
        winbind expand groups = 4
        winbind normalize names = Yes

        domain master = no
        local master = no

        vfs objects = acl_xattr
        map acl inherit = Yes
        store dos attributes = Yes

[ALLSTUDENTS]
        path = /home/ALLSTUDENTS
        # valid users = %S
        readonly = no
        writable = yes
        printable = no
        create mode = 0700
        directory mode = 0700

I turned up the logs for idmap, here's what I see:

log.winbindd-idmap: idmap range not specified for domain DEBIAN-TESTER
log.winbindd-idmap: gid [0] not mapped
log.winbindd-idmap: idmap backend ad not found
log.winbindd-idmap: gid [65534] not mapped
log.winbindd-idmap: Record S-1-5-21-2072017671-3909937455-2446232893-501 not found
log.winbindd-idmap: Record S-1-5-21-2072017671-3909937455-2446232893-513 not found
log.winbindd-idmap: Record S-1-5-21-2072017671-3909937455-2446232893-546 not found
log.winbindd-idmap: Record S-1-5-21-2072017671-3909937455-2446232893-501 not found
log.winbindd-idmap: Record S-1-5-21-2072017671-3909937455-2446232893-513 not found
log.winbindd-idmap: Record S-1-5-21-2072017671-3909937455-2446232893-546 not found
log.winbindd-idmap: uid [0] not mapped

Thanks for all of your help!

John
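A quick diagnostic for the situation John describes, added here as an example and not taken from the thread or from Samba itself: it reads the `idmap config <DOMAIN>:range` and `:backend` lines out of an smb.conf, tells you which configured range a uid from `id`/`getent` actually fell into, checks that the ranges do not overlap (Samba requires disjoint ranges per idmap domain), and flags any `idmap backend X not found` lines in the winbindd idmap log. The smb.conf, `id` output and log lines embedded below are copied from John's post; the function names and the `diagnose()` wrapper are this example's own.

```python
"""Classify a winbind-assigned uid against the idmap ranges in smb.conf.

Added example for this thread (not from the original posts or from Samba).
The config, `id` output and log lines below are copied from the post above;
everything else (function names, return shapes) is this example's own.
"""
import re

# smb.conf [global] idmap section from the post (constructed input for this example)
SMB_CONF = """
[global]
        workgroup = VANGUARD
        security = ADS
        idmap config *:backend = tdb
        idmap config *:range = 2000-9999
        idmap config VANGUARD:backend = ad
        idmap config VANGUARD:schema_mode = rfc2307
        idmap config VANGUARD:range = 10000-99999
        log level = 1 idmap:10
"""

# `id flyboy` output from the post
ID_OUTPUT = "uid=2000(DEBIAN-TESTER\\nobody) gid=2006(domain_users) groups=2001(DEBIAN-TESTER\\none),2006(domain_users)"

# winbindd idmap log lines from the post
LOG_LINES = """
log.winbindd-idmap: idmap range not specified for domain DEBIAN-TESTER
log.winbindd-idmap: idmap backend ad not found
log.winbindd-idmap: Record S-1-5-21-2072017671-3909937455-2446232893-513 not found
log.winbindd-idmap: uid [0] not mapped
"""

RANGE_RE = re.compile(r"^\s*idmap\s+config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)
BACKEND_RE = re.compile(r"^\s*idmap\s+config\s+(\S+?)\s*:\s*backend\s*=\s*(\S+)\s*$", re.I)
NOTFOUND_RE = re.compile(r"idmap backend (\S+) not found")
UID_RE = re.compile(r"\buid=(\d+)\(")


def parse_idmap_config(text):
    """Return {domain: {"backend": str, "range": (low, high)}} for each idmap domain."""
    cfg = {}
    for line in text.splitlines():
        m = RANGE_RE.match(line)
        if m:
            cfg.setdefault(m.group(1), {})["range"] = (int(m.group(2)), int(m.group(3)))
            continue
        m = BACKEND_RE.match(line)
        if m:
            cfg.setdefault(m.group(1), {})["backend"] = m.group(2)
    return cfg


def classify_id(cfg, num):
    """Return the idmap domain ('*' for the default) whose range contains num, else None."""
    for domain, entry in cfg.items():
        rng = entry.get("range")
        if rng and rng[0] <= num <= rng[1]:
            return domain
    return None


def overlapping_ranges(cfg):
    """Return (domain1, domain2) pairs whose ranges intersect; should be empty."""
    doms = [(d, e["range"]) for d, e in cfg.items() if "range" in e]
    bad = []
    for i, (d1, (lo1, hi1)) in enumerate(doms):
        for d2, (lo2, hi2) in doms[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                bad.append((d1, d2))
    return bad


def missing_backends(cfg, log_text):
    """Map each domain to its backend when the log says that backend could not be loaded."""
    not_found = set(NOTFOUND_RE.findall(log_text))
    return {d: e["backend"] for d, e in cfg.items() if e.get("backend") in not_found}


def uid_from_id_output(text):
    """Extract the numeric uid from `id` output."""
    m = UID_RE.search(text)
    return int(m.group(1)) if m else None


def diagnose(smb_conf=SMB_CONF, id_output=ID_OUTPUT, log_text=LOG_LINES):
    """Tie the checks together: where did the uid land, and did any backend fail to load?"""
    cfg = parse_idmap_config(smb_conf)
    uid = uid_from_id_output(id_output)
    return {
        "uid": uid,
        "uid_domain": classify_id(cfg, uid),
        "overlaps": overlapping_ranges(cfg),
        "missing_backends": missing_backends(cfg, log_text),
    }


if __name__ == "__main__":
    for key, value in diagnose().items():
        print(f"{key}: {value}")
```

Run against the thread's own data, the script reports that uid 2000 sits in the `*` (tdb) range rather than in `VANGUARD`'s 10000-99999, that the ranges themselves do not overlap, and that the log's `idmap backend ad not found` line corresponds to the `VANGUARD` domain's configured backend. That combination is the check worth making before touching the AD side: if the `ad` module never loads, the RFC2307 attributes in the directory are never consulted.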