samba - Apr 2015 - NSLCD works, do I need RFC2307 extensions enabled in AD as well?

Thank you Rowland, so it looks like kerberos should be my
authentication method and that I'll need to install rfc2307 extensions
in my Active Directory environment in order to use your approach. Your
approach supports UPN names for access to shares and It also appears
that I won't need to use nslcd at all. Does all of that sound correct
to you?

Thanks again!

John

On Mon, Apr 20, 2015 at 1:17 PM, Rowland Penny
<rowlandpenny at googlemail.com> wrote:

>> it seems like the missing part is getting winbind to use that
information.
>> Can you guide me on the proper approach?
>>
>> Thanks!
>>
>> John
>
>
> OK, have a look here:
https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>
> That is basically my smb.conf (and when I say 'my' I really mean
that is 'my' smb.conf)
>
> Rowland

On 20/04/15 21:50, john wrote:
> Thank you Rowland, so it looks like kerberos should be my
> authentication method and that I'll need to install rfc2307 extensions
> in my Active Directory environment in order to use your approach. Your
> approach supports UPN names for access to shares and It also appears
> that I won't need to use nslcd at all. Does all of that sound correct
> to you?
>
> Thanks again!
>
> John
>
> On Mon, Apr 20, 2015 at 1:17 PM, Rowland Penny
> <rowlandpenny at googlemail.com> wrote:
>
>
>>> it seems like the missing part is getting winbind to use that
information.
>>> Can you guide me on the proper approach?
>>>
>>> Thanks!
>>>
>>> John
>>
>> OK, have a look here:
https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>>
>> That is basically my smb.conf (and when I say 'my' I really
mean that is 'my' smb.conf)
>>
>> Rowland
I can only say that it works as I suggested against a samba AD DC (and I 
tried it both ways) and I don't use anything other than samba for 
authentication.

I would suggest you try it on a test set up in a VM and if it works, go 
to production.

Rowland

On 04/20/2015 02:01 PM, Rowland Penny wrote:
>
> I would suggest you try it on a test set up in a VM and if it works, go
> to production.
>
> Rowland
>
Hi Rowland,

Ok, I think I am pretty close. Still using Samba 3.3.6 since I couldn't 
seem to get Samba 4 to work from backports.

My sticking point right now is that winbind is mapping the wrong UID to 
my test user. I've setup the NIS domain in AD to correspond to my 
smb.conf file and I've *think* i've correctly specified that UIDs should
start at 10000, however when I id a domain user, the mapping starts at 
2000. I assume this means that winbind thinks that the user doesn't 
exist in the domain. Wbinfo -u and wbinfo -g work as expected


  wbinfo -n flyboy
S-1-5-21-3235454718-1405393322-4146969828-4087 SID_USER (1)

root at debian-tester:~# id flyboy
uid=2000(DEBIAN-TESTER\nobody) gid=2006(domain_users) 
groups=2001(DEBIAN-TESTER\none),2006(domain_users),2007(student_terminal_server),2008(all_students_users),2009(mcm_students),2010(students),2011(chromebooks),2012(2020)


root at debian-tester:~# getent passwd flyboy
flyboy:*:2000:2006:flyboy:/home/flyboy:/bin/sh

getent group "domain users"
domain_users:x:2006:gcallison

Here's my smb.conf file

[global]


    workgroup = VANGUARD
    security = ADS
    realm = VANGUARD.MYDOMAIN.ORG
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    idmap config VANGUARD:backend = ad
    idmap config VANGUARD:schema_mode = rfc2307
    idmap config VANGUARD:range = 10000-99999

    log level = 1 idmap:10
    winbind nss info = rfc2307
    winbind trusted domains only = no
    winbind use default domain = yes
    winbind enum users  = yes
    winbind enum groups = yes
    winbind refresh tickets = Yes
    winbind expand groups = 4
    winbind normalize names = Yes
    domain master = no
    local master = no
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes
[ALLSTUDENTS]

  path = /home/ALLSTUDENTS
      # valid users = %S
       readonly = no
       writable = yes
       printable = no
       create mode = 0700
       directory mode = 0700

I turned up the logs for idmap, here's what I see:

log.winbindd-idmap:  idmap range not specified for domain DEBIAN-TESTER
log.winbindd-idmap:  gid [0] not mapped
log.winbindd-idmap:  idmap backend ad not found
log.winbindd-idmap:  gid [65534] not mapped
log.winbindd-idmap:  Record 
S-1-5-21-2072017671-3909937455-2446232893-501 not found
log.winbindd-idmap:  Record 
S-1-5-21-2072017671-3909937455-2446232893-513 not found
log.winbindd-idmap:  Record 
S-1-5-21-2072017671-3909937455-2446232893-546 not found
log.winbindd-idmap:  Record 
S-1-5-21-2072017671-3909937455-2446232893-501 not found
log.winbindd-idmap:  Record 
S-1-5-21-2072017671-3909937455-2446232893-513 not found
log.winbindd-idmap:  Record 
S-1-5-21-2072017671-3909937455-2446232893-546 not found
log.winbindd-idmap:  uid [0] not mapped


Thanks for all of your help!

John