On Sat, 10 Oct 2015 16:07 Andrew Bartlett wrote

> For the pain that you are about to endure, I can only offer my apologies.

Apologies accepted! :) Seriously though, the Samba team has done a great job with the AD stuff. I was pretty much able to drop Samba4 in as a replacement for our SBS 2008 with virtually no issues. What issues I had were mostly Microsoft idiosyncrasies (refer to my GPO rant to Rowland). I used the Slackware as-shipped Samba4, provisioned (with BIND9_FLATFILE), added users with RSAT ADUC and Win7 domain users were none the wiser, everything just worked: redirected folders, RDC, SQL Server "Windows Authentication", etc. Good job!

My quest to replace Microsoft continues ...

For my immediate need, I'd like someone to give me the proverbial "fish" and I'll "learn to fish" later. Given that my AD domain users are group 100, and the AD users UID range is 3000000-3000099, what should my idmap config settings look like in the wiki-adapted 'member server' smb.conf shown below? Just tell me the right answer, I'll figure out why later.

[global]
netbios name = uCommon
workgroup = HPRS
security = ADS
realm = HPRS.LOCAL
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

idmap config *:backend = tdb
idmap config *:range = ???-???
idmap config HPRS:backend = ad
idmap config HPRS:schema_mode = rfc2307
idmap config HPRS:range = ???-???

winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = Yes

[demoshare]
path = /srv/samba/test
read only = no

Thanks, --Mark

-----Original Message-----
> From: Andrew Bartlett <abartlet at samba.org>
> To: Mark Foley <mfoley at ohprs.org>, samba at lists.samba.org
> Date: Sat, 10 Oct 2015 16:07:22 +1300
> Subject: Re: [Samba] Samba AD PDC , LDAP and Single-Sign-On
>
> On Fri, 2015-10-09 at 21:08 -0400, Mark Foley wrote:
> > Thanks again for your quick reply ...
> > Frankly, even after reading the
> > https://www.samba.org/samba/docs/man/manpages/idmap_ad.8.html wiki, I don't
> > really get the differentiation between 'idmap config *' and 'idmap config DOMAIN'
> >
> > Do I have to have something similar on the AD/DC? Right now, there are no idmap
> > statements in that smb.conf.
> >
> > Thanks for your time (and patience), --Mark
>
> For the pain that you are about to endure, I can only offer my
> apologies. As Rowland and others on the list will quickly point out,
> this is an area that is far from satisfactory. All the solutions are a
> compromise of one kind or another, from the nature of compressing a
> 128-bit (or more) SID value into a 32 bit UID or GID value.
>
> Almost every new Samba team member starts with a desire to finally
> implement the 'perfect' solution here, but the result of that desire
> colliding with reality has ended up with a despairing 'let the admin
> specify what they want'.
>
> One way of doing that is to manually fill in the uidNumber and
> gidNumber values, and then tell the client and server to use that.
> Samba has trouble doing that in a race-free way, and so far declines to
> be as helpful as it could be.
>
> Sorry,
>
> Andrew Bartlett
>
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
> Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
On 10/10/15 08:26, Mark Foley wrote:
> On Sat, 10 Oct 2015 16:07 Andrew Bartlett wrote
>
>> For the pain that you are about to endure, I can only offer my apologies.
>
> Apologies accepted! :) Seriously though, the Samba team has done a great job
> with the AD stuff. I was pretty much able to drop Samba4 in as a replacement
> for our SBS 2008 with virtually no issues. What issues I had were mostly
> Microsoft idiosyncrasies (refer to my GPO rant to Rowland). I used the
> Slackware as-shipped Samba4, provisioned (with BIND9_FLATFILE), added users
> with RSAT ADUC and Win7 domain users were none the wiser, everything just
> worked: redirected folders, RDC, SQL Server "Windows Authentication", etc. Good
> job!
>
> My quest to replace Microsoft continues ...
>
> For my immediate need, I'd like someone to give me the proverbial "fish" and I'll
> "learn to fish" later. Given that my AD domain users are group 100, and the AD
> users UID range is 3000000-3000099, what should my idmap config settings look
> like in the wiki-adapted 'member server' smb.conf shown below? Just tell me the
> right answer, I'll figure out why later.
>
> [global]
> netbios name = uCommon
> workgroup = HPRS
> security = ADS
> realm = HPRS.LOCAL
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> idmap config *:backend = tdb
> idmap config *:range = ???-???
> idmap config HPRS:backend = ad
> idmap config HPRS:schema_mode = rfc2307
> idmap config HPRS:range = ???-???

OK, let's see if I can explain this:

'idmap *' is where all the AD well-known SIDs are mapped (see https://support.microsoft.com/en-us/kb/243330), these are pretty much the same as Unix system users & groups.

'idmap config HPRS' is where your users & groups are mapped, how they are mapped is up to the sysadmin i.e. you. You can use winbind with either the 'ad' or 'rid' backend, or you can use sssd or nslcd.

The problem with using the 'rid' backend is that you will definitely get different numbers on a member server (or client, workstation, call it what you will) to the DC, now this shouldn't really be a problem if you only use the Samba DC for authentication.

Now we come to the numbers used on the DC, for some reason, the Samba devs decided to use numbers starting at 3000000, but then decided to give 'Domain Users' the number 100 (this is the Unix users group gid), this was in my opinion a *bad* idea. I now hear you asking why? Well the two ranges ('idmap config *' & 'idmap config HPRS') have to be separate ranges that do not overlap, but there is also another range that doesn't appear in smb.conf, this is the local users & groups that start at 0 and your idmap ranges must not overlap this range as well, and how do you do this when 'Domain Users' has the gid of 100????

The scheme I use is simple, everything below 2000 is a local user, 2000-9999 is for the well-known SIDs and 10000 up is for AD users & groups. Depending on which Unix distro you use, system users & groups will either end at 499 or 999, so at the least, my scheme gives the possibility of 1000 local users and as you actually don't need *any* local users, this should be sufficient. There are also only approx 100 well-known SIDs, so the next range is more than sufficient and as for the last range, if you run out, you just raise the last number.

It is no use giving every user a unique uidNumber, unless you also give 'Domain Users' a gidNumber, winbind will not work until you do. Also whatever numbers you use, they must all be inside whatever range you set in 'idmap config HPRS', anything outside the range is ignored i.e. if the range is 10000-99999 and a user has the uidNumber of 1000 it will be ignored as an AD user, but here is the one that gets most people, if you give 'Domain Users' the gidNumber of 100 (as on the DC), it will be ignored and if 'Domain Users' is ignored, all other users and groups will be ignored!

All of the above only has reference to a 'member server', idmap works differently on an AD DC (i.e. as I said, Domain Users gets set to 100 even though it probably shouldn't)

HTH

Rowland
On Sat, 10 Oct 2015 10:18 Rowland Penny wrote

> ... the two ranges ('idmap config *' & 'idmap config HPRS') have to be separate
> ranges that do not overlap, but there is also another range that doesn't appear
> in smb.conf, this is the local users & groups that start at 0 and your idmap
> ranges must not overlap this range as well and how do you do this when 'Domain
> Users' has the gid of 100????

So, having AD users in GID 100 is a problem - I'll have overlap.

> It is no use giving every user a unique uidNumber, unless you also give 'Domain
> Users' a gidNumber, winbind will not work until you do. Also whatever numbers
> you use, they must all be inside whatever range you set in 'idmap config HPRS',
> anything outside the range is ignored ... here is the one that gets most
> people, if you give 'Domain Users' the gidNumber of 100 (as on the DC), it will
> be ignored and if 'Domain Users' is ignored, all other users and groups will be
> ignored!

Therefore, I will change the GID for AD users to 10000. While I'm at it, I'll change the AD users UID range to 10000-99999. So, my idmap configs will look basically like the wiki example:

idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config HPRS:backend = ad
idmap config HPRS:schema_mode = rfc2307
idmap config HPRS:range = 10000-99999

It's not a big deal to change the file ownerships on the AD/DC, but I also need to change Samba to use these new IDs so that when folders are created in /redirectedFolders (while still using Windows) they are created with the correct GID and UID. I suppose that means wbinfo will have to return, e.g.:

$ wbinfo -i mark
HPRS\mark:*:10026:10000:Mark Foley:/home/HPRS/mark:/bin/false

instead of 3000026:100. Furthermore, new users created with RSAT ADUC will have to be created with group 10000 and UIDs 100xx. How do I do that?

--Mark
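Rowland's range rules (the '*' and HPRS ranges must not overlap each other or the local IDs below 2000, and every rfc2307 uidNumber/gidNumber, 'Domain Users' above all, must lie inside the HPRS range) and Mark's proposed 2000-9999 / 10000-99999 layout, checked by an added Python script that is not from this thread or from the Samba project. The smb.conf fragment and the 3000026:100 versus 10026:10000 id pairs are constructed from the values quoted in the thread; `local_max=1999` is an assumption taken from Rowland's "everything below 2000 is a local user".

```python
import re

# Added example, not from the thread or from Samba: check a member server's
# idmap layout against Rowland's rules: the '*' and DOMAIN ranges must not overlap
# each other or local IDs, and every rfc2307 id must sit inside the DOMAIN range.
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.M)

# Constructed smb.conf fragment with the ranges from Mark's reply.
SMB_CONF = """
[global]
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config HPRS:backend = ad
idmap config HPRS:schema_mode = rfc2307
idmap config HPRS:range = 10000-99999
"""
# rfc2307 values as the DC provisions them (Domain Users = 100, users from 3000000) ...
DC_DEFAULTS = {"Domain Users": 100, "mark": 3000026}
# ... and the same objects after moving them into the 10000-99999 range.
FIXED = {"Domain Users": 10000, "mark": 10026}

def parse_idmap_ranges(smb_conf):
    """Return {domain: (low, high)} for each 'idmap config X:range' line."""
    return {d: (int(lo), int(hi)) for d, lo, hi in IDMAP_RE.findall(smb_conf)}

def overlaps(a, b):
    """True when the inclusive ranges a and b share at least one ID."""
    return a[0] <= b[1] and b[0] <= a[1]

def check_layout(ranges, domain, rfc2307, local_max=1999):  # below 2000 is local (assumed)
    """Return a list of problems; an empty list means winbind can use the layout."""
    problems = [f"{d} range {r} overlaps local IDs 0-{local_max}"
                for d, r in ranges.items() if overlaps(r, (0, local_max))]
    if "*" in ranges and domain in ranges and overlaps(ranges["*"], ranges[domain]):
        problems.append(f"'*' range overlaps the {domain} range")
    if domain not in ranges:
        return problems + [f"no 'idmap config {domain}:range' line"]
    lo, hi = ranges[domain]
    gid = rfc2307.get("Domain Users")
    if gid is None or not lo <= gid <= hi:
        # Out-of-range (or missing) 'Domain Users' gid: winbind drops the whole domain.
        return problems + [f"Domain Users gidNumber {gid} outside {lo}-{hi}: all users ignored"]
    problems += [f"{n} id {v} outside {lo}-{hi}: ignored"
                 for n, v in rfc2307.items() if not lo <= v <= hi]
    return problems

if __name__ == "__main__":
    r = parse_idmap_ranges(SMB_CONF)
    print(check_layout(r, "HPRS", DC_DEFAULTS))  # one problem: Domain Users gid 100
    print(check_layout(r, "HPRS", FIXED))        # []
```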