Rowland Penny
2018-Jun-27 06:48 UTC
[Samba] How to Join Mac OSX workstation as AD domain member
On Wed, 27 Jun 2018 02:09:24 -0400 Mark Foley via samba <samba at lists.samba.org> wrote:

> I think I have my Mac AD mappings wrong. The following link
> https://support.apple.com/kb/PH26272?viewlocale=en_ME&locale=en_ME,
> says:
>
> > On a computer that's configured to use Directory Utility's Active
> > Directory connector, you can specify an Active Directory attribute
> > to map to the group ID (GID), primary group ID (GID), and unique
> > user ID (UID) attribute in macOS.
> >
> > Usually, the Active Directory schema must be extended to include an
> > attribute that's suitable for mapping to the GID, primary GID, and
> > UID:
> >
> > If the Active Directory administrator extends the Active Directory
> > schema by installing Microsoft's Services for UNIX, you can map the
> > following:
> >
> > GID to the msSFU-30-Gid-Number attribute
> > Primary GID to the msSFU-30-Gid-Number attribute
> > UID to the msSFU-30-Uid-Number attribute

I think there is a clue there, 'Microsoft's Services for UNIX': it used to be called that, but latterly it was called 'IDMU' or 'Identity Management for UNIX' and a lot of the 'msSFU-30' prefixes got dropped.

> I've looked in sam.ldb and the only msSFU object categories I find
> are msSFU-30-NIS-Map-Config and msSFU-30-Domain-Info. What are
> msSFU-30-Gid-Number and UID to the msSFU-30-Uid-Number? Should I be
> using these?

You probably already are: 'msSFU-30-Gid-Number' became 'gidNumber'.

> What are GID, primary GID and UID in this case? My 'Domain Users' GID
> is 10000. How does that correlate? Why would I specifically map a
> UID? Would not the AD server sort that out when I log in as a domain
> user?
>
> > If the Active Directory administrator manually extends the Active
> > Directory schema to include RFC 2307 attributes, you can map the
> > following:
> >
> > GID to the gidNumber attribute
> > Primary GID to the gidNumber attribute
> > UID to the uidNumber attribute
>
> I do have 'idmap_ldb:use rfc2307 = yes' defined in the AD server
> smb.conf, but I'm still at a loss as to understanding what they are
> talking about with GID, Primary GID and UID.
>
> > If the Active Directory administrator manually extends the Active
> > Directory schema to include the macOS gidNumber, PrimaryGroupID,
> > and UniqueID attributes, you can map the following:
> >
> > GID to the gidNumber attribute
> > Primary GID to the PrimaryGroupID attribute
> > UID to the UniqueID attribute
>
> Not comprehending this mac-speak. Does anyone know what this is?
>
> > If mapping of the GID, primary GID, and UID is disabled, the Active
> > Directory connector generates a GID, primary GID, and UID based on
> > Active Directory's standard GUID attribute.
>
> So, if I *don't* do any mapping (disabled) what happens?

Sounds like you end up using something very similar to the winbind 'rid' backend.

> > Important: With the advanced options of the Active Directory
> > connector, you can map the macOS unique user ID (UID), primary
> > group ID (GID), and group GID attributes to the correct attributes
> > in the Active Directory schema. However, if you change these
> > settings later, users might lose access to previously created files.
>
> Has anyone done any of this and perhaps understands what they're
> talking about?

I have never done this (no apple clients) but if it works with one version of apple OS but not a later version, surely this means something changed in the apple OS and not in Samba. Perhaps you should ask Apple just what they changed, if anything. In the meantime, Samba has vfs_fruit, see 'man vfs_fruit' for more info.

Rowland
Ralph Böhme
2018-Jun-27 08:29 UTC
[Samba] How to Join Mac OSX workstation as AD domain member
On Wed, Jun 27, 2018 at 07:48:50AM +0100, Rowland Penny via samba wrote:

> > > If mapping of the GID, primary GID, and UID is disabled, the Active
> > > Directory connector generates a GID, primary GID, and UID based on
> > > Active Directory's standard GUID attribute.
> >
> > So, if I *don't* do any mapping (disabled) what happens?
>
> Sounds like you end up using something very similar to the winbind
> 'rid' backend.

Their default mapping strategy uses 4 bytes of the ObjectGUID of the users and groups objects.

-slow

--
Ralph Boehme, Samba Team                https://samba.org/
Samba Developer, SerNet GmbH            https://sernet.de/en/samba/
GPG Key Fingerprint:           FAE2 C608 8A24 2520 51C5 59E4 AA1E 9B71 2639 9E46
Rowland Penny
2018-Jun-27 08:39 UTC
[Samba] How to Join Mac OSX workstation as AD domain member
On Wed, 27 Jun 2018 10:29:16 +0200 Ralph Böhme <slow at samba.org> wrote:

> On Wed, Jun 27, 2018 at 07:48:50AM +0100, Rowland Penny via samba
> wrote:
> > > > If mapping of the GID, primary GID, and UID is disabled, the
> > > > Active Directory connector generates a GID, primary GID, and
> > > > UID based on Active Directory's standard GUID attribute.
> > >
> > > So, if I *don't* do any mapping (disabled) what happens?
> >
> > Sounds like you end up using something very similar to the winbind
> > 'rid' backend.
>
> Their default mapping strategy uses 4 bytes of the ObjectGUID of
> the users and groups objects.
>
> -slow

Hi Ralph,

Any particular 4 bytes? As in, at the start, middle or end of the ObjectGUID, and with this, is it possible to get non-unique IDs?

Rowland
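Rowland's question about which 4 bytes and whether the result can be non-unique is worth seeing concretely. The following is an added example, not code from the thread, Apple or Samba: it assumes, purely for illustration, that the id is the first four bytes of the canonical GUID read big-endian (the thread says neither which bytes nor what byte order), compares that with the RFC 2307 uidNumber/gidNumber mapping, and flags ids that two objects share. The directory objects are constructed; the first two GUID prefixes were picked so the derived ids reproduce the 1793602029.1840809715 pair Mark reported.

```python
import uuid
from collections import defaultdict

# Constructed directory objects (not real AD data).  The leading bytes of
# the first two GUIDs were picked so the derived ids reproduce the
# 1793602029.1840809715 pair from the thread; everything else is made up.
SAMPLE_OBJECTS = {
    "mark":  {"objectGUID": uuid.UUID("6ae831ed-1f4e-4c3b-9a01-0123456789ab"),
              "uidNumber": 10001},
    "alice": {"objectGUID": uuid.UUID("6ae831ed-8ef7-4d2a-b3c4-fedcba987654"),
              "uidNumber": 10002},
    "Domain Users": {"objectGUID": uuid.UUID("6db886f3-0a1b-4c2d-8e9f-001122334455"),
                     "gidNumber": 10000},
}

def guid_derived_id(guid, offset=0):
    """Assumed derivation: 4 bytes of the objectGUID at `offset`, read as an
    unsigned big-endian integer from the canonical byte form.  AD stores
    objectGUID with its first three fields little-endian (uuid.bytes_le),
    so the byte order is part of the assumption, not something the thread states."""
    return int.from_bytes(guid.bytes[offset:offset + 4], "big")

def rfc2307_id(obj):
    """RFC 2307 mapping: the administrator-assigned uidNumber or gidNumber."""
    return obj.get("uidNumber", obj.get("gidNumber"))

def assign_ids(objects, strategy):
    """Map every object to a POSIX id under the chosen strategy."""
    if strategy == "guid":
        return {n: guid_derived_id(o["objectGUID"]) for n, o in objects.items()}
    if strategy == "rfc2307":
        return {n: rfc2307_id(o) for n, o in objects.items()}
    raise ValueError("unknown strategy: %s" % strategy)

def find_collisions(ids):
    """Return {id: [names]} for every id that more than one object maps to."""
    owners = defaultdict(list)
    for name, ident in ids.items():
        owners[ident].append(name)
    return {i: names for i, names in owners.items() if len(names) > 1}

if __name__ == "__main__":
    for strategy in ("guid", "rfc2307"):
        ids = assign_ids(SAMPLE_OBJECTS, strategy)
        print(strategy, ids, "collisions:", find_collisions(ids))
```

Two objects that share the chosen 4 bytes end up owning each other's files under the GUID-derived scheme, while administrator-assigned uidNumber/gidNumber values stay distinct and, as Apple's note warns, stable across later changes to the connector settings.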
Mark Foley
2018-Jun-27 17:58 UTC
[Samba] How to Join Mac OSX workstation as AD domain member
Well, I've made some progress. Excuse the detail, but this might help others as I've so far found NOTHING on this, including with the Mac Enterprise maillist (so far).

If I unchecked all the Directory Utility mapping options, I was able to log in! Yeah! But, the UID.GID numbers were 1793602029.1840809715.

Next I tried just setting the "Map group GID to attribute" to 10000 (my 'Domain Users' group). That did nothing to change the GID, but I could still log on.

Leaving the above setting in place, I next tried setting "Map user GID to attribute" to 10000. That gave me UID.GIDs of 1793602029.20. Strange.

Next I tried setting "Map user GID to attribute" to the string "gidNumber". That worked and my UID.GIDs were now 1793602029.10000.

Next I tried setting "Map UID to attribute" to 10001 (my domain UID). I couldn't log on at all as the domain user.

Next I tried setting "Map UID to Attribute" to the string "uidNumber". That worked and my UID.GIDs were then 10001.10000.

At this point, I do have correct domain user UID and GID. Upon login the Mac creates folders in the home directory:

$ ls -ln
total 0
drwx------+  3 10001 10000  102 Jun 27 13:16 Desktop
drwx------+  3 10001 10000  102 Jun 27 13:16 Documents
drwx------+  3 10001 10000  102 Jun 27 13:16 Downloads
drwx------@ 46 10001 10000 1564 Jun 27 13:26 Library
drwx------+  3 10001 10000  102 Jun 27 13:16 Movies
drwx------+  3 10001 10000  102 Jun 27 13:16 Music
drwx------+  3 10001 10000  102 Jun 27 13:16 Pictures
drwxr-xr-x+  4 10001 10000  136 Jun 27 13:16 Public

These folders are empty and NOT connected to the redirected desktop. I'm guessing the Mac AD setup doesn't bother much with Group Policies. Not necessarily a big deal as the Linux domain members also do not auto-map to the redirected folders on the DC. However, Linux does create the home folder as specified in sam.ldb and does designate that as $HOME, which Mac is not doing.

So, some questions:

If I were either to change this user's unixHomeDirectory (sam.ldb) from /home/HPRS/mark to /Users/mark, would that make a difference? I suppose I could also try creating the /home/HPRS directory on the Mac and see if a login plops me there.

On Linux, I've used NFS export on the DC and autofs on the domain member to mount the user's redirected folders. I could try the same thing on Mac.

Rowland has mentioned vfs_fruit, which I've done some reading on. Is vfs_fruit the recommended way of doing remote mounts on Mac? I have done basic smb mounts from mac using CMD-K > smb:\\host\share. Suggestions on this?

Meanwhile, I'll do more experimentation.

THX --Mark

On Wed, 27 Jun 2018 07:48:50 +0100 Rowland Penny <rpenny at samba.org> wrote:

> On Wed, 27 Jun 2018 02:09:24 -0400
> Mark Foley via samba <samba at lists.samba.org> wrote:
>
> > I think I have my Mac AD mappings wrong. The following link
> > https://support.apple.com/kb/PH26272?viewlocale=en_ME&locale=en_ME,
> > says:
> >
> > > On a computer that's configured to use Directory Utility's Active
> > > Directory connector, you can specify an Active Directory attribute
> > > to map to the group ID (GID), primary group ID (GID), and unique
> > > user ID (UID) attribute in macOS.
> > >
> > > Usually, the Active Directory schema must be extended to include an
> > > attribute that's suitable for mapping to the GID, primary GID, and
> > > UID:
> > >
> > > If the Active Directory administrator extends the Active Directory
> > > schema by installing Microsoft's Services for UNIX, you can map the
> > > following:
> > >
> > > GID to the msSFU-30-Gid-Number attribute
> > > Primary GID to the msSFU-30-Gid-Number attribute
> > > UID to the msSFU-30-Uid-Number attribute
>
> I think there is a clue there 'Microsoft's Services for UNIX', it used
> to be called that, but latterly it was called 'IDMU' or 'Identity
> Management for UNIX' and a lot of the 'msSFU-30' prefixes got dropped.
>
> > I've looked in sam.ldb and the only msSFU object categories I find
> > are msSFU-30-NIS-Map-Config and msSFU-30-Domain-Info. What are
> > msSFU-30-Gid-Number and UID to the msSFU-30-Uid-Number? Should I be
> > using these?
>
> You probably already are, 'msSFU-30-Gid-Number' became 'gidNumber'
>
> > What are GID, primary GID and UID in this case? My 'Domain Users' GID
> > is 10000. How does that correlate? Why would I specifically map a
> > UID? Would not the AD server sort that out when I log in as a domain
> > user?
> >
> > > If the Active Directory administrator manually extends the Active
> > > Directory schema to include RFC 2307 attributes, you can map the
> > > following:
> > >
> > > GID to the gidNumber attribute
> > > Primary GID to the gidNumber attribute
> > > UID to the uidNumber attribute
> >
> > I do have 'idmap_ldb:use rfc2307 = yes' defined in the AD server
> > smb.conf, but I'm still at a loss as to understanding what they are
> > talking about with GID, Primary GID and UID.
> >
> > > If the Active Directory administrator manually extends the Active
> > > Directory schema to include the macOS gidNumber, PrimaryGroupID,
> > > and UniqueID attributes, you can map the following:
> > >
> > > GID to the gidNumber attribute
> > > Primary GID to the PrimaryGroupID attribute
> > > UID to the UniqueID attribute
> >
> > Not comprehending this mac-speak. Does anyone know what this is?
> >
> > > If mapping of the GID, primary GID, and UID is disabled, the Active
> > > Directory connector generates a GID, primary GID, and UID based on
> > > Active Directory's standard GUID attribute.
> >
> > So, if I *don't* do any mapping (disabled) what happens?
>
> Sounds like you end up using something very similar to the winbind
> 'rid' backend.
>
> > > Important: With the advanced options of the Active Directory
> > > connector, you can map the macOS unique user ID (UID), primary
> > > group ID (GID), and group GID attributes to the correct attributes
> > > in the Active Directory schema. However, if you change these
> > > settings later, users might lose access to previously created files.
> >
> > Has anyone done any of this and perhaps understands what they're
> > talking about?
>
> I have never done this (no apple clients) but if it works with one
> version of apple OS but not a later version, surely this means
> something changed in the apple OS and not in Samba. Perhaps you should
> ask Apple just what they changed, if anything.
> In the meantime, Samba has vfs_fruit, see 'man vfs_fruit' for more info.
>
> Rowland
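Mark's login only worked once both "Map UID to attribute" and "Map user GID to attribute" pointed at the RFC 2307 attributes, so before rolling that out a practitioner would want to confirm every account actually carries uidNumber, gidNumber and unixHomeDirectory, and that each gidNumber belongs to a real group. This added example (not code from the thread or from Samba) runs that check over a constructed ldbsearch-style LDIF export; the accounts, the DC=example,DC=com domain and the values are made up, and the parser assumes the plain-text attribute lines shown, not the base64 ('::') or folded lines a real export may contain.

```python
# Constructed LDIF shaped like `ldbsearch -H sam.ldb` output; accounts,
# domain (DC=example,DC=com) and values are made up for this example.
SAMPLE_LDIF = """\
dn: CN=mark,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: mark
uidNumber: 10001
gidNumber: 10000
unixHomeDirectory: /home/HPRS/mark

dn: CN=alice,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: alice
gidNumber: 20000

dn: CN=Domain Users,CN=Users,DC=example,DC=com
objectClass: group
sAMAccountName: Domain Users
gidNumber: 10000
"""

def parse_ldif(text):
    """Parse 'attr: value' lines into one {attr: [values]} dict per entry (no base64/folded lines assumed)."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:   # trailing "" flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(": ")
        cur.setdefault(attr, []).append(value)
    return entries

def check_rfc2307(entries):
    """(account, problem) pairs for users the uidNumber/gidNumber mapping would fail on."""
    group_gids = {e["gidNumber"][0] for e in entries
                  if "group" in e.get("objectClass", []) and "gidNumber" in e}
    problems = []
    for e in (e for e in entries if "user" in e.get("objectClass", [])):
        name = e["sAMAccountName"][0]
        for attr in ("uidNumber", "gidNumber", "unixHomeDirectory"):
            if attr not in e:              # unpopulated RFC 2307 attribute
                problems.append((name, "no " + attr))
        gid = e.get("gidNumber", [None])[0]
        if gid is not None and gid not in group_gids:   # orphan primary group
            problems.append((name, "gidNumber %s matches no group" % gid))
    return problems
```

An account reported here is one the Mac would either refuse to log in (as Mark saw when the mapped attribute held nothing usable) or give an unexpected id, so it is cheaper to fix the directory entry first than to debug it on the client.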
Rowland Penny
2018-Jun-27 18:31 UTC
[Samba] How to Join Mac OSX workstation as AD domain member
On Wed, 27 Jun 2018 13:58:46 -0400 Mark Foley via samba <samba at lists.samba.org> wrote:

> Well, I've made some progress. Excuse the detail, but this might help
> others as I've so far found NOTHING on this, including with the Mac
> Enterprise maillist (so far).
>
> If I unchecked all the Directory Utility mapping options, I was able
> to log in! Yeah! But, the UID.GID numbers were 1793602029.1840809715.
>
> Next I tried just setting the "Map group GID to attribute" to 10000
> (my 'Domain Users' group). That did nothing to change the GID, but I
> could still log on.
>
> Leaving the above setting in place, I next tried setting "Map user
> GID to attribute" to 10000. That gave me UID.GIDs of 1793602029.20.
> Strange.
>
> Next I tried setting "Map user GID to attribute" to the string
> "gidNumber". That worked and my UID.GIDs were now 1793602029.10000.
>
> Next I tried setting "Map UID to attribute" to 10001 (my domain
> UID). I couldn't log on at all as the domain user.
>
> Next I tried setting "Map UID to Attribute" to the string
> "uidNumber". That worked and my UID.GIDs were then 10001.10000.
>
> At this point, I do have correct domain user UID and GID. Upon login
> the Mac creates folders in the home directory:
>
> $ ls -ln
> total 0
> drwx------+  3 10001 10000  102 Jun 27 13:16 Desktop
> drwx------+  3 10001 10000  102 Jun 27 13:16 Documents
> drwx------+  3 10001 10000  102 Jun 27 13:16 Downloads
> drwx------@ 46 10001 10000 1564 Jun 27 13:26 Library
> drwx------+  3 10001 10000  102 Jun 27 13:16 Movies
> drwx------+  3 10001 10000  102 Jun 27 13:16 Music
> drwx------+  3 10001 10000  102 Jun 27 13:16 Pictures
> drwxr-xr-x+  4 10001 10000  136 Jun 27 13:16 Public
>
> These folders are empty and NOT connected to the redirected desktop.
> I'm guessing the Mac AD setup doesn't bother much with Group
> Policies.

Only Windows uses GPOs (as yet). GPOs operate on the registry and only Windows has the registry.

> Not necessarily a big deal as the Linux domain members
> also do not auto-map to the redirected folders on the DC. However,
> Linux does create the home folder as specified in sam.ldb and does
> designate that as $HOME which Mac is not doing.

I have never used an Apple machine, so I have no idea about the apple OS, but does it have anything similar to PAM?

> So, some questions:
>
> If I were either to change this user's unixHomeDirectory (sam.ldb)
> from /home/HPRS/mark to /Users/mark, would that make a difference?

Only if '/Users' exists on the MACOS machine and there is something to create the user's homedir.

> I suppose I could also try creating the /home/HPRS directory on the
> Mac and see if a login plops me there.

If '/home/HPRS' doesn't exist, this could well be your problem.

> On Linux, I've used NFS export on the DC and autofs on the domain
> member to mount the user's redirected folders. I could try the same
> thing on Mac.

As far as I am aware, the great-granddaddy of MACOS was some form of BSD, so I suppose you should treat it more like Linux than Windows.

> Rowland has mentioned vfs_fruit, which I've done some
> reading on. Is vfs_fruit the recommended way of doing remote mounts
> on Mac?

I have never used it myself, but from my understanding, it is a layer between Samba, MACOS and the Unix OS.

> I have done basic smb mounts from mac using CMD-K >
> smb:\\host\share. Suggestions on this?

I have no idea, perhaps someone who actually uses MACOS would care to comment.

Rowland

PS Have you considered hitting the MACOS machines with a very big hammer? It won't fix the problem, but it would make it go away, permanently. LOL