On Sun, Mar 3, 2019 at 5:14 AM Rowland Penny via samba <samba at lists.samba.org> wrote:
[snip]
> > Correct me if I'm wrong, but winbind (on a Samba DC) can **only** use
> > "template homedir" and "template shell", and will not respect the RFC
> > 2307 attributes in LDAP. Is that correct?
>
> Yes and no ;-)
>
> If you use the 'rid' backend, you must use the template lines. If you
> use the 'ad' backend, then the RFC2307 attributes in AD will be used.

I'm asking about Winbindd on the DC itself, where, as I understand it,
there is no choice of idmap backend. The Samba Wiki [1] says:

> ... setting up an ID mapping back end, such as ad (RFC2307) or rid, in
> the smb.conf file is not supported an [sic] can cause the samba
> service to fail.
> On a Samba Active Directory DC, Winbindd always reads the user IDs
> (UID) and group IDs (GID) from the values set in the uidNumber and
> gidNumber attributes set in the AD objects.

That page goes on to say:

> On a Samba DC, only the winbind template mode is supported.

This doesn't seem to agree with what you've said; it strongly implies
that Winbindd, on a Samba DC, will never use the homeDirectory and
loginShell attributes. This mailing list post from 2015 [2] seems to
agree.

While we're on the topic, I've noticed that passing --use-rfc2307 to
`samba-tool domain provision` causes smb.conf to include this option:

    idmap_ldb:use rfc2307 = yes

That option is not documented in smb.conf [3]. Furthermore, this Samba
Wiki page [4] says about that option:

> It is recommended not to use those mappings on the DCs. The default
> idmap ldb mechanism is fine for domain controllers and less error
> prone.

Which seems completely incorrect, given that the option was added
during AD provisioning.

I appreciate your help in clearing up some of this contradictory
information!
Jonathon

[1] https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC#Identity_Mapping_on_a_Samba_Domain_Controller
[2] https://lists.samba.org/archive/samba/2015-June/192072.html
[3] https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html
[4] https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD#RFC2307_on_AD_Domain_Controllers
On Sun, 3 Mar 2019 13:41:05 -0500
Jonathon Reinhart <jonathon.reinhart at gmail.com> wrote:

> On Sun, Mar 3, 2019 at 5:14 AM Rowland Penny via samba
> <samba at lists.samba.org> wrote:
> [snip]
> > > Correct me if I'm wrong, but winbind (on a Samba DC) can **only**
> > > use "template homedir" and "template shell", and will not respect
> > > the RFC 2307 attributes in LDAP. Is that correct?
> >
> > Yes and no ;-)
> >
> > If you use the 'rid' backend, you must use the template lines. If
> > you use the 'ad' backend, then the RFC2307 attributes in AD will be
> > used.
>
> I'm asking about Winbindd on the DC itself, where, as I understand it,
> there is no choice of idmap backend. The Samba Wiki [1] says:

I must go to Specsavers :-(

Yes, totally correct, you have to use the 'template' lines.

> > > ... setting up an ID mapping back end, such as ad (RFC2307) or rid,
> > > in the smb.conf file is not supported an [sic] can cause the samba
> > > service to fail.
> > > On a Samba Active Directory DC, Winbindd always reads the user IDs
> > > (UID) and group IDs (GID) from the values set in the uidNumber and
> > > gidNumber attributes set in the AD objects.
>
> That page goes on to say:
>
> > On a Samba DC, only the winbind template mode is supported.
>
> This doesn't seem to agree with what you've said; it strongly implies
> that Winbindd, on a Samba DC, will never use the homeDirectory and
> loginShell attributes.

No it doesn't, and the worst part is that I wrote a large part of that ;-)

> This mailing list post from 2015 [2] seems to
> agree.
>
> While we're on the topic, I've noticed that passing --use-rfc2307 to
> `samba-tool domain provision` causes smb.conf to include this option:
>
>     idmap_ldb:use rfc2307 = yes
>
> That option is not documented in smb.conf [3].

No, it isn't, but it is required to use the RFC2307 attributes, and the
other strange thing is, it isn't added by default to any other DCs you
might add.

> Furthermore, this Samba Wiki page [4] says about that option:
>
> > It is recommended not to use those mappings on the DCs. The default
> > idmap ldb mechanism is fine for domain controllers and less error
> > prone.
>
> Which seems completely incorrect, given that the option was added
> during AD provisioning.

Well, not doing something is always going to be less error prone ;-)
What it is saying is: if you only use the DC for authentication, then
the default idmap.ldb is sufficient. The problems can start if you have
any other Unix machines and require the same numeric Unix IDs everywhere.

> I appreciate your help in clearing up some of this contradictory
> information!

I appreciate your feedback, it helps to make the wiki better.

Rowland
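A small check for the DC smb.conf points raised in this exchange, written as an added example for this thread (not code from the list or from Samba): it flags an idmap backend on a DC, which the wiki says is unsupported, and a missing `idmap_ldb:use rfc2307 = yes`, which joined DCs do not get by default. The config is a constructed sample, and the `/bin/false` and `/home/%D/%U` fallbacks are the smb.conf(5) defaults for the template lines.

```python
# Added example (not code from the thread or from Samba). Constructed sample DC smb.conf:
SAMPLE_SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes
    template shell = /bin/bash
    template homedir = /home/%U
    idmap config * : backend = ad
"""

def _norm(key):
    # Samba matches parameter names case-insensitively and ignores whitespace
    return "".join(key.lower().split())

def parse_global(text):
    """Return the [global] parameters as {normalised name: value}."""
    params, in_global = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":      # blank or comment line
            continue
        if line.startswith("["):             # section header
            in_global = line.lower() == "[global]"
            continue
        if in_global and "=" in line:
            key, _, value = line.partition("=")
            params[_norm(key)] = value.strip()
    return params

def check_dc_idmap(text):
    """Report the idmap settings that matter on a DC and the findings to flag."""
    p = parse_global(text)
    is_dc = p.get("serverrole", "").lower() == "active directory domain controller"
    backend_keys = [k for k in p if k.startswith("idmapconfig")]
    rfc2307 = p.get("idmap_ldb:userfc2307", "no").lower() in ("yes", "true", "1")
    findings = []
    if is_dc and backend_keys:  # wiki: an idmap backend on a DC is unsupported
        findings.append("idmap backend configured on a DC (unsupported, can break samba)")
    if is_dc and not rfc2307:   # needed to honour uidNumber/gidNumber; absent on joined DCs
        findings.append("idmap_ldb:use rfc2307 = yes missing; AD uidNumber/gidNumber ignored")
    return {
        "is_dc": is_dc, "idmap_backend_lines": len(backend_keys),
        "rfc2307_enabled": rfc2307, "findings": findings,
        # on a DC, shell and home dir come only from the template lines (Samba defaults shown)
        "template_shell": p.get("templateshell", "/bin/false"),
        "template_homedir": p.get("templatehomedir", "/home/%D/%U"),
    }
```

Run it against each DC's smb.conf after a join to catch the missing rfc2307 line before UIDs start to diverge between the DCs and your other Unix hosts.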
Okay, so in conclusion of this thread:

- Using Realmd (even with winbind) on a Samba DC is a bad idea.
- I've updated my first blog post to specify realm in all-caps.
- I've updated my second blog post to include SSH + Kerberos.
- Using "idmap_ldb:use rfc2307 = yes" on all of my Samba DCs is okay.
- Only winbind template mode is currently supported on Samba DCs.

The additional UPN suffixes conversation continues in the other thread,
with subject "Joining a DC, was (no subject)".

Thanks for the input, everyone! When I write more blog posts, I'll post
them here for feedback.

Cheers,
Jonathon

On Sun, Mar 3, 2019 at 2:36 PM Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> On Sun, 3 Mar 2019 13:41:05 -0500
> Jonathon Reinhart <jonathon.reinhart at gmail.com> wrote:
>
> > On Sun, Mar 3, 2019 at 5:14 AM Rowland Penny via samba
> > <samba at lists.samba.org> wrote:
> > [snip]
> > > > Correct me if I'm wrong, but winbind (on a Samba DC) can **only**
> > > > use "template homedir" and "template shell", and will not respect
> > > > the RFC 2307 attributes in LDAP. Is that correct?
> > >
> > > Yes and no ;-)
> > >
> > > If you use the 'rid' backend, you must use the template lines. If
> > > you use the 'ad' backend, then the RFC2307 attributes in AD will be
> > > used.
> >
> > I'm asking about Winbindd on the DC itself, where, as I understand it,
> > there is no choice of idmap backend. The Samba Wiki [1] says:
>
> I must go to to specsavers :-(
>
> Yes, totally correct, you have to use the 'template' lines
>
> > > > ... setting up an ID mapping back end, such as ad (RFC2307) or rid,
> > > > in the smb.conf file is not supported an [sic] can cause the samba
> > > > service to fail.
> > > > On a Samba Active Directory DC, Winbindd always reads the user IDs
> > > > (UID) and group IDs (GID) from the values set in the uidNumber and
> > > > gidNumber attributes set in the AD objects.