Thanks again for the continued help...

Current thinking is using rid for the backend does not place any new administrative functions on the staff - agree?

Begs questions of what is being written in smbpasswd, and do we have administrative work on AIX? Such as adding users and a group or two in the range specified for idmap? A mapping "table"?

If rid is hands-off administration, that's likely the way they want to go.

Going with rid - security is still ads?

Thanks again!
Bob Wyatt

-----Original Message-----
From: Rowland penny <rpenny at samba.org>
Sent: Wednesday, February 5, 2020 4:11 PM
To: sambalist <samba at lists.samba.org>
Subject: Re: [Samba] Samba 4.10.6-1 Configuration on AIX

On 05/02/2020 20:00, Bob Wyatt wrote:
> Thanks to you and Louis for your guidance.
> I really apologize for my lack of knowledge of AD and Samba; and I appreciate your patience and willingness to help.
> And I apologize for not trimming the reply - don't know how much to retain...
>
> The referenced document seems to be leveraging domain services that we're not using.
> We are only using AD user authentication to access shares on AIX.
> No single sign-on, no user administration/manipulation anywhere, no printer sharing.
>
> Kerberos shouldn't be required, which one might think also means the imap settings shouldn't be required.

Perhaps you should tell Microsoft that ;-)

> Although they may eventually embrace NTP, it is not configured today; without Kerberos, it isn't required.
> We're not wanting to save any user credentials necessary in AIX to acquire access to the shares in AIX.

No, sorry, but your client needs to have the same time as the DC (+/- 5 mins), so if you haven't installed an NTP client, I suggest you do.

>
> Testing DNS, everything is good until the "set type=SRV" _ldap_... test; it fails.
> Kerberos is not installed on AIX.

Then install the AIX versions of the kerberos client packages, but do not install a kerberos server (kdc), that is on your DC.

>
> The server name (hostname) was changed from the old FQDN to the new FQDN, and the /etc/hosts file was updated.
> The security was changed from domain to ADS.
>
> Testparm still reports the imap errors (see below).

That is because you still haven't got the correct 'idmap config' lines.

Do you have, or want to have, rfc2307 attributes in AD? If so, read this:

https://wiki.samba.org/index.php/Idmap_config_ad

If you haven't any rfc2307 attributes and do not want to add them, see here:

https://wiki.samba.org/index.php/Idmap_config_rid
On 07/02/2020 02:27, Bob Wyatt wrote:
> Thanks again for the continued help...
>
> Current thinking is using rid for the backend does not place any new administrative functions on the staff - agree?

If by this, you mean that you do not have to add anything to AD, then yes.

You may have to add a couple of template lines to your smb.conf, the defaults are:

template homedir = /home/%D/%U
template shell = /bin/false

With the above, your users will not be able to log in to the Unix computer and will get a Unix home directory of /home/DOMAIN/username

> Begs questions of what is being written in smbpasswd, and do we have administrative work on AIX?
> Such as adding users and a group or two in the range specified for idmap? A mapping "table"?

You do not use smbpasswd and you need something else in smb.conf:

username map = /etc/samba/user.map

With '/etc/samba/user.map' containing '!root = DOMAIN\Administrator'

After this, using the 'rid' backend, all users and groups in AD become Unix users and groups.

Basically it boils down to, forget most of what you know about Samba3 domains ;-)

> If rid is hands-off administration, that's likely the way they want to go.
>
> Going with rid - security is still ads?

Yes, it is just a different winbind backend.

Rowland
On 07/02/2020 16:26, Bob Wyatt wrote:
> Rowland,
>
> Thanks for everything!
>
> If I understand correctly, let's say that the user mydomain\bobw is the domain login.
> Let's say that bobw is my UNIX login ID.

If 'bobw' is in /etc/passwd and there is also a user in AD with the samaccountname 'bobw', then delete the one in /etc/passwd. You cannot have the same username in /etc/passwd and AD.

If you add 'winbind use default domain = yes' to your smb.conf, then 'mydomain\bobw' will become just 'bobw'.

For example, my record is in AD:

getent passwd rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

> I can't use bobw in my usermap file?
> '!bobw=mydomain\bobw'
> So I need to change my shares to a new ID and set that in my usermap file?
> '!bobw_smb=mydomain\bobw'

You do not use usermaps any more, except for Administrator and yes, you may have to chown file ownership.

There is a way around this though, but only if you have access to a domain DC, you give your users a uidNumber attribute and Domain Users a gidNumber attribute and then use the winbind 'ad' backend instead of 'rid'. You could use the IDs your users already have, if you want to go down this path, we can discuss this further.

>
> I don't need to add bobw_smb to /etc/passwd?

Definitely not, as you have seen, Unix knows who I am, but 'cat /etc/passwd | grep rowland' returns nothing

> Or do I need to add the user and need to set idmap user range to a range to be used for samba users?

Changing the idmap range would only be of use if the winbind 'ad' backend is used, the 'rid' backend calculates the ID from the user or groups RID.

>
> Anything else I may be missing?

Possibly, but I do not do mind reading ;-)

Rowland
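The two replies above describe the pieces of a 'rid' setup (the 'idmap config' lines, the template lines, 'winbind use default domain') and state that the rid backend calculates each Unix ID from the account's RID rather than from anything stored in AD or /etc/passwd. The following is an added example, not code from the thread or from Samba, that parses a constructed smb.conf fragment and derives IDs the way idmap_rid(8) documents (ID = RID - base_rid + low end of range). The domain name SAMDOM, the realm, the ranges and the SIDs are assumptions; the well-known RIDs 500 (Administrator) and 513 (Domain Users) are real. It also shows why changing the range on one host matters: every ID shifts, so hosts that share files must use identical settings.

```python
import re

# Constructed smb.conf fragment: SAMDOM, the realm and the ranges are
# assumptions for this example, not values taken from the thread.
SMB_CONF = """\
[global]
   workgroup = SAMDOM
   realm = SAMDOM.EXAMPLE.COM
   security = ads
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = rid
   idmap config SAMDOM : range = 10000-999999
   winbind use default domain = yes
   template homedir = /home/%D/%U
   template shell = /bin/false
   username map = /etc/samba/user.map
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$",
                      re.IGNORECASE)
# Domain SIDs look like S-1-5-21-<three sub-authorities>-<RID>.
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def parse_idmap_config(conf):
    """Collect the 'idmap config DOMAIN : key = value' lines, keyed by domain."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(dom, {"base_rid": 0})  # base_rid defaults to 0
        if key == "range":
            low, high = (int(x) for x in val.split("-", 1))
            entry["range"] = (low, high)
        elif key == "base_rid":
            entry["base_rid"] = int(val)
        else:
            entry[key] = val
    return domains


def rid_to_unix_id(domains, domain, sid):
    """Derive the Unix ID the rid backend would hand out for a SID.

    Formula from idmap_rid(8): ID = RID - base_rid + low end of the range.
    Raises ValueError when the result lies outside the range, which is the
    case in which winbind refuses to map the account at all.
    """
    cfg = domains.get(domain.upper())
    if cfg is None or cfg.get("backend") != "rid" or "range" not in cfg:
        raise ValueError(f"no usable 'rid' idmap config for domain {domain}")
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"{sid} is not a domain SID")
    rid = int(m.group(1))
    low, high = cfg["range"]
    unix_id = rid - cfg["base_rid"] + low
    if not low <= unix_id <= high:
        raise ValueError(f"RID {rid} maps to {unix_id}, outside range {low}-{high}")
    return unix_id


def ids_are_consistent(conf_a, conf_b, domain):
    """True when two hosts derive identical IDs for the domain (same range and
    base_rid). Hosts that share files need this, or ownership silently diverges."""
    a = parse_idmap_config(conf_a).get(domain.upper(), {})
    b = parse_idmap_config(conf_b).get(domain.upper(), {})
    return (a.get("range"), a.get("base_rid")) == (b.get("range"), b.get("base_rid"))


if __name__ == "__main__":
    domains = parse_idmap_config(SMB_CONF)
    # Constructed SIDs: well-known RIDs 500 and 513 plus an ordinary user RID.
    for label, sid in [("Administrator", "S-1-5-21-1111-2222-3333-500"),
                       ("Domain Users", "S-1-5-21-1111-2222-3333-513"),
                       ("bobw", "S-1-5-21-1111-2222-3333-1105")]:
        print(f"{label:14} -> {rid_to_unix_id(domains, 'SAMDOM', sid)}")
```

With the constructed range starting at 10000, Administrator becomes UID 10500 and Domain Users GID 10513; the same accounts on a host whose range starts at 20000 get 20500 and 20513, which is the practical reason the idmap range is not something to tune per server once files carry domain ownership.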
Rowland,

Thanks for everything!

If I understand correctly, let's say that the user mydomain\bobw is the domain login.
Let's say that bobw is my UNIX login ID.

I can't use bobw in my usermap file?
'!bobw=mydomain\bobw'
So I need to change my shares to a new ID and set that in my usermap file?
'!bobw_smb=mydomain\bobw'

I don't need to add bobw_smb to /etc/passwd?
Or do I need to add the user and need to set idmap user range to a range to be used for samba users?

Anything else I may be missing?

Thanks again for your patience!
Bob Wyatt

-----Original Message-----
From: Rowland penny <rpenny at samba.org>
Sent: Friday, February 7, 2020 3:26 AM
To: sambalist <samba at lists.samba.org>
Subject: Re: [Samba] Samba 4.10.6-1 Configuration on AIX
Rowland,

If you were up for another hint at rid versus ad... I'd like to understand a bit more.

With rid, I map the administrator to root only... no mapping of users in AIX. How does Samba figure out that bobw at mydomain.com should use the samba user ID bobwsmb?

If I use ad, I would use rfc2307 attributes to address that (I think). It seems more "specific" to use ad, but that's more from the "having some control" viewpoint than anything else.

Ideally, the customer would still strive for low administration, so is rid more suited for that approach than ad? What are the reasons to use or choose to avoid rid or ad?

As always, your sage advice is very much appreciated!

Regards,
Bob Wyatt

-----Original Message-----
From: Rowland penny <rpenny at samba.org>
Sent: Friday, February 7, 2020 12:45 PM
To: sambalist <samba at lists.samba.org>
Subject: Re: [Samba] Samba 4.10.6-1 Configuration on AIX