On Fri, 2021-10-29 at 20:18 +0200, Pablo Suarez via samba
wrote:> Hi,
>
> I'm asking help to understand idmap behaviour. First at all, let me
> explain what
> i'm trying to do.
>
> I'm working in a company with an Active directory (running on a
> Microsoft Windows
> 2012 R2 server) and an OpenLdap (running on a Ubuntu 20 server) for
> Linux
> users. Actually, users have the same account name (linux login >
sAMAccountName).
> The goal of my project is to setup a Samba server (running on Redhat
> 7.9)
> for both Windows and Linux users. Of course, I want Linux and Windows
> users
> to be able to authenticate using their AD credentials on Samba
> shares, and
> managing permission with an intelligent uid/SID mapping. The security
> share
> access will be done by checking the Linux group (OpenLdap)
> membership.
> Because OpenLdap groups are not present in the Active Directory. It's
> because I'm not adminstrator of the AD whereas I'm on OpenLdap
> server. The
> file system security part will be perform with ACL.
>
> After reading lot of documentation and different articles (I'm new to
> Samba), I'm not sure to understand it correctly. Here is what I did :
>
> - Setting up a working OpenLdap with samba schema for Linux users.
> - Setting up passthrough OpenLdap authentication with SASL against
> Active
> Directory. This part is working.
> - Setting up a Samba Server (version 4.10) as a AD domain member
> (security
> = ads), joining the AD domain (MYDOMAIN.DOMAIN.COM) with realm
> command, and
> using the ldap idmap backend with winbind.
>
> Here is what going on:
>
> - using "getent passwd linux_user" works well
> - using "getent passwd DOMAIN\\ad_user" works well
> - using "wbinfo -u" works well (all user are corectly listed)
> - using "wbinfo -g" works well (all groups are corectly listed)
> - ldap idmap backend does not populate my OpenLdap server correctly.
> In
> factt, it's writting dirrectly into the domain's root dn instead of
> the ou> Idmap
> - using "wbinfo -D DOMAIN -i ad_user" works partially, it
retrieves
> SID
> but after I get the following error :
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user ad_user
> - using "wbinfo -D DOMAIN -S AD_USER_SID" does not work, I get
the
> following error :
> failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert sid AD_USER_SID to uid
> - idmap with winbind doesn't seems to work properly, I though it was
> intend to act as a user mapping and assign the same uid for and AD
> user as
> and OpenLdap user. I start to think I didn't understood right the
> behaviour
> of user mapping.
> - From a Windows share, I can't access to a simple test share
> whereas the
> permission is set correctly on both smb.conf ("valid user"
option)
> and file
> system permission (chown DOMAIN\ad_user /path/share)
>
> You will find below my smb.conf file :
>
> [global]
> security = ads
> workgroup = MYDOMAIN
> realm = MYDOMAIN.DOMAIN.COM
> encrypt passwords = true
> interfaces = IP.ADD.RR.ESS
> bind interfaces only = Yes
> netbios name = SAMBA-NETBIOS-NAME
> load printers = no
>
> passdb backend = ldapsam:ldap://my-ldap.mydomain.domain.com
> ldap suffix = dc=unixdomain,dc=domain,dc=com
> ldap user suffix = ou=People
> ldap group suffix = ou=Group
> ldap machine suffix = ou=Hosts
> ldap admin dn = cn=admin,dc=unixdomain,dc=domain,dc=com
> ldap idmap suffix = "ou=Idmap"
> # or off if TLS/SSL is not configured
> #ldap ssl = start tls
> ldap ssl = off
> ldap passwd sync = yes
>
> Unix Charset = UTF8
>
> kerberos method = secrets and keytab
> template homedir = /home/%U
> template shell = /bin/bash
> username map = /etc/samba/users.map
> idmap config * : range = 5000000-6000000
> idmap config * : backend = tdb
> idmap config MYDOMAIN : range = 10000-4000000
> idmap config MYDOMAIN : backend = ldap
> idmap config MYDOMAIN : ldap_url = ldap://
> my-ldap.mydomain.domain.com
> idmap config MYDOMAIN : ldap_base_dn >
dc=unixdomain,dc=domain,dc=com
> idmap config MYDOMAIN : ldap_user_dn >
cn=admin,dc=unixdomain,dc=domain,dc=com
> idmap config MYDOMAIN : idmap suffix = "ou=Idmap"
> idmap config MYDOMAIN : default = yes
> winbind use default domain = yes
> winbind refresh tickets = yes
> winbind offline logon = yes
> winbind enum groups = no
> winbind expand groups = 1
> winbind enum users = no
> log level = 10
> log file = /var/log/samba/log.%m
>
> [test]
> comment = test
> path = /path/share
> valid users = DOMAIN\user
> browseable = Yes
> read only = No
> inherit permissions = Yes
> inherit acls = Yes
>
> [another_share]
> comment = another share
> browsable = Yes
> read only = No
> valid users = @unix_group
> path = /path/anothershare
> inherit permissions = Yes
> inherit acls = Yes
> force group = @unix_group
> force directory mode = 2771
> force create mode = 0771
>
> I'm a little confused about all the configuration, and I'm sure
I'm
> doing
> something wrong. I'm even thinking that what I want to do is not
> possible... Anyway, i'm losting my hair trying to get it working.
>
> Any help would be appreciated!
>
Before we get deep into this, what do you actually use the openldap
server for ?
Rowland