Hi,
I'm asking help to understand idmap behaviour. First at all, let me
explain what
i'm trying to do.
I'm working in a company with an Active directory (running on a
Microsoft Windows
2012 R2 server) and an OpenLdap (running on a Ubuntu 20 server) for Linux
users. Actually, users have the same account name (linux login sAMAccountName).
The goal of my project is to setup a Samba server (running on Redhat 7.9)
for both Windows and Linux users. Of course, I want Linux and Windows users
to be able to authenticate using their AD credentials on Samba shares, and
managing permission with an intelligent uid/SID mapping. The security share
access will be done by checking the Linux group (OpenLdap) membership.
Because OpenLdap groups are not present in the Active Directory. It's
because I'm not adminstrator of the AD whereas I'm on OpenLdap server.
The
file system security part will be perform with ACL.
After reading lot of documentation and different articles (I'm new to
Samba), I'm not sure to understand it correctly. Here is what I did :
- Setting up a working OpenLdap with samba schema for Linux users.
- Setting up passthrough OpenLdap authentication with SASL against Active
Directory. This part is working.
- Setting up a Samba Server (version 4.10) as a AD domain member (security
= ads), joining the AD domain (MYDOMAIN.DOMAIN.COM) with realm command, and
using the ldap idmap backend with winbind.
Here is what going on:
- using "getent passwd linux_user" works well
- using "getent passwd DOMAIN\\ad_user" works well
- using "wbinfo -u" works well (all user are corectly listed)
- using "wbinfo -g" works well (all groups are corectly listed)
- ldap idmap backend does not populate my OpenLdap server correctly. In
factt, it's writting dirrectly into the domain's root dn instead of the
ouIdmap
- using "wbinfo -D DOMAIN -i ad_user" works partially, it retrieves
SID
but after I get the following error :
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user ad_user
- using "wbinfo -D DOMAIN -S AD_USER_SID" does not work, I get the
following error :
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid AD_USER_SID to uid
- idmap with winbind doesn't seems to work properly, I though it was
intend to act as a user mapping and assign the same uid for and AD user as
and OpenLdap user. I start to think I didn't understood right the behaviour
of user mapping.
- From a Windows share, I can't access to a simple test share whereas the
permission is set correctly on both smb.conf ("valid user" option) and
file
system permission (chown DOMAIN\ad_user /path/share)
You will find below my smb.conf file :
[global]
security = ads
workgroup = MYDOMAIN
realm = MYDOMAIN.DOMAIN.COM
encrypt passwords = true
interfaces = IP.ADD.RR.ESS
bind interfaces only = Yes
netbios name = SAMBA-NETBIOS-NAME
load printers = no
passdb backend = ldapsam:ldap://my-ldap.mydomain.domain.com
ldap suffix = dc=unixdomain,dc=domain,dc=com
ldap user suffix = ou=People
ldap group suffix = ou=Group
ldap machine suffix = ou=Hosts
ldap admin dn = cn=admin,dc=unixdomain,dc=domain,dc=com
ldap idmap suffix = "ou=Idmap"
# or off if TLS/SSL is not configured
#ldap ssl = start tls
ldap ssl = off
ldap passwd sync = yes
Unix Charset = UTF8
kerberos method = secrets and keytab
template homedir = /home/%U
template shell = /bin/bash
username map = /etc/samba/users.map
idmap config * : range = 5000000-6000000
idmap config * : backend = tdb
idmap config MYDOMAIN : range = 10000-4000000
idmap config MYDOMAIN : backend = ldap
idmap config MYDOMAIN : ldap_url = ldap://
my-ldap.mydomain.domain.com
idmap config MYDOMAIN : ldap_base_dn dc=unixdomain,dc=domain,dc=com
idmap config MYDOMAIN : ldap_user_dn
cn=admin,dc=unixdomain,dc=domain,dc=com
idmap config MYDOMAIN : idmap suffix = "ou=Idmap"
idmap config MYDOMAIN : default = yes
winbind use default domain = yes
winbind refresh tickets = yes
winbind offline logon = yes
winbind enum groups = no
winbind expand groups = 1
winbind enum users = no
log level = 10
log file = /var/log/samba/log.%m
[test]
comment = test
path = /path/share
valid users = DOMAIN\user
browseable = Yes
read only = No
inherit permissions = Yes
inherit acls = Yes
[another_share]
comment = another share
browsable = Yes
read only = No
valid users = @unix_group
path = /path/anothershare
inherit permissions = Yes
inherit acls = Yes
force group = @unix_group
force directory mode = 2771
force create mode = 0771
I'm a little confused about all the configuration, and I'm sure I'm
doing
something wrong. I'm even thinking that what I want to do is not
possible... Anyway, i'm losting my hair trying to get it working.
Any help would be appreciated!
Best regards.
On Fri, 2021-10-29 at 20:18 +0200, Pablo Suarez via samba wrote:> Hi, > > I'm asking help to understand idmap behaviour. First at all, let me > explain what > i'm trying to do. > > I'm working in a company with an Active directory (running on a > Microsoft Windows > 2012 R2 server) and an OpenLdap (running on a Ubuntu 20 server) for > Linux > users. Actually, users have the same account name (linux login > sAMAccountName). > The goal of my project is to setup a Samba server (running on Redhat > 7.9) > for both Windows and Linux users. Of course, I want Linux and Windows > users > to be able to authenticate using their AD credentials on Samba > shares, and > managing permission with an intelligent uid/SID mapping. The security > share > access will be done by checking the Linux group (OpenLdap) > membership. > Because OpenLdap groups are not present in the Active Directory. It's > because I'm not adminstrator of the AD whereas I'm on OpenLdap > server. The > file system security part will be perform with ACL. > > After reading lot of documentation and different articles (I'm new to > Samba), I'm not sure to understand it correctly. Here is what I did : > > - Setting up a working OpenLdap with samba schema for Linux users. > - Setting up passthrough OpenLdap authentication with SASL against > Active > Directory. This part is working. > - Setting up a Samba Server (version 4.10) as a AD domain member > (security > = ads), joining the AD domain (MYDOMAIN.DOMAIN.COM) with realm > command, and > using the ldap idmap backend with winbind. > > Here is what going on: > > - using "getent passwd linux_user" works well > - using "getent passwd DOMAIN\\ad_user" works well > - using "wbinfo -u" works well (all user are corectly listed) > - using "wbinfo -g" works well (all groups are corectly listed) > - ldap idmap backend does not populate my OpenLdap server correctly. > In > factt, it's writting dirrectly into the domain's root dn instead of > the ou> Idmap > - using "wbinfo -D DOMAIN -i ad_user" works partially, it retrieves > SID > but after I get the following error : > failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND > Could not get info for user ad_user > - using "wbinfo -D DOMAIN -S AD_USER_SID" does not work, I get the > following error : > failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND > Could not convert sid AD_USER_SID to uid > - idmap with winbind doesn't seems to work properly, I though it was > intend to act as a user mapping and assign the same uid for and AD > user as > and OpenLdap user. I start to think I didn't understood right the > behaviour > of user mapping. > - From a Windows share, I can't access to a simple test share > whereas the > permission is set correctly on both smb.conf ("valid user" option) > and file > system permission (chown DOMAIN\ad_user /path/share) > > You will find below my smb.conf file : > > [global] > security = ads > workgroup = MYDOMAIN > realm = MYDOMAIN.DOMAIN.COM > encrypt passwords = true > interfaces = IP.ADD.RR.ESS > bind interfaces only = Yes > netbios name = SAMBA-NETBIOS-NAME > load printers = no > > passdb backend = ldapsam:ldap://my-ldap.mydomain.domain.com > ldap suffix = dc=unixdomain,dc=domain,dc=com > ldap user suffix = ou=People > ldap group suffix = ou=Group > ldap machine suffix = ou=Hosts > ldap admin dn = cn=admin,dc=unixdomain,dc=domain,dc=com > ldap idmap suffix = "ou=Idmap" > # or off if TLS/SSL is not configured > #ldap ssl = start tls > ldap ssl = off > ldap passwd sync = yes > > Unix Charset = UTF8 > > kerberos method = secrets and keytab > template homedir = /home/%U > template shell = /bin/bash > username map = /etc/samba/users.map > idmap config * : range = 5000000-6000000 > idmap config * : backend = tdb > idmap config MYDOMAIN : range = 10000-4000000 > idmap config MYDOMAIN : backend = ldap > idmap config MYDOMAIN : ldap_url = ldap:// > my-ldap.mydomain.domain.com > idmap config MYDOMAIN : ldap_base_dn > dc=unixdomain,dc=domain,dc=com > idmap config MYDOMAIN : ldap_user_dn > cn=admin,dc=unixdomain,dc=domain,dc=com > idmap config MYDOMAIN : idmap suffix = "ou=Idmap" > idmap config MYDOMAIN : default = yes > winbind use default domain = yes > winbind refresh tickets = yes > winbind offline logon = yes > winbind enum groups = no > winbind expand groups = 1 > winbind enum users = no > log level = 10 > log file = /var/log/samba/log.%m > > [test] > comment = test > path = /path/share > valid users = DOMAIN\user > browseable = Yes > read only = No > inherit permissions = Yes > inherit acls = Yes > > [another_share] > comment = another share > browsable = Yes > read only = No > valid users = @unix_group > path = /path/anothershare > inherit permissions = Yes > inherit acls = Yes > force group = @unix_group > force directory mode = 2771 > force create mode = 0771 > > I'm a little confused about all the configuration, and I'm sure I'm > doing > something wrong. I'm even thinking that what I want to do is not > possible... Anyway, i'm losting my hair trying to get it working. > > Any help would be appreciated! >Before we get deep into this, what do you actually use the openldap server for ? Rowland