On Sat, 22 Jul 2023 20:58:01 Rowland Penny via samba <samba at lists.samba.org> wrote:
> On 22/07/2023 18:52, Mark Foley via samba wrote:
> > I am installing a new Linux Domain Member on an Active Directory domain that is
> > otherwise 100% Windows, including a Windows AD/DC. Previously, I've added a
> > Linux domain member to a domain with a Samba AD/DC and I had all the needful
> > information available.
>
> It doesn't matter what the DCs are, Windows or Samba, the setup is the same.
>
> > I'm using the wiki https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Introduction
> > for reference.
> >
> > In this case, what idmap backend should I use? ad, rid, autorid?
>
> Which idmap backend you use is entirely up to you, they all have their
> places:
>
> If you use the 'ad' idmap backend you will need to have (or add)
> uidNumber and gidNumber attributes in AD.
I am not the admin for the Windows AD/DC, so I don't know which [uid|gid]Numbers
are set in the AD. The actual admin is sort of a paint-by-numbers guy and I'm
doubtful he knows anything about uid/gid, but I can ask.
> If you use the 'rid' idmap backend then the Unix IDs are calculated
> from the AD object's RID. You will have to add a set of 'idmap config
> lines' for every DOMAIN
I'm not seeing the actual difference between 'ad' and 'rid' based on this
comment. The 'ad' backend in my example also has a set of 'idmap config lines'.
How would rid differ?
The wiki on 'rid' says,
"ID mapping back ends are not supported in the smb.conf file on a Samba Active
Directory (AD) domain controller (DC). Do not add any idmap config lines to a
Samba Active Directory (AD) domain controller (DC) smb.conf"
This isn't an AD/DC, but does this apply to the domain member as well? If I use
this backend does that mean I don't need to specify gid/uid ranges in the
smb.conf. The wiki further says:
o All domain user accounts and groups are automatically available on the
domain member.
o No attributes need to be set for domain users and groups.
o If you use the same basic smb.conf file on all Samba domain members, then
user and group IDs will always be the same.
Maybe I don't need to worry about ranges?
> The 'autorid' idmap backend works in a similar way to the 'rid' idmap
> backend, but is meant for multiple domains and you will only require one
> set of 'idmap config' lines.
Only one domain in this setup.
> > My domain member on my existing Samba domain has smb.conf settings:
> >
> > idmap config *:backend = tdb
> > idmap config *:range = 2000-9999
> > idmap config HPRS:backend = ad
> > idmap config HPRS:schema_mode = rfc2307
> > idmap config HPRS:range = 10000-10099
>
> That setup will require that your users have uidNumber attributes and
> your groups will have gidNumber attributes in AD. All of these
> attributes will have to contain numbers inside the 10000-10099 range
> (which to be honest is a bit small and only allows for 99 users).
This example was taken from an actual system with no possibility of ever having
99 users.
Is there a way for me to determine the uid/gid range configured in this system?
'getent passwd username' returns nothing (although 'getent hosts members' does).
wbinfo gives:
# wbinfo -u
could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
Error looking up domain users
So that needs winbindd to be running, but I'm not at that step in the
instructions.
> > winbind enum groups = Yes
> > winbind enum users = Yes
>
> If you only have 99 users, then the 'winbind enum' lines should be okay,
> but they are not required and on larger domains, they will slow things down.
Noted. I can get rid of that if it's not useful. BTW this target system has
less than a dozen users.
> > winbind nss info = rfc2307
>
> If you use the 'ad' idmap backend, then 'winbind nss info' is now part
> of the 'idmap config' lines and isn't used with any other idmap backend
So, get rid of that in any case.
> > winbind offline logon = Yes
> > winbind refresh tickets = Yes
> > winbind use default domain = Yes
>
> 'winbind use default domain' cannot be used with the 'autorid' idmap
> backend.
It doesn't look like 'autorid' will be the winner on backend, so I'll likely
retain these lines, right?
> > These settings were monkey-typed from a smb.conf example by kjhambrick, many,
> > many moons ago. I really don't know why I have two backends specific (tdb and
> > ad) or why there are two different ranges (2000-9999 and 10000-10099 - although
> > I see the wiki also has a range for * and for domain). Do I need all these in
> > the Windows AD config?
> >
> > I don't see backend tdb listed in the wiki. Is that obsolete? It does list other
> > backends: ldap and nss.
>
> The 'tdb' idmap backend is an allocating backend and is only used for
> the default '*' domain (unless you use the 'autorid' idmap backend, when
> it isn't required at all). The default domain is meant for the Well
> Known SIDs and anything outside the DOMAIN.
So, keep that, right?
> > How would I find the range on this domain?
>
> You don't, you choose and set it :-)
>
> Anything you don't understand, please ask.
>
> Rowland
Yeah, related to the last question on how to "find the range on this domain." I
can't just make something up, can I? I need to know how the actual domain admin
set up the range. If there's no way to query this then I suppose I have to ask
him, which might be a problem.
Can I just make something up and successfully join the domain, then do 'getent
passwd' to see what my known gid/uid is? I could try the default ranges, for
example my new smb.conf might look like:
idmap config *:backend = tdb
idmap config *:range = 10000000-299999999
idmap config HPRS:backend = ad
idmap config HPRS:schema_mode = rfc2307
idmap config HPRS:range = 10000-20000
winbind enum groups = Yes
winbind enum users = Yes
# winbind nss info = rfc2307
winbind offline logon = Yes
winbind refresh tickets = Yes
winbind use default domain = Yes
-----OR------
# idmap config *:backend = tdb (do I need these?) rid wiki: "... this back end cannot be set as idmap config * default ID mapping back end."
# idmap config *:range = 10000000-299999999
# rid wiki: "You must add idmap config lines for all trusted domains."
# would that be the following two lines?
idmap config HPRS:backend = rid
idmap config HPRS:schema_mode = rfc2307
# idmap config HPRS:range = 10000-20000
# probably get rid of these?
# winbind enum groups = Yes
# winbind enum users = Yes
winbind nss info = rfc2307
winbind offline logon = Yes
winbind refresh tickets = Yes
winbind use default domain = Yes
Am I close on the 'ad' or 'rid' examples? Am I assuming correctly that ranges
aren't needed for 'rid'?
Thanks --Mark
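The two candidate smb.conf fragments above, run through a small static checker. This is an added example and not code from the Samba project or from either poster. It encodes the rules Rowland states in this thread (an allocating backend such as tdb for the '*' default domain unless autorid is used; 'winbind use default domain' cannot be combined with autorid; 'winbind nss info' and schema_mode belong to the ad backend only) plus Samba's requirement that every idmap domain, '*' included, has both a backend and a range, and that ranges must not overlap. The fragments AD_CANDIDATE and RID_AS_POSTED are Mark's two candidates copied from the message; RID_CORRECTED and AUTORID_CLASH are my own constructed inputs, and the 3000-7999 and 10000-999999 ranges in them are assumed values, not anything from the thread or the wiki. The checker cannot tell whether the AD objects actually carry uidNumber/gidNumber attributes inside the ad range; that is still the question for the DC admin.

```python
"""Static checks for winbind idmap settings in an smb.conf fragment.
Added example (not Samba project code). Rules follow Rowland's reply plus
Samba's requirement of a backend and a range for every idmap domain."""
import re

IDMAP_RE = re.compile(r"^idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+)$", re.I)


def parse_smb_conf(text):
    """Return ({domain: {option: value}}, {parameter: value}).
    A line whose first non-blank character is '#' or ';' is a comment."""
    idmap, params = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            idmap.setdefault(dom, {})[opt] = val.strip().lower()
        elif "=" in line:
            key, val = line.split("=", 1)
            params[" ".join(key.lower().split())] = val.strip().lower()
    return idmap, params


def parse_range(value):
    """'low-high' -> (low, high); None when absent, malformed or inverted."""
    m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value.strip())
    if m and int(m.group(1)) <= int(m.group(2)):
        return int(m.group(1)), int(m.group(2))
    return None


def check_idmap(text):
    """Return a list of (severity, message) findings; [] means clean."""
    idmap, params = parse_smb_conf(text)
    out, ranges = [], []
    backends = {d: c.get("backend") for d, c in idmap.items()}
    uses_autorid = "autorid" in backends.values()
    uses_ad = "ad" in backends.values()
    if "*" not in idmap and not uses_autorid:
        out.append(("error", "no 'idmap config *' lines: the default domain handles "
                             "well-known SIDs and anything outside the joined domain"))
    for dom, conf in idmap.items():
        backend = conf.get("backend")
        if backend is None:
            out.append(("error", f"{dom}: no backend configured"))
        elif dom == "*" and backend in ("ad", "rid"):
            out.append(("error", f"*: '{backend}' cannot be the default backend; "
                                 "use tdb (or autorid for the whole setup)"))
        rng = parse_range(conf.get("range", ""))
        if rng is None:
            out.append(("error", f"{dom}: missing or malformed range "
                                 "(every backend needs one, rid included)"))
        else:
            ranges.append((dom, rng))
        if "schema_mode" in conf and backend != "ad":
            out.append(("warning", f"{dom}: schema_mode only applies to the ad backend"))
    for i, (d1, (lo1, hi1)) in enumerate(ranges):  # pairwise overlap check
        for d2, (lo2, hi2) in ranges[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                out.append(("error", f"ranges of {d1} and {d2} overlap"))
    if "winbind nss info" in params and not uses_ad:
        out.append(("warning", "'winbind nss info' only applies with the ad backend, "
                               "where it is set per domain in the idmap config lines"))
    if uses_autorid and params.get("winbind use default domain") in ("yes", "true", "1"):
        out.append(("error", "'winbind use default domain' cannot be used with autorid"))
    return out


# Mark's first candidate, copied from the message.
AD_CANDIDATE = """
idmap config *:backend = tdb
idmap config *:range = 10000000-299999999
idmap config HPRS:backend = ad
idmap config HPRS:schema_mode = rfc2307
idmap config HPRS:range = 10000-20000
winbind enum groups = Yes
winbind enum users = Yes
# winbind nss info = rfc2307
winbind offline logon = Yes
winbind refresh tickets = Yes
winbind use default domain = Yes
"""
# Mark's second candidate, copied with his comments.
RID_AS_POSTED = """
# idmap config *:backend = tdb
# idmap config *:range = 10000000-299999999
idmap config HPRS:backend = rid
idmap config HPRS:schema_mode = rfc2307
# idmap config HPRS:range = 10000-20000
winbind nss info = rfc2307
winbind offline logon = Yes
winbind refresh tickets = Yes
winbind use default domain = Yes
"""
# Constructed: rid variant with the issues above fixed (ranges are assumed values).
RID_CORRECTED = """
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config HPRS : backend = rid
idmap config HPRS : range = 10000-999999
winbind use default domain = Yes
"""
# Constructed: the autorid combination Rowland rules out.
AUTORID_CLASH = """
idmap config * : backend = autorid
idmap config * : range = 10000-999999
winbind use default domain = Yes
"""

if __name__ == "__main__":
    for name in ("AD_CANDIDATE", "RID_AS_POSTED", "RID_CORRECTED", "AUTORID_CLASH"):
        print(f"== {name}")
        for sev, msg in check_idmap(globals()[name]) or [("ok", "no findings")]:
            print(f"  {sev}: {msg}")
```

Running it flags RID_AS_POSTED for the commented-out '*' lines and the missing HPRS range (errors), and for schema_mode and 'winbind nss info' with a non-ad backend (warnings); AD_CANDIDATE and RID_CORRECTED come back clean, and AUTORID_CLASH reports only the 'winbind use default domain' conflict. It is a syntax-level check to run before `testparm` and the join, not a substitute for confirming with the DC admin which uidNumber/gidNumber values, if any, exist in the domain.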