Re: [Samba] [samba] file server, AD client, no rfc2307
2017-07-26 23:12 GMT+02:00 Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>:

> On Wed, 26 Jul 2017 22:42:48 +0200
> mathias dufresne via samba <samba@xxxxxxxxxxxxxxx> wrote:
>
> > Hi all,
> >
> > Am I right in writing that winbindd needs to have RFC2307 set up in AD to
> > work correctly when we want to use uidNumber, gidNumber & Co from AD?
> >
> > When I write "RFC2307 set up in AD" I mean what is described there:
> > https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD#Enabling_RFC2307_in_an_Existing_Active_Directory
> >
> > I think that's the case, at least before 4.6.x, as my tests of the last
> > days tend to show that... but I can easily have misinterpreted things.
> >
> > I ask because I'm working for a client who doesn't want to modify
> > its AD schema (as described in the link above). Fortunately, thanks
> > again to Rowland who told me this, RFC2307 attributes are already
> > present in the AD schema and so we can define uidNumber and other
> > things with a standard AD (without --with-rfc2307).
> >
> > So after making lots of tests with winbind, and after I tried to convince
> > my client to change its AD schema, I finally set up SSSD as AD client, and
> > tomorrow I'll try to find out how to make Samba (file server and AD member)
> > work well with SSSD.
> >
> > So if I'm wrong in thinking winbindd needs the AD schema modification to
> > generate UNIX users with uid and gid taken from uidNumber and
> > gidNumber, I would really appreciate knowing it, and how to set it up.
> >
> > Hoping I was clear enough in my issue's description, I wish you well,
> >
> > mathias
>
> I am fairly sure that you only need to add what you are calling the
> 'schema modification' if you want to use the 'Unix Attributes' tab in
> ADUC.
>

You're right. The 'Unix Attributes' tab in ADUC needs what I called 'schema
modification'. Without that change the 'NIS Domain' dropdown menu proposes
only "<none>" as an option, no NIS domain, which is coherent.


>
> The RFC2307 attributes are part of the standard AD schema, so as you
> are setting up a Unix domain member, winbind on one of these should
> work without doing the schema modification.
>

Yes, they're there; we can set them using ldapmodify or using the ADSI console
from RSAT.
But I was never able to make winbindd work without the 'schema
modification'.


>
> Anything sssd can do on a Unix domain member, winbind can do.
>

Here, please understand I don't mean to say one is better than the other, but
I was able to make sssd work without the schema modification. In addition,
sssd offers a way to choose which AD attribute will be used to fill each
part of the UNIX user (e.g. ldap_user_uid_number = sAMAccountName; these
options come from the sssd-ldap man page but are usable with the sssd-ad module).

This is useful for stubborn clients like mine who do not want to modify their
AD...


>
> I am fairly sure that your 'schema modification' is the same as adding
> IDMU to a Windows DC, and winbind works with a Windows DC that
> doesn't have IDMU installed.
>

I'm fairly sure too that they are the same (IDMU and what I called 'schema
modification'), and I believe you when you say winbind can deal with RFC2307
attributes without IDMU/schema mod. I simply wasn't able to make it work.
What can I say? I will try again : )

Best regards,

mathias



>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
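As an added illustration of the two approaches discussed in this thread (this is not configuration posted by either participant), the fragments below show a winbind and an sssd domain member both taking uid and gid from the uidNumber/gidNumber attributes that are already part of the stock AD schema, so no IDMU/schema extension is involved. The domain name SAMDOM / samdom.example.com, the id ranges and the file paths are placeholders to be replaced with your own values.

```ini
# --- /etc/samba/smb.conf on a Unix domain member (added example, placeholder domain) ---
[global]
   workgroup = SAMDOM
   realm = SAMDOM.EXAMPLE.COM
   security = ADS

   # Default idmap backend for BUILTIN and any domain not listed below.
   # Its range must not overlap the range of the AD-backed domain.
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   # Read uidNumber/gidNumber straight from AD. These attributes exist in
   # the standard AD schema; the IDMU/"schema modification" is only needed
   # for the ADUC 'Unix Attributes' tab, not for winbind to read them.
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : schema_mode = rfc2307
   idmap config SAMDOM : range = 10000-999999
   # Also take loginShell/unixHomeDirectory from AD (needs Samba 4.6 or later).
   idmap config SAMDOM : unix_nss_info = yes

   winbind use default domain = yes

# --- /etc/sssd/sssd.conf equivalent (added example, placeholder domain) ---
[sssd]
services = nss, pam
domains = samdom.example.com

[domain/samdom.example.com]
id_provider = ad
access_provider = ad
# False: use the POSIX attributes stored in AD instead of deriving
# ids from the object SID, which is sssd's default behaviour.
ldap_id_mapping = False
# These options map each POSIX field to an AD attribute. uidNumber and
# gidNumber are the defaults; they can be pointed at another attribute,
# which is the flexibility mentioned in the thread.
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
```

Verify the result on the member with `getent passwd someuser` (and `wbinfo -i someuser` for the winbind case): the uid shown must be the value stored in AD and must fall inside the configured range. A user or group with no uidNumber/gidNumber, or with a value outside the range, is not mapped at all, so file ownership and ACLs for that account will not resolve on the file server. Keep the ranges identical on every domain member, otherwise the same file can appear to have different owners on different hosts.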