
Re: [Samba] RFC2307 on AD DC

On 08/08/2018 11:15, Rowland Penny via samba wrote:
On Wed, 8 Aug 2018 10:18:51 -0300
Marcio Vogel Merlone dos Santos via samba <samba@xxxxxxxxxxxxxxx> wrote:

I am deploying a new AD DC for our network using Ubuntu 18.04 and
BIND_DLZ. All is fine but the RFC2307 attributes on the DC. What's the
recommended/correct way to use RFC2307 attributes on a DC? At the wiki
(1) it says:

For example, setting up an ID mapping back end, such as 'ad' (RFC2307)
or 'rid', in the smb.conf file is not supported and can cause the samba
service to fail.
Indeed, I have set a smb.conf with idmap settings below and it stops
working after some time, with user/password errors:

      [global]
      dns forwarder =
      netbios name = ARAUCARIA
      realm = AD.A1.IND.BR
      server role = active directory domain controller
      workgroup = A1
      server services = -dns

      log file = /var/log/samba/%m.log
      log level = 1

      winbind use default domain = yes
      winbind enum users  = yes
      winbind enum groups = yes

      idmap config * : backend = tdb
      idmap config * : range = 500-599

      idmap config A1 :backend = ad
      idmap config A1 :schema_mode = rfc2307
      idmap config A1 :range = 601-65300
      idmap config A1 :unix_nss_info = yes
      idmap config A1 :unix_primary_group = yes

      [netlogon]
      path = /var/lib/samba/sysvol/ad.a1.ind.br/scripts
      read only = No

      [sysvol]
      path = /var/lib/samba/sysvol
      read only = No

I don't want to set a winbind template, I do have rfc2307 information
for our users and would like to use them on the DC but could not get it
working, can someone point me in the right direction? Is winbind the
way to go, or should I look to SSSD or LikeWise?


Thanks and best regards.

You really didn't understand the wiki, did you ;-)
I guess I did, sort of, but I like to test and push limits. I had to see for myself what happens.

OK, let's see if I can explain it better:
On a DC, by default idmap mapping is done in idmap.ldb and this uses
'xidNumber' attributes, which start at '3000000'.
I don't like defaults and templates. But who cares?

The 'ad' winbind backend uses rfc2307 attributes and is only usable on
Unix domain members.

The 'rid' winbind backend calculates the user or group ID from the AD
object's RID and again is only usable on a Unix domain member.

The only way to have the same ID number everywhere is to use the 'ad'
backend, but there is a gotcha: on a DC only the uidNumber & gidNumber
attributes from AD are used, you have to set the user shell & home
directory with 'template' lines in smb.conf.
That's the point. Is there any way to get [gu]idNumber, homeDir and shell from AD on the DC? This is probably a silly requirement for my setup, but I'd like to use my AD user also to SSH on the server - among many other systems.

All of this is part of the reason why Samba doesn't recommend using a
DC as a fileserver.

Let's now look at what I would remove from your smb.conf:

      dns forwarder =
      # remove this because you are using bind9 and that is where the
      # forwarder should be set
samba-tool did it, thanks for the info.

      winbind use default domain = yes
      # doesn't work on a DC
      winbind enum users  = yes
      winbind enum groups = yes
      # just slows things down and isn't needed.

      idmap config * : backend = tdb
      idmap config * : range = 500-599
      idmap config A1 :backend = ad
      idmap config A1 :schema_mode = rfc2307
      idmap config A1 :range = 601-65300
      idmap config A1 :unix_nss_info = yes
      idmap config A1 :unix_primary_group = yes
      # On top of not working on a DC, you have chosen stupid ranges.
Thanks for the compliment ;)
But why do you say they are stupid? Consider there will be no trusted domain nor any other domain at all on the network, and the plan is to import users with existing xidNumber from an old existing working LDAP domain - but no domain migration, I will take the opportunity to fix domain name, sid, etc. and make things right this time.

You will also need to add this line (which would have been added if you
provisioned with '--use-rfc2307'):

      idmap_ldb:use rfc2307 = yes
Since I can't use *all* rfc2307 info from AD, I see no point for that anymore.

What users and groups have you given uidNumber & gidNumber attributes
to? Also did you use the ranges you set in the DC smb.conf?
For now just a couple of test users, within those ranges.

Did you follow the Samba wiki or some other howto ?
Official samba wiki.

Today I have an OpenLDAP server read not just by samba, but by all my services (smtp, imap, proxy, php apps, etc) and my goal was to keep a central user database for all environments as it is today. If that is possible for everything *except* for one system (THE DC), I think I'll have to change my goal.

Thanks, best regards.

*Marcio Merlone*
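As an added illustration (not code from this thread or from the Samba project), a small Python check that parses the idmap-related lines of an smb.conf [global] section and reports the settings Rowland calls out as unsupported or pointless on a DC, plus overlapping idmap ranges. The sample config is constructed from the one posted above, trimmed to the relevant lines; the finding messages are mine, not Samba's.

```python
import re
from itertools import combinations
# Constructed sample: the idmap-related lines of the [global] section from the smb.conf posted in the thread.
SAMPLE_SMB_CONF = """
[global]
      server role = active directory domain controller
      winbind use default domain = yes
      winbind enum users  = yes
      idmap config * : backend = tdb
      idmap config * : range = 500-599
      idmap config A1 :backend = ad
      idmap config A1 :range = 601-65300
"""

IDMAP_RE = re.compile(r"^idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+)$", re.I)
PARAM_RE = re.compile(r"^([^=]+?)\s*=\s*(.*)$")

def parse_global(text):
    """Split smb.conf lines into plain parameters and per-domain idmap settings (assumes [global] content only)."""
    params, idmap = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":          # blank, comment or section header
            continue
        if m := IDMAP_RE.match(line):              # 'idmap config DOM : key = value'
            idmap.setdefault(m[1].upper(), {})[m[2].lower()] = m[3].strip()
        elif m := PARAM_RE.match(line):            # 'key = value', whitespace in key normalised
            params[" ".join(m[1].lower().split())] = m[2].strip()
    return params, idmap

def check_dc_idmap(text):
    """Return the settings this thread identifies as unsupported or pointless on a DC, plus range clashes."""
    params, idmap = parse_global(text)
    findings = []
    is_dc = params.get("server role", "").lower() == "active directory domain controller"
    for key in ("winbind use default domain", "winbind enum users", "winbind enum groups"):
        if is_dc and params.get(key, "").lower() == "yes":
            findings.append(f"'{key} = yes' does not help on a DC")
    ranges = {}
    for dom, conf in idmap.items():
        backend = conf.get("backend", "").lower()
        if is_dc and backend in ("ad", "rid"):     # only usable on a Unix domain member
            findings.append(f"idmap backend '{backend}' for {dom} is unsupported on a DC")
        if "range" in conf:                        # 'low-high', possibly with spaces around '-'
            ranges[dom] = tuple(int(x) for x in re.split(r"\s*-\s*", conf["range"].strip()))
    for a, b in combinations(sorted(ranges), 2):   # ranges must be disjoint or IDs collide
        if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
            findings.append(f"idmap ranges for {a} and {b} overlap")
    return findings
```

Run on a member server's smb.conf (server role other than DC) the backend and winbind findings are suppressed, since the 'ad' and 'rid' backends are meant for domain members.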