[Samba] Samba 4, Winbind & RFC2307

Thomas Simmons twsnnva at gmail.com
Sun Dec 16 15:32:09 MST 2012


acl:search = false is commented out there, but the behavior is the same
either way.


On Sun, Dec 16, 2012 at 5:30 PM, Thomas Simmons <twsnnva at gmail.com> wrote:

> I am using 'template homedir' and 'template shell' for these attributes,
> which I'm fine with. It's the uidNumber and gidNumber that
> I'm primarily concerned with. My global section:
>
> [global]
>         workgroup = TESTDOM
>         realm = internal.testdom.com
>         netbios name = ADC1
>         server role = active directory domain controller
>         dns forwarder = 10.10.65.1
>         idmap_ldb:use rfc2307 = yes
>         #acl:search = false
>
>         template homedir = /home/%ACCOUNTNAME%
>         template shell = /bin/sh
>
>
>
> On Sun, Dec 16, 2012 at 5:06 PM, Andrew Bartlett <abartlet at samba.org>wrote:
>
>> On Sun, 2012-12-16 at 16:51 -0500, Thomas Simmons wrote:
>> > Hello Andrew,
>> >
>> >
>> > If functionality is not there, I certainly understand and can work
>> > around it. I just want to make sure I am not misunderstanding
>> > something.
>> >
>> >
>> > When you say I should set "idmap_ldb:use rfc2307=yes" in smb.conf on
>> > the DC, do you mean that by doing so I can use winbind (and the
>> > rfc2307 attributes) for *nix authentication on the DC? I am confused
>> > because I already have "idmap_ldb:use rfc2307 = yes" in my smb.conf
>> > (it gets added automatically with the classicupgrade and I always
>> > provision my "clean" test setup with "--use-rfc2307"). That actually
>> > works fine - the rfc2307 attributes are there and I can modify them in
>> > ADUC. If I configure the server to use NSS+LDAP for authentication, my
>> > users' uid number, gid number, shell, etc. are what I have specified
>> > in ADUC. When I try using winbind, it is not using the rfc2307
>> > information from AD.
>>
>> That's odd, but remember that only the UID and GID values will be used
>> (not the shell or homedir, which is handled in a different bit of the
>> code).  However, your output below clearly shows that isn't
>> happening :-(
>>
>> >         > Here I have NSS+LDAP configured and getent reports the correct uidNumber
>> >         > and gidNumber that I have specified in AD (rfc2307 attributes):
>> >         >
>> >         > root at ALW1:~# getent passwd | grep tuser
>> >         > tuser1:*:10005:10000:Test User1:/home/tuser1:/bin/sh
>> >         > tuser2:*:10006:10000:Test User2:/home/tuser2:/bin/sh
>> >         > tuser3:*:10007:10000:Test User3:/home/tuser3:/bin/sh
>> >         >
>> >         > Here (DC) I am using winbind for authentication, and getent does not report
>> >         > the correct uidNumber and gidNumber:
>> >         >
>> >         > [root at ADC1 ~]# getent passwd | grep tuser
>> >         > TESTDOM\tuser1:*:3000025:100:Test User1:/home/tuser1:/bin/sh
>> >         > TESTDOM\tuser2:*:3000026:100:Test User2:/home/tuser2:/bin/sh
>> >         > TESTDOM\tuser3:*:3000027:100:Test User3:/home/tuser3:/bin/sh
>> >
>> As a test, can you set 'acl:search=false' and see if it makes a
>> difference?
>>
>> > Initially,  "idmap_ldb:use rfc2307 = yes" was the only idmap related
>> > entry in my smb.conf. When that did not work I tried a bunch of other
>> > "idmap config DOMAIN" settings.
>>
>> The code that handles that isn't hooked up yet.  I'm hoping someone will
>> take this on for 4.1.
>>
>> > Again, if this simply does not work at this time, I can use NSS and
>> > LDAP for logins on my DCs. With my S3 setup, I've always used LDAP for
>> > auth on *nix systems and am not terribly familiar with winbind, so I
>> > just want to make sure I'm not missing something. My next test will be
>> > setting up a member server. Can you tell me what entries I will need
>> > in my smb.conf to have winbind use the rfc2307 information from my S4
>> > DC on member servers?
>>
>> I don't recall the exact settings right now, but for member servers it
>> is the same as for a Windows AD domain (yes, I think this should be more
>> automatic).
>>
>> In terms of using nss_ldap on the DC, the only concern I have is that
>> the [homes] share might not work if you do that.  Our DC code mostly
>> avoids calling into nss, but that particular area does do it, and really
>> does expect that nss_winbind is being used.
>>
>> For that reason, we generally suggest separation between the DC and
>> other roles as the best way out of this situation.
>>
>> Andrew Bartlett
>>
>> --
>> Andrew Bartlett
>> http://samba.org/~abartlet/
>> Authentication Developer, Samba Team           http://samba.org
>>
>>
>>
>
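The member-server settings asked about in the thread, as an added example that is not part of the original mail or of the Samba project's documentation. The workgroup and realm are taken from the poster's [global] section; the idmap ranges are assumptions and must be adjusted so that the TESTDOM range covers every uidNumber/gidNumber assigned in ADUC (10000-10007 in the thread's output) and does not overlap the default (`*`) range. This is for a domain member, not the DC: as Andrew notes above, the DC in 4.0 only honours `idmap_ldb:use rfc2307 = yes` and ignores `idmap config` entries.

```ini
[global]
        workgroup = TESTDOM
        realm = INTERNAL.TESTDOM.COM
        security = ADS

        # SIDs without rfc2307 attributes (BUILTIN, well-known SIDs) get
        # locally allocated ids from this range; keep it disjoint from TESTDOM
        idmap config * : backend = tdb
        idmap config * : range = 3000000-3999999

        # Read uidNumber/gidNumber for TESTDOM accounts from AD itself
        idmap config TESTDOM : backend = ad
        idmap config TESTDOM : schema_mode = rfc2307
        idmap config TESTDOM : range = 10000-99999

        # Use the rfc2307 loginShell/unixHomeDirectory attributes when present
        winbind nss info = rfc2307
        template homedir = /home/%U
        template shell = /bin/sh
```

After `net ads join`, `getent passwd TESTDOM\\tuser1` should show uid 10005 and gid 10000 rather than a locally allocated 3000025; an account whose uidNumber falls outside the TESTDOM range is simply not mapped by the ad backend, so a wrong range shows up as missing users rather than wrong ids.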

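A quick check for the symptom in the thread, written as an added example (not code from the mail or from Samba): it reads `getent passwd` output and flags every entry whose uid or gid lies outside the range the rfc2307 attributes were assigned from in ADUC, which is what winbind's own allocation (3000025, gid 100 in the DC output above) looks like. The sample input is constructed from the three entries the poster printed plus one correctly mapped entry; the range bounds 10000-19999 are an assumption matching the thread's values.

```sh
#!/bin/sh
# Added example, not from the thread. Flag accounts whose uid/gid came from
# winbind's automatic allocation instead of the rfc2307 uidNumber/gidNumber
# stored in AD. Reads `getent passwd` lines on stdin; LO and HI are the
# bounds of the range used for uidNumber/gidNumber in ADUC (assumed here).
#
# Usage on a real host:  getent passwd | find_unmapped 10000 19999
find_unmapped() {
    lo=$1
    hi=$2
    awk -F: -v lo="$lo" -v hi="$hi" '
        # print name:uid:gid for every entry whose uid or gid is out of range
        $3 < lo || $3 > hi || $4 < lo || $4 > hi {
            print $1 ":" $3 ":" $4
            bad++
        }
        END { exit (bad > 0) }
    '
}

# Constructed sample: the three entries the DC returned in the thread (uid
# 3000025.. and gid 100 are winbind allocations, not the AD values
# 10005..10007 / 10000), plus one entry that is mapped correctly.
SAMPLE_GETENT='TESTDOM\tuser1:*:3000025:100:Test User1:/home/tuser1:/bin/sh
TESTDOM\tuser2:*:3000026:100:Test User2:/home/tuser2:/bin/sh
TESTDOM\tuser3:*:3000027:100:Test User3:/home/tuser3:/bin/sh
TESTDOM\tuser4:*:10008:10000:Test User4:/home/tuser4:/bin/sh'

# Number of sample entries outside the range LO..HI
count_unmapped() {
    printf '%s\n' "$SAMPLE_GETENT" | find_unmapped "$1" "$2" | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_GETENT" | find_unmapped 10000 19999 \
    || echo "winbind is not using the rfc2307 ids for the entries above"
```

On a DC running 4.0 the three TESTDOM entries are reported, matching Andrew's reading of the output; on a member server configured with the ad idmap backend the check should print nothing. Note that `printf '%s\n'` is used instead of `echo` so the backslash in `TESTDOM\tuser1` is not interpreted.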
