Winbind/Samba RFC2307 Roadmap

David Mansfield samba at dm.cobite.com
Tue Mar 12 07:30:31 MDT 2013


On 03/12/2013 08:31 AM, Colin Simpson wrote:
> Hi
>
> I was just wondering if there was a roadmap on how rfc2307 and I guess
> how Unix clients in general were planned to be handled in a Winbind
> Samba setup. It seems (from an outside perspective) that there is no
> clear direction (to users) as to the preferred way these should be dealt
> with.
>
> I mean at provisioning the RFC2307 attributes aren't enabled by default
> (which is maybe understandable as the target is domain level 2003 and
> this wasn't true until 2003R2) but not helpful for Unix clients (better
> if it was 2003R2 but not sure the other side effects this would
> introduce).
>
> Also by default no reverse DNS zone is created by the provisioning
> process (can't remember if an AD forest does this by default, I think it
> might) and this is often required for Linux kerberized services to work
> (SSH being the obvious one).
>
> Additionally last time I tried I notice the add user commands don't seem
> to be able to add Unix attributes, which means people have hand rolled
> their own, and some of these scripts do things that Windows AD doesn't
> for Unix users and groups, for example setting objectClass
> "posixAccount" and "posixGroup", this won't interop easily with a Windows
> DC, I'd imagine.
Just FYI, I have a "hand rolled script" which I've attached (s4imu.pl - 
samba4 identity management for unix) which attempts to make managing the 
Unix attributes a bit easier.  It's a work-in-progress but we're using 
it here.  I agree with you wholeheartedly that having hand-rolled is the 
wrong way to go, and I believe this should be built into samba-tool, 
which if I'm not mistaken is not bound to adhere to any specific 
(limited) set of commands or options.

> Even though Windows uses RFC2307 it isn't pure RFC2307, (it's been a
> while since I setup a clean AD forest) Windows seems to basically put
> the RFC2307 attributes into the standard AD objectClass "Person" and
> objectClass "group". I'd have thought Samba 4's useradding should allow
> adding RFC2307 attributes, and should add them the same way that AD
> Users and Computers does, to existing user and group objects. Maybe I'm
> behind the times on this one and this is fixed.
Unless one has Windows Server installed, you cannot install the RFC2307 
extensions to "User and Computers" into windows afaik (that tab is 
missing from the interface and cannot be installed using the freely 
available downloads).  So from the Windows AD management tool you cannot 
manage the RFC2307 attributes either.  This is my experience using Win 
XP Pro with the AD management console.

> My bugbear I've seen, is that the default group in Winbind (even setting
> everything to use RFC2307) is to use the Windows default group. This
> makes total sense in a mapped UID/GID but makes less sense in a RFC2307
> world where the GID is specified as gidNumber for the user's account
> (but ignored by Winbind) and no way to configure this. This has a bug ID
> #8694.
>
> Another minor thing I noticed is that Winbind also doesn't by default
> obtain a TGT, this should surely now be the default in a S4 context.
I think tweaking /etc/security/pam_winbind.conf can get the TGT working 
fine.

> Is the eventual aim to encourage people to use RFC2307 attributes in
> preference to generated or mapped UID/GID's?
>
> It seems like with the arrival of Samba 4 that there exists the
> capability to be a first class cross platform directory service (like AD
> itself is to be honest, except it only runs on Windows) but it isn't so
> easy at the moment to use as Unix directory.
>
> I know it's early days on Samba 4 (and what an achievement) and I really
> don't mean to complain at all, I just want to get some insight into the
> Winbind plan (I know there are currently two so maybe that is where all
> this is being thought of in a merge).
>
> Also to try to see if there is direction to make Samba 4's Unix
> behaviour be more like pure AD (strange to say I know) and achieve a
> level of standardisation across installs worldwide?
>
> Also I don't know how Samba 4 say interoperates with SSSD (rfc2307), has
> it been tried?
>
> Thanks for any information and for all the great work up to now!
>
>
I'm also not complaining!  I'm excited about the direction s4 will take, 
and will contribute as possible but I also think understanding (or 
planning) the future direction of s4/unix interaction is necessary.

-- 
David Mansfield,
Cobite INC.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: s4imu.pl
Type: application/x-perl
Size: 15214 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20130312/c3a093f3/attachment.bin>
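As an added example (not code from the thread, from s4imu.pl or from Samba), here is a small audit over a constructed LDIF export of AD user objects. It checks the points raised in the thread: whether the standard AD user object carries the RFC2307 attributes, whether hand-rolled tooling has stamped posixAccount/posixGroup onto it, and whether two accounts share a uidNumber. The DNs and values are made up.

```python
# Added example (not from the thread or from Samba): audit an LDIF export of
# AD user objects for the RFC2307 attributes the discussion is about.
from collections import defaultdict

REQUIRED = ("uidNumber", "gidNumber", "unixHomeDirectory", "loginShell")
NON_AD_CLASSES = {"posixaccount", "posixgroup"}  # stamped on by hand-rolled tools
# Constructed sample export (not real directory data).
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=com
objectClass: user
uidNumber: 10001
gidNumber: 10000
unixHomeDirectory: /home/alice
loginShell: /bin/bash

dn: CN=bob,CN=Users,DC=example,DC=com
objectClass: user
objectClass: posixAccount
uidNumber: 10001
gidNumber: 10000
"""

def parse_ldif(text):
    """Minimal LDIF parser: list of {attr: [values]} (no line wrapping or base64)."""
    entries, cur = [], defaultdict(list)
    for line in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if cur:
                entries.append(dict(cur))
                cur = defaultdict(list)
            continue
        attr, _, value = line.partition(":")
        cur[attr.strip()].append(value.strip())
    return entries

def audit(entries):
    """Return {dn: [findings]} for user objects that will not behave as RFC2307 users."""
    findings, by_uid = defaultdict(list), defaultdict(list)
    for e in entries:
        dn, classes = e["dn"][0], {c.lower() for c in e.get("objectClass", [])}
        if "user" not in classes:
            continue  # groups and computers are out of scope here
        findings[dn] += [f"missing {a}" for a in REQUIRED if a not in e]
        findings[dn] += [f"non-AD objectClass {c}" for c in sorted(classes & NON_AD_CLASSES)]
        for uid in e.get("uidNumber", []):
            by_uid[uid].append(dn)
    for uid, dns in by_uid.items():  # one uidNumber on two accounts breaks file ownership
        for dn in (dns if len(dns) > 1 else []):
            findings[dn].append(f"duplicate uidNumber {uid}")
    return {dn: f for dn, f in findings.items() if f}
```

Run `audit(parse_ldif(SAMPLE_LDIF))` to get the findings per DN; on a real export, feed it the output of an LDIF search over the Users container instead of the sample.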