[Samba] Re: ldapsearch and getent passwd/group with nss winbind differs
Andreas Ladanyi
knuffiandy at web.de
Tue Aug 26 18:48:32 GMT 2008
Hi Doug,
I read your mail intently and would like to thank you for your detailed
illustration. ;-)
I will change the parameter you suggest and do some more tests to
verify my understanding.
Bye,
Andy
Doug VanLeuven schrieb:
> Andreas Ladanyi wrote:
>>>> There is one "UNIX attribute" tab and one "Members Of" tab.
>>>> During some tests we discovered the following facts
>>>> =================================================
>>>> In "UNIX attribute" tab:
>>>> ========================
>>>> winbind is only interested in the UID field ->
>>>> in ldap tree the attribute "uidnumber".
>>> If you're talking SFU, it doesn't use uidnumber. It uses attribute
>>> msSFU30UidNumber and displays UID on the Unix Attributes tab.
>>> I don't have a Windows 2003 R2 for comparison. Are you really using
>>> SFU (Services For Unix 3.0) or do you have the newer 2003 R2?
>>
>> I use 2003 R2 and did install the "Unix plugin" for AD schemata
>> extension from Windows component setup.
> OK. You probably have the rfc2307 attributes.
>
> From rfc2307:
> 2.2. Attributes
>
> The attributes and classes defined in this document are summarized
> below.
>
> The following attributes are defined in this document:
>
> uidNumber
> gidNumber
> gecos
> homeDirectory
> loginShell
> ...(more attributes)...
> This isn't "winbind nss info = sfu template", it's "nss info = rfc2307 template".
> SFU is strictly for MS (c) Services for Unix which added alien attribute
> names to the tree.
> SFU attributes are named thus:
> msSFU30UidNumber
> msSFU30GidNumber
> msSFU30Gecos
> msSFU30HomeDirectory
> msSFU30LoginShell
>
> If I remember the idmap_ad code correctly, idmap_ad queries for each
> style attribute
> and remembers what it finds. For basic samba functionality, you don't
> need to know your windows schema extension. The winbind nss plugin will
> care though.
>
> Winbind will pick up the uidNumber for users and the gidNumber for groups
> but group membership will be determined by the windows group membership.
> The gid numbers of the windows groups will come from your unix tab.
> Put another way, winbind will look up the SIDs of your windows group
> membership and look up the gidNumber attribute for those SIDs.
> You only have to synchronize the unix tab group membership if you are using
> the windows NFS server. Windows will use those numbers when it exports NFS
> shares and sets NFS acls.
> I used perl LDAP scripting to check the synchronization, because I needed
> NFS shares in windows and wanted the acl permissions consistent.
>
>>
>>>> The other attributes from "UNIX attribute" tab are written to ldap
>>>> tree, but not used by winbind on linux side.
>>>> For example we set the following parameter in smb.conf:
>>>> winbind nss info = sfu
>>>> Of course we could define our own template bash/home with the
>>>> "template home" and "template shell" parameter, but its better the
>>>> "sfu" will work, so we would configure this parameter by the tab.
>>> Winbind only uses this parameter when it creates a Unix account.
>>> Which shouldn't happen for your AD domain members if your AD is
>>> mapped correctly.
>> winbind uses this parameter only if "it" creates a unix account? In
>> case I create a unix account with "adduser" on the terminal?
>> The mapping seems to be correct if I have a look at "getent passwd +
>> getent group"
>>
>>>> The "primary Group" is written to the ldap tree but not used by
>>>> winbind on the unix side.
>> I meant the "primary Group" text field from:
>> "UNIX attribute" tab
>> seems to be NOT used by winbind.
>>
>> The "primary group" which you can set:
>> by clicking the button "primary group" in "Members Of" tab
>> IS USED by winbind perfectly.
>> I am sorry if my explanation wasn't clear in my last posting.
>>> # net ads testjoin
>>> Join is OK
>>>
>>> # wbinfo -i forest\\jdoe
>>> FOREST\jdoe:*:525:100:John Doe:/home/jdoe:/bin/bash
>>> # getent passwd|grep jdoe
>>> FOREST\jdoe:*:525:100:John Doe:/home/jdoe:/bin/bash
>>>
>>> # getent group|grep 100
>>> FOREST\domain users:x:100:
>>>
>>> You can set the value msSFU30Gecos and winbind will report it,
>>> otherwise "Display Name" is used.
>>>
>>>> In "Members Of" tab:
>>>> ====================
>>>> In this tab you can choose a group from a list and there is a button
>>>> with which you can set a Unix primary group by clicking. This will be
>>>> read by winbind only. But this has no effect on the primary group ID on
>>>> the "UNIX attribute" tab.
>>>>
>>>> What do you say? Did we configure something wrong? Is this the
>>>> normal function?
>>> I needed to use the "idmap config" values:
>>> idmap domains = FOREST
>>> idmap config FOREST:readonly = yes
>>> idmap config FOREST:backend = ad
>>> idmap config FOREST:range = 0 - 29999
>>> idmap config FOREST:schema_mode = sfu
>>>
>>> idmap alloc backend = tdb
>>> idmap alloc config:range = 50000-50999
>>>
>>> and of course in nsswitch.conf:
>>> passwd: compat winbind
>>> group: compat winbind
>>>
>>> some people like to use "files" instead of "compat", but that's about
>>> NIS semantics and doesn't matter to winbind.
>>
>>
>> winbind separator = /
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind cache time = 60
>> idmap backend = ad
>> idmap uid = 6000-27000
>> idmap gid = 600-7000
>> template shell = /bin/bash
>> template homedir = /home/%U
>> winbind use default domain = yes
>> winbind refresh tickets = yes
>> allow trusted domains = yes
>> winbind nss info = sfu template
> Should probably be winbind nss info = rfc2307 template
> FYI, you've specified the older idmap syntax.
> Refer to idmap_ad in the samba docs for the new syntax.
> The newer syntax allows you to break up the uid/gid numbers into ranges
> allocated to different domains and local allocation.
> I've always referred to Simo's paper:
> http://www.samba.org/~idra/samba3_newidmap.pdf
>>
>> My nsswitch.conf is like yours.
>>
>> We want to use the "compat" mode because we hope we could exclude some
>> users from login. This isn't possible with winbind?!
> No. Not with NIS semantics. There are other mechanisms used. None of
> which I'm very familiar with.
>>
>> Alternatively, I know pam_require. Do you know a way to do
>> this task?
> No. I hope I never have to specify a Pam config from scratch.
>>
>> Is there a part of the documentation that shows which LDAP attributes
>> are used by winbind? Or do I have to look this up in the source
>> code :-)
> The manpage for idmap_ad:
> http://us1.samba.org/samba/docs/man/manpages-3/idmap_ad.8.html
>
> Really, winbind only cares about the passwd related fields.
> uid,gid,gecos,homedir,shell
> name and password come from pre2000 name and windows password.
>
> The rfc2307 specs from ietf.org:
> http://www.ietf.org/rfc/rfc2307.txt
>> Thanks a lot for your posting,
> You're welcome.
>
> Doug
>
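Doug mentions checking the directory-to-Unix synchronization with LDAP scripting; the following added example (not code from either poster) does the same in Python for a pasted ldapsearch LDIF dump: it probes both the rfc2307 and the msSFU30 attribute names the way the thread describes idmap_ad doing, builds the passwd line winbind would report (pre-2000 name, gecos falling back to Display Name) and diffs it against getent passwd output. The LDIF and getent lines are constructed for the example, the domain name FOREST is taken from the thread, and the home attribute is the RFC's homeDirectory as quoted above (an AD R2 schema stores it as unixHomeDirectory, so adjust SCHEMAS for your forest).

```python
# Attribute names idmap_ad probes, keyed by schema_mode (rfc2307 names as quoted
# from the RFC above, SFU names as Doug lists them).
SCHEMAS = {
    "rfc2307": ("uidNumber", "gidNumber", "gecos", "homeDirectory", "loginShell"),
    "sfu": ("msSFU30UidNumber", "msSFU30GidNumber", "msSFU30Gecos",
            "msSFU30HomeDirectory", "msSFU30LoginShell"),
}

def parse_ldif(text):
    """One {attr: [values]} dict per LDIF entry; no folded or base64 values."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for attr, _, value in (l.partition(": ") for l in block.splitlines()):
            entry.setdefault(attr, []).append(value)
        entries.append(entry)
    return entries

def passwd_view(entry, domain="FOREST"):
    """Passwd line winbind would build, or None if the entry has no Unix uid.
    Name comes from the pre-2000 logon name; gecos falls back to displayName."""
    mode = next((m for m, a in SCHEMAS.items() if a[0] in entry), None)
    if mode is None:
        return None
    uid, gid, gecos, home, shell = (entry.get(a, [""])[0] for a in SCHEMAS[mode])
    gecos = gecos or entry.get("displayName", [""])[0]
    return f"{domain}\\{entry['sAMAccountName'][0]}:*:{uid}:{gid}:{gecos}:{home}:{shell}"

def find_mismatches(ldif_text, getent_lines):
    """(getent line, LDAP-derived line) pairs that disagree; None = not in LDAP."""
    expected = {v.split(":")[0]: v for v in map(passwd_view, parse_ldif(ldif_text)) if v}
    return [(g, expected.get(g.split(":")[0])) for g in getent_lines
            if expected.get(g.split(":")[0]) != g]

# Constructed sample: one rfc2307 user, one SFU user (dn lines omitted), and
# getent output in which jroe's primary gid has drifted from the directory.
SAMPLE_LDIF = """\
sAMAccountName: jdoe
displayName: John Doe
uidNumber: 525
gidNumber: 100
homeDirectory: /home/jdoe
loginShell: /bin/bash

sAMAccountName: jroe
msSFU30UidNumber: 526
msSFU30GidNumber: 100
msSFU30Gecos: Jane Roe
msSFU30HomeDirectory: /home/jroe
msSFU30LoginShell: /bin/bash
"""
SAMPLE_GETENT = ["FOREST\\jdoe:*:525:100:John Doe:/home/jdoe:/bin/bash",
                 "FOREST\\jroe:*:526:101:Jane Roe:/home/jroe:/bin/bash"]
```

Feed it `ldapsearch -LLL` output and `getent passwd` lines from the member server; an empty result means winbind's view matches the directory for every listed account.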