[Samba] idmap backend = ad and Active Directory 2008R2
Rue, Randy
randyrue at gmail.com
Thu May 31 12:31:03 MDT 2012
To clarify: If I'm running a 2008R2 AD the rfc2307 attributes I need are in the AD schema and I don't need to install any additional services to the Domain Controllers? Or should I have Services for Unix or some other features installed?
rrue
----- Original Message -----
From: "Randy Rue" <randyrue at gmail.com>
To: samba at lists.samba.org
Sent: Thursday, May 31, 2012 8:52:01 AM
Subject: Re: [Samba] idmap backend = ad and Active Directory 2008R2
I've swapped in my domain name/etc and commented the lines that I believe
don't apply to my environment, if I disabled something necessary please let
me know. Here's the smb.conf I tried:
[global]
netbios name = HAPPYTOBEHERE
security = ads
workgroup = FOO
realm = FOO.ORG
password server = dcx.foo.org dcy.foo.org dcz.foo.org
# I also tried it with a single DC entry
preferred master = no
encrypt passwords = yes
kerberos method = secrets only
# general options
# vfs objects = shadow_copy2 fileid gpfs
# unix extensions = no
# mangled names = no
# case sensitive = no
# map untrusted to domain = yes
deadtime = 0
log level = 1
log file = /var/log/samba/%I.log
max log size = 100
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 SO_REUSEADDR SO_KEEPALIVE
# store DOS attributes in extended attributes (vfs_gpfs then stores them in the file system)
# ea support = yes
# store dos attributes = yes
# map readonly = no
# map archive = no
# map system = no
# the ctdb clustering and GPFS stuff
# clustering = yes
# ctdbd socket = /tmp/ctdb.socket
# fileid : algorithm = fsname
# gpfs : sharemodes = yes
# gpfs : winattr = yes
# force unknown acl user = yes
# nfs4 : mode = special
# nfs4 : chown = no
# nfs4 : acedup = merge
# enable shadow copies
# shadow : snapdir = /happytobehere/.snapshots
# shadow : basedir = /happytobehere
# shadow : fixinodes = yes
# silence warnings about CUPS
# printing = bsd
# printcap name = /etc/printcap
# load printers = yes
cups options = raw
# stuff necessary for guest logins to work where required
# guest account = nobody
# map to guest = bad user
# fake the dfree information to match the fileset quota if it exists
# dfree cache time = 15
# dfree command = /var/lib/samba/scripts/mmdfree
# deal with NSS and the whole UID/SID id mapping stuff
idmap backend = tdb
idmap uid = 2000000 - 2999999
idmap gid = 2000000 - 2999999
idmap config FOO : backend = ad
idmap config FOO : schema_mode = rfc2307
idmap config FOO : readonly = yes
idmap config FOO : range = 500 - 1999999
idmap cache time = 604800
idmap negative cache time = 20
winbind cache time = 600
winbind nss info = rfc2307
winbind expand groups = 2
winbind nested groups = yes
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes
winbind offline logon = false
Here's /etc/pam.d/password-auth-ac if that helps:
[root@happytobehere samba]# cat /etc/pam.d/password-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_succeed_if.so user ingroup adm_it_sops_lessadmins_mod
auth sufficient pam_succeed_if.so user ingroup "domain admins"
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so
account required pam_access.so
account sufficient pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password sufficient pam_winbind.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so
[BTW, when this does work I still see errors in syslog about accounts I know are Domain Admins still not being recognized as members of the group "domain". Do I need to do something else to escape that space in the group name? Maybe a backslash?]
And here's what syslog sees for an attempt via SSH:
May 31 08:11:54 happytobehere sshd[12713]: Invalid user should_work from www.xxx.yyy.zzz
May 31 08:11:54 happytobehere sshd[12716]: input_userauth_request: invalid user should_work
May 31 08:12:01 happytobehere sshd[12713]: pam_succeed_if(sshd:auth): error retrieving information about user should_work
May 31 08:12:01 happytobehere sshd[12713]: pam_succeed_if(sshd:auth): error retrieving information about user should_work
May 31 08:12:01 happytobehere sshd[12713]: pam_unix(sshd:auth): check pass; user unknown
May 31 08:12:01 happytobehere sshd[12713]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=machineX.foo.org
May 31 08:12:01 happytobehere sshd[12713]: pam_succeed_if(sshd:auth): error retrieving information about user should_work
May 31 08:12:03 happytobehere sshd[12713]: Failed password for invalid user should_work from www.xxx.yyy.zzz port 51602 ssh2
May 31 08:12:06 happytobehere sshd[12716]: Received disconnect from www.xxx.yyy.zzz: 13: Unable to authenticate
Grateful for your help...
Randy Rue
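Added example (editor's note, not part of the thread): a small Python audit of the auth phase of the pam.d file posted above. Two of its entries, `auth sufficient pam_succeed_if.so user ingroup ...`, test a group predicate and nothing else; because their control is `sufficient`, a member of either group who reaches that line gets PAM_SUCCESS handed back to sshd before pam_krb5 or pam_winbind ever sees a password. The `requisite ... uid >= 500` line above them keeps local accounts out of this path, but as soon as winbind resolves domain users it is a password bypass for those two groups. A group restriction belongs in the account phase (the posted file already calls pam_access.so there). The script flags such entries and is run against both the posted stack and a corrected one; the corrected stack, the non-authenticating module list and the bracketed-control handling are my additions, not the poster's. Separately, pam.conf(5) quotes a module argument containing white space with square brackets, `[domain admins]`, not double quotes.

```python
"""Audit a Linux-PAM auth stack for entries that hand back success without a credential check."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed input: the auth lines of the /etc/pam.d/password-auth-ac posted in the
# thread, with the two line-wrapped entries rejoined.
POSTED_AUTH_STACK = """\
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_succeed_if.so user ingroup adm_it_sops_lessadmins_mod
auth sufficient pam_succeed_if.so user ingroup "domain admins"
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so
"""

# Corrected form (my addition, not from the thread): the two predicate-only entries are
# gone from the auth phase. Restricting by group belongs in the account phase, e.g. the
# pam_access.so entry already present in the posted file.
HARDENED_AUTH_STACK = """\
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so
"""

# Modules that never verify a password: pam_succeed_if only evaluates a predicate and
# pam_permit always succeeds.
NON_AUTHENTICATING = {"pam_succeed_if.so", "pam_permit.so"}


@dataclass
class Finding:
    lineno: int
    line: str
    reason: str


def _split_entry(line: str):
    """Return (type, control, module) for a pam.d entry; the control may be bracketed."""
    fields = line.split()
    if len(fields) < 3:
        return None
    ptype, rest = fields[0], fields[1:]
    if rest[0].startswith("["):
        # bracketed control, e.g. [success=done default=bad], spans several tokens
        end = next((i for i, tok in enumerate(rest) if tok.endswith("]")), None)
        if end is None:
            return None
        control, rest = " ".join(rest[: end + 1]), rest[end + 1 :]
    else:
        control, rest = rest[0], rest[1:]
    if not rest:
        return None
    return ptype, control, rest[0]


def _success_ends_stack(control: str) -> bool:
    """True if a success from this entry returns PAM_SUCCESS to the caller immediately."""
    if control in ("sufficient", "binding"):
        return True
    if control.startswith("["):
        actions = dict(tok.split("=", 1) for tok in control.strip("[]").split() if "=" in tok)
        return actions.get("success") == "done"
    return False


def audit_auth_stack(text: str) -> list[Finding]:
    """Flag auth entries where a non-authenticating module can end the stack successfully."""
    findings: list[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parsed = _split_entry(line)
        if parsed is None or parsed[0] != "auth":
            continue
        _, control, module = parsed
        if module in NON_AUTHENTICATING and _success_ends_stack(control):
            findings.append(Finding(lineno, line,
                f"{module} succeeds for matching users and '{control}' ends the auth "
                "stack with PAM_SUCCESS, so no password is verified for them"))
    return findings


if __name__ == "__main__":
    for f in audit_auth_stack(POSTED_AUTH_STACK):
        print(f"line {f.lineno}: {f.line}\n    {f.reason}")
    print("hardened stack findings:", audit_auth_stack(HARDENED_AUTH_STACK))
```

Run it as-is and it reports lines 4 and 5 of the posted stack and nothing for the corrected one; point `audit_auth_stack` at the contents of any other pam.d service file to check it the same way.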
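Added example (editor's note, not part of the thread): reading the syslog excerpt above. sshd logs `Invalid user X from ...` only when its getpwnam() lookup for X returns nothing, i.e. the name is not visible through NSS; the later PAM lines (`error retrieving information about user`, `check pass; user unknown`) are the same missing account seen from inside PAM. So this trace says winbindd/nsswitch is not returning the user at all, which with `idmap backend = ad` and `schema_mode = rfc2307` means checking that the account has a uidNumber in AD inside the configured range, and no change to the PAM stack will alter it. The Python below groups records by sshd pid and classifies each connection as "not resolved by NSS" or "resolved, credential rejected"; the posted lines are the first input, the second trace for the resolved case, the regexes and the advice strings are constructed by me.

```python
"""Triage an sshd login failure from syslog: did the user fail to resolve through NSS,
or did the user resolve and the credential get rejected in the PAM auth phase?"""
from __future__ import annotations

import re

# Constructed input: the syslog excerpt posted in the thread, one record per line,
# keeping the poster's placeholder addresses.
POSTED_SYSLOG = """\
May 31 08:11:54 happytobehere sshd[12713]: Invalid user should_work from www.xxx.yyy.zzz
May 31 08:11:54 happytobehere sshd[12716]: input_userauth_request: invalid user should_work
May 31 08:12:01 happytobehere sshd[12713]: pam_succeed_if(sshd:auth): error retrieving information about user should_work
May 31 08:12:01 happytobehere sshd[12713]: pam_unix(sshd:auth): check pass; user unknown
May 31 08:12:01 happytobehere sshd[12713]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=machineX.foo.org
May 31 08:12:03 happytobehere sshd[12713]: Failed password for invalid user should_work from www.xxx.yyy.zzz port 51602 ssh2
May 31 08:12:06 happytobehere sshd[12716]: Received disconnect from www.xxx.yyy.zzz: 13: Unable to authenticate
"""

# Constructed contrast case (not from the thread): a user NSS does resolve, whose password
# is then rejected. sshd writes "Invalid user" only when getpwnam() fails, so the absence
# of that record is the distinguishing signal.
RESOLVED_USER_SYSLOG = """\
May 31 09:00:01 happytobehere sshd[13001]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=machineX.foo.org user=jdoe
May 31 09:00:03 happytobehere sshd[13001]: Failed password for jdoe from www.xxx.yyy.zzz port 51700 ssh2
"""

INVALID_USER = re.compile(r"sshd\[(\d+)\]: Invalid user (\S+) from (\S+)")
PAM_UNKNOWN = re.compile(r"sshd\[(\d+)\]: pam_unix\(sshd:auth\): check pass; user unknown")
FAILED_PW = re.compile(r"sshd\[(\d+)\]: Failed password for (invalid user )?(\S+) from (\S+)")

ADVICE = {
    "nss_unresolved": (
        "sshd could not look the user up (getpwnam failed) before PAM ran; check "
        "'getent passwd <user>' and 'wbinfo -i <user>' (nsswitch.conf, winbindd, idmap) "
        "rather than the PAM stack"),
    "credential_rejected": (
        "the user resolved through NSS; the failure is in the PAM auth phase "
        "(pam_krb5/pam_winbind or the password itself)"),
}


def triage(log: str) -> dict[str, dict]:
    """Group records by sshd pid and classify each connection's failure stage."""
    sessions: dict[str, dict] = {}

    def session(pid: str) -> dict:
        return sessions.setdefault(pid, {"user": None, "stage": None, "evidence": []})

    for line in log.splitlines():
        if m := INVALID_USER.search(line):
            s = session(m.group(1))
            s["user"], s["stage"] = m.group(2), "nss_unresolved"
            s["evidence"].append("sshd: Invalid user (getpwnam returned nothing)")
        elif m := PAM_UNKNOWN.search(line):
            s = session(m.group(1))
            s["stage"] = "nss_unresolved"
            s["evidence"].append("pam_unix: user unknown")
        elif m := FAILED_PW.search(line):
            s = session(m.group(1))
            s["user"] = m.group(3)
            if m.group(2):
                s["stage"] = "nss_unresolved"      # "invalid user" means NSS never found it
            elif s["stage"] is None:
                s["stage"] = "credential_rejected"  # known user, password refused
            kind = "invalid" if m.group(2) else "known"
            s["evidence"].append(f"sshd: Failed password ({kind} user)")
    for s in sessions.values():
        s["advice"] = ADVICE.get(s["stage"])
    return sessions


if __name__ == "__main__":
    for label, log in (("posted", POSTED_SYSLOG), ("contrast", RESOLVED_USER_SYSLOG)):
        for pid, s in triage(log).items():
            print(f"[{label}] sshd[{pid}] user={s['user']} stage={s['stage']}")
            print("   ", s["advice"])
```

Feed it a real /var/log/secure and it separates the two failure kinds per connection; the pid 12716 records in the posted trace carry no classifiable message and are left out on purpose.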
-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
On Behalf Of Jonathan Buzzard
Sent: Thursday, May 31, 2012 5:36 AM
To: samba at lists.samba.org
Subject: Re: [Samba] idmap backend = ad and Active Directory 2008R2
This is a working smb.conf from the latest CentOS 6.2 (aka 3.5.10-116.el6_2.x86_6) against a Windows 2008R2 domain. Note we are using GPFS as our
underlying file system and CTDB. All I have changed is the names.
[global]
netbios name = NEMO
security = ads
workgroup = MYDOMAIN
realm = MYDOMAIN.MEGACORP.COM
password server = *
preferred master = no
encrypt passwords = yes
kerberos method = secrets only
# general options
vfs objects = shadow_copy2 fileid gpfs
unix extensions = no
mangled names = no
case sensitive = no
map untrusted to domain = yes
deadtime = 0
log level = 1
log file = /var/log/samba/%I.log
max log size = 100
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 SO_REUSEADDR SO_KEEPALIVE
# store DOS attributes in extended attributes (vfs_gpfs then stores them in the file system)
ea support = yes
store dos attributes = yes
map readonly = no
map archive = no
map system = no
# the ctdb clustering and GPFS stuff
clustering = yes
ctdbd socket = /tmp/ctdb.socket
fileid : algorithm = fsname
gpfs : sharemodes = yes
gpfs : winattr = yes
force unknown acl user = yes
nfs4 : mode = special
nfs4 : chown = no
nfs4 : acedup = merge
# enable shadow copies
shadow : snapdir = /nemo/.snapshots
shadow : basedir = /nemo
shadow : fixinodes = yes
# silence warnings about CUPS
printing = bsd
printcap name = /etc/printcap
load printers = yes
cups options = raw
# stuff necessary for guest logins to work where required
guest account = nobody
map to guest = bad user
# fake the dfree information to match the fileset quota if it exists
dfree cache time = 15
dfree command = /var/lib/samba/scripts/mmdfree
# deal with NSS and the whole UID/SID id mapping stuff
idmap backend = tdb
idmap uid = 2000000 - 2999999
idmap gid = 2000000 - 2999999
idmap config MYDOMAIN : backend = ad
idmap config MYDOMAIN : schema_mode = rfc2307
idmap config MYDOMAIN : readonly = yes
idmap config MYDOMAIN : range = 500 - 1999999
idmap cache time = 604800
idmap negative cache time = 20
winbind cache time = 600
winbind nss info = rfc2307
winbind expand groups = 2
winbind nested groups = yes
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes
winbind offline logon = false
--
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
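Added example (editor's note, not part of Jonathan's post): the two constraints the idmap section above relies on, checked in Python. `idmap config MYDOMAIN : backend = ad` with `schema_mode = rfc2307` reads uidNumber/gidNumber straight out of AD; the Windows Server 2003 R2 and later schema already contains these RFC 2307 attributes, so nothing extra has to be installed on a 2008R2 DC, but the attributes still have to be populated on each user and group (Identity Management for UNIX only adds tooling such as the UNIX Attributes tab). idmap_ad then returns only IDs that fall inside the domain's `range`, so an account whose uidNumber is outside 500 - 1999999 stays unmapped and invisible to NSS, and idmap_ad(8) requires the per-domain range and the default tdb range (`idmap uid`/`idmap gid` in 3.5, `idmap config * : range` later) not to overlap. The parser, the deliberately overlapping variant and the check functions are my additions.

```python
"""Parse the idmap settings of an smb.conf and check the rules idmap_ad depends on:
per-domain and default ranges must not overlap, and an AD uidNumber/gidNumber is only
mapped when it falls inside its domain's configured range."""
from __future__ import annotations

import re

# Constructed input: the idmap lines from the working smb.conf posted in the thread.
POSTED_IDMAP = """\
idmap backend = tdb
idmap uid = 2000000 - 2999999
idmap gid = 2000000 - 2999999
idmap config MYDOMAIN : backend = ad
idmap config MYDOMAIN : schema_mode = rfc2307
idmap config MYDOMAIN : readonly = yes
idmap config MYDOMAIN : range = 500 - 1999999
"""

# Constructed variant (mine, not from the thread) with a common mistake: the default
# tdb range overlaps the AD range, so the same UID can be handed to two different SIDs.
OVERLAPPING_IDMAP = """\
idmap backend = tdb
idmap uid = 1000000 - 2999999
idmap gid = 1000000 - 2999999
idmap config MYDOMAIN : backend = ad
idmap config MYDOMAIN : range = 500 - 1999999
"""

RANGE_RE = re.compile(r"^\s*(\d+)\s*-\s*(\d+)\s*$")
# "idmap config <DOMAIN> : <option>"; the 3.6+ default domain is spelled "*"
DOMAIN_KEY = re.compile(r"^idmap config\s+(\S+)\s*:\s*(\w+)$", re.I)


def parse_idmap(text: str) -> dict[str, dict]:
    """Return {domain: {"backend": ..., "range": (low, high), ...}}; "*" is the default backend."""
    cfg: dict[str, dict] = {"*": {}}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "idmap backend":
            cfg["*"]["backend"] = value
        elif key in ("idmap uid", "idmap gid"):
            # Samba 3.5 spelling of the default range; the later "idmap config * : range"
            # lands in the same slot through the DOMAIN_KEY branch below
            if m := RANGE_RE.match(value):
                cfg["*"]["range"] = (int(m.group(1)), int(m.group(2)))
        elif m := DOMAIN_KEY.match(key):
            dom, opt = m.group(1).upper(), m.group(2).lower()
            entry = cfg.setdefault(dom, {})
            if opt == "range":
                if r := RANGE_RE.match(value):
                    entry["range"] = (int(r.group(1)), int(r.group(2)))
            else:
                entry[opt] = value
    return cfg


def overlapping_ranges(cfg: dict[str, dict]) -> list[tuple[str, str]]:
    """Pairs of domains whose ID ranges intersect; idmap_ad(8) requires them to be disjoint."""
    items = [(dom, entry["range"]) for dom, entry in cfg.items() if "range" in entry]
    bad: list[tuple[str, str]] = []
    for i, (d1, (lo1, hi1)) in enumerate(items):
        for d2, (lo2, hi2) in items[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                bad.append((d1, d2))
    return bad


def id_maps(cfg: dict[str, dict], domain: str, unix_id: int) -> bool:
    """True if idmap_ad would accept this uidNumber/gidNumber for the domain.
    IDs outside the configured range are filtered and the account stays unmapped."""
    entry = cfg.get(domain.upper())
    if not entry or "range" not in entry:
        return False
    low, high = entry["range"]
    return low <= unix_id <= high


if __name__ == "__main__":
    cfg = parse_idmap(POSTED_IDMAP)
    print("parsed:", cfg)
    print("overlaps in posted config:", overlapping_ranges(cfg))
    print("uidNumber 10001 maps:", id_maps(cfg, "MYDOMAIN", 10001))
    print("uidNumber 2500000 maps:", id_maps(cfg, "MYDOMAIN", 2500000))
    print("overlaps in broken variant:", overlapping_ranges(parse_idmap(OVERLAPPING_IDMAP)))
```

The posted config passes both checks; the variant reports the ("*", "MYDOMAIN") collision. Pair `id_maps` with the uidNumber read from a user's AD object to confirm that account can ever appear in `getent passwd` under this smb.conf.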
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba