[Samba] Samba4 member of another « Samba4 » domain

Gémes Géza geza at kzsdabas.hu
Thu Apr 11 14:39:23 MDT 2013


On 2013-04-11 01:14, François Lafont wrote:
> On 10/04/2013 06:59, Gémes Géza wrote:
>> You should check rfc2307 on the samba AD, if your users do not have
>> uidNumber gidNumber attributes they are going to be ignored by the
>> winbind daemon if you specify rfc2307 schema mode on the domain member.
> If I have understood correctly, when I don't use rfc2307 on the dc server (this is
> the default) and I don't use rfc2307 on the member server either, with this
> config:
>
> -------------------------------------------------------------------
> # No refer to "rfc2307".
>
> [global]
>      workgroup = CHEZMOI
>      security = ADS
>      realm = CHEZMOI.PRIV
>      encrypt passwords = yes
>      idmap config *:backend = tdb
>      idmap config *:range = 70001-80000
>
>      winbind trusted domains only = no
>      winbind use default domain = yes
>      winbind enum users  = yes
>      winbind enum groups = yes
> -------------------------------------------------------------------
>
> It seems to work well, but the uid and the gid of the domain accounts
> are different between the dc and the member. And if I use rfc2307,
> then it's possible to have the same uid and gid on the dc and the
> member. Is that correct?
>
> For the moment, I don't succeed in using "rfc2307" with a dc and a
> member. Without "rfc2307", I think it works well with:
>
> 1. For the dc:
>
> -------------------------------------------------------------------
> [global]
>          workgroup = CHEZMOI
>          realm = CHEZMOI.PRIV
>          netbios name = WHEEZY-SERVER
>          server role = active directory domain controller
>          dns forwarder = 212.27.40.241
>
> [netlogon]
>          path = /usr/local/samba/var/locks/sysvol/chezmoi.priv/scripts
>          read only = No
>
> [sysvol]
>          path = /usr/local/samba/var/locks/sysvol
>          read only = No
> -------------------------------------------------------------------
>
> 2. And for the member:
>
> -------------------------------------------------------------------
> [global]
>      workgroup = CHEZMOI
>      security = ADS
>      realm = CHEZMOI.PRIV
>      encrypt passwords = yes
>      idmap config *:backend = tdb
>      idmap config *:range = 70001-80000
>
>      winbind trusted domains only = no
>      winbind use default domain = yes
>      winbind enum users  = yes
>      winbind enum groups = yes
> -------------------------------------------------------------------
>
> It works well (imho), but, for each account, the uid/gid are different
> between the dc and the member, and I don't like that.
>
>
> When I try to use "rfc2307", it doesn't work for me (but I must be making
> mistakes). For example, I have tried this:
>
> 1. On the dc server:
>
> # samba-tool domain provision --realm=CHEZMOI.PRIV --domain=CHEZMOI
> --server-role=dc --dns-backend=SAMBA_INTERNAL --adminpass='+toto123'
> --use-rfc2307
>
> that creates this smb.conf:
>
> -------------------------------------------------------------------
> [global]
>          workgroup = CHEZMOI
>          realm = CHEZMOI.PRIV
>          netbios name = WHEEZY-SERVER
>          server role = active directory domain controller
>          dns forwarder = 212.27.40.241
>          idmap_ldb:use rfc2307 = yes
>
> [netlogon]
>          path = /usr/local/samba/var/locks/sysvol/chezmoi.priv/scripts
>          read only = No
>
> [sysvol]
>          path = /usr/local/samba/var/locks/sysvol
>          read only = No
> -------------------------------------------------------------------
>
> Next, I use winbind in nsswitch.conf in order to resolve uid/gid -->
> names.
>
> 2. On the member, I edit this smb.conf file (found here
> https://wiki.samba.org/index.php/Samba4/Domain_Member#Setting_up_a_basic_smb.conf):
>
> -------------------------------------------------------------------
> [global]
>     workgroup = CHEZMOI
>     security = ADS
>     realm = CHEZMOI.PRIV
>     encrypt passwords = yes
>     idmap config *:backend = tdb
>     idmap config *:range = 70001-80000
>     idmap config CHEZMOI:backend = ad
>     idmap config CHEZMOI:schema_mode = rfc2307
>     idmap config CHEZMOI:range = 500-40000
>     winbind nss info = rfc2307
>     winbind trusted domains only = no
>     winbind use default domain = yes
>     winbind enum users  = yes
>     winbind enum groups = yes
> -------------------------------------------------------------------
>
> and I join the server with "net ads join" (next I use winbind too in
> nsswitch.conf).
>
> Next, I create an account on the dc (samba-tool user add test1
> --random-password) and, from a Windows station, I edit this account
> with dsa.msc and I set:
> - the UID attribute in the "Unix attributes" tab
> - the GID attribute in the "Unix attributes" tab
>
> But the dc and the member seem to ignore these values and, for example,
> with "getent passwd" the uid/gid are different for each user between the
> dc and the member.
>
> If you have advice or links on installing a dc and a member so that the uid/gid
> are the same between the dc and the member, that would interest me very much. :-)
>
> Thanks in advance.
> PS: and very sorry for my poor English.
>
The easiest way to test out rfc2307 would be to provision a new domain 
with samba-tool domain provision --use-rfc2307 
--the-other-options-of-your-choice, and test an rfc2307 client against 
it. The difference is that in this case the provisioning script loads a 
schema file (ypServ30.ldif) which makes it easier to administer the 
rfc2307 attributes using ADUC. Then join a client to the domain and see 
whether rfc2307 schema mode works or not. If it works, then you will probably 
need to load the schema modifications and a few other entries from the 
provisioning with --use-rfc2307.
BTW, I use in production a classicupgraded Samba (actually two 
replicating DCs), where --use-rfc2307 is (was) enabled by default, and a 
few Samba 3.6 installations using rfc2307 schema mode successfully 
authenticate and get account data from the AD.

Regards

Geza Gemes
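The thread turns on two conditions that winbind's idmap_ad backend in rfc2307 schema mode silently enforces: every account needs both uidNumber and gidNumber set, and the values must fall inside the `idmap config DOMAIN:range` configured on the member (and the ranges of the different idmap backends must not overlap). The script below is an added example, not code from the thread or from the Samba project. It parses a member smb.conf fragment modelled on the one posted above and a constructed LDIF dump of user objects in the shape that `ldbsearch` on the DC prints (for this install prefix the usual database path would be `/usr/local/samba/private/sam.ldb`; the accounts test2, test3 and test4 are invented), and reports which accounts winbind would ignore and why, which is the check to run before wondering why `getent passwd` disagrees between dc and member.

```python
"""Check rfc2307 readiness of AD user objects against a member's idmap config.

Added example (not from the mailing-list thread, not Samba project code).
Assumptions: the smb.conf and LDIF below are constructed samples; a real run
would feed in the member's smb.conf and the output of something like
  ldbsearch -H /usr/local/samba/private/sam.ldb '(objectClass=user)' \
      sAMAccountName uidNumber gidNumber
"""
import base64
import re

# Constructed: the member smb.conf from the thread, idmap lines only matter here.
MEMBER_SMB_CONF = """
[global]
    workgroup = CHEZMOI
    security = ADS
    realm = CHEZMOI.PRIV
    idmap config *:backend = tdb
    idmap config *:range = 70001-80000
    idmap config CHEZMOI:backend = ad
    idmap config CHEZMOI:schema_mode = rfc2307
    idmap config CHEZMOI:range = 500-40000
    winbind nss info = rfc2307
"""

# Constructed LDIF: test1 is complete, test2 has no Unix attributes, test3 has a
# uidNumber outside the CHEZMOI range, test4 (base64-encoded name) lacks gidNumber.
SAMPLE_LDIF = """
dn: CN=test1,CN=Users,DC=chezmoi,DC=priv
sAMAccountName: test1
uidNumber: 10001
gidNumber: 10000

dn: CN=test2,CN=Users,DC=chezmoi,DC=priv
sAMAccountName: test2

dn: CN=test3,CN=Users,DC=chezmoi,DC=priv
sAMAccountName: test3
uidNumber: 75000
gidNumber: 10000

dn: CN=test4,CN=Users,DC=chezmoi,DC=priv
sAMAccountName:: dGVzdDQ=
uidNumber: 10004
"""

# Matches "idmap config <domain>:<option> = <value>", including the "*" default domain.
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.*?)\s*$", re.IGNORECASE)


def parse_idmap_config(smb_conf):
    """Return {DOMAIN: {option: value}} for every 'idmap config' line in smb.conf."""
    cfg = {}
    for line in smb_conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            cfg.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3)
    return cfg


def parse_range(text):
    """'500-40000' -> (500, 40000); rejects inverted ranges."""
    lo, hi = (int(x) for x in text.split("-", 1))
    if lo > hi:
        raise ValueError(f"inverted idmap range {text}")
    return lo, hi


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines, decodes '::' base64 values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded continuation line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines:
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):     # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def check_accounts(entries, idmap_cfg, domain):
    """Classify each user the way idmap_ad in rfc2307 schema mode would treat it."""
    dom = idmap_cfg.get(domain.upper(), {})
    if dom.get("backend", "").lower() != "ad" or dom.get("schema_mode", "").lower() != "rfc2307":
        raise ValueError(f"{domain}: idmap backend is not 'ad' with schema_mode = rfc2307")
    lo, hi = parse_range(dom["range"])
    report = {}
    for e in entries:
        name = e.get("sAMAccountName", ["?"])[0]
        missing = [a for a in ("uidNumber", "gidNumber") if a not in e]
        if missing:                   # winbind ignores accounts without both attributes
            report[name] = "ignored: missing " + ", ".join(missing)
            continue
        uid, gid = int(e["uidNumber"][0]), int(e["gidNumber"][0])
        out = [f"{a}={v}" for a, v in (("uidNumber", uid), ("gidNumber", gid)) if not lo <= v <= hi]
        if out:                       # IDs outside the domain's range are not mapped
            report[name] = f"ignored: {' '.join(out)} outside range {lo}-{hi}"
        else:
            report[name] = f"ok: uid={uid} gid={gid}"
    return report


def overlapping_ranges(idmap_cfg):
    """Pairs of idmap domains whose ranges overlap (ranges of different backends must not)."""
    ranges = {d: parse_range(o["range"]) for d, o in idmap_cfg.items() if "range" in o}
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]


if __name__ == "__main__":
    cfg = parse_idmap_config(MEMBER_SMB_CONF)
    for name, status in check_accounts(parse_ldif(SAMPLE_LDIF), cfg, "CHEZMOI").items():
        print(f"{name:12} {status}")
    for a, b in overlapping_ranges(cfg):
        print(f"WARNING: idmap ranges for {a} and {b} overlap")
```

Only test1 comes back "ok"; the others are exactly the accounts that would show up with a tdb-allocated uid from the 70001-80000 default range (or not at all) on the member, which is the symptom described in the thread. The range check matters because the member's rfc2307 range here starts at 500, so a uidNumber typed into ADUC as, say, 75000 lands in the `*` range and is rejected by the ad backend.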

