[Samba] Making Linux and domain users the same

Tris Mabbs TM-Samba201302 at Firstgrade.Co.UK
Sat Mar 2 12:43:58 MST 2013


Your output shows:

> $ ls -n
> total 4
> -rw-r--r-- 1    12903      100 3 Mar  2 03:40 File_Created_In_Linux
> -rwxrw-rw- 1 16777217 16777216 3 Mar  1 13:12 File_Created_In_Windows


> [global]
>         idmap uid = 16777216-33554431

So your "joe" user is picking up an "IDMAP"ped UID.  That's expected behaviour unless Samba is told any other way to map the name to a Unix UID - it needs to get that information from somewhere.

This should work when you can get "wbinfo --uid-info 12903" to give you sensible looking information for your "joe" user.

How do you get to that stage?

Well, someone who knows Samba better than I do (so just about anyone ...) can probably correct this, and doubtless say "Good grief, don't do it like THAT!", but what we use is:

        passdb backend = tdbsam

        idmap config MYDOMAIN : backend = ad
        idmap config MYDOMAIN : range = 100-999999
        idmap config MYDOMAIN : schema_mode = rfc2307
        idmap config MYDOMAIN : default = yes
        idmap config * : backend = tdb
        idmap config * : range = 1000000-1999999

        map untrusted to domain = yes

        ldap ssl = no
        ldapsam:trusted = yes
        ldapsam:editposix = yes
        # DN used to contact LDAP server.
        # MUST HAVE PASSWORD SET IN "secrets.tdb" (using "smbpasswd -W")!
        ldap admin dn = CN=LDAP_access_user,CN=Users,DC=MYDOMAIN,DC=COM
        # Set the LDAP connection timeout (allowing for slow responses).
        ldap connection timeout = 60
        # LDAP information.
        ldap suffix = DC=MYDOMAIN,DC=COM
        ldap user suffix = OU=Users
        ldap group suffix = OU=Groups
        ldap machine suffix = OU=Computers
        ldap idmap suffix = OU=Idmap

(obviously replace the "DC=MYDOMAIN,DC=COM" type bits with your own information).

You'll then need a user, "LDAP_access_user" in my example, who has read access to LDAP.  Set their password on your Samba server using "smbpasswd -W" (so "smbpasswd" knows how to authenticate as that user).
Then make sure you have "Identity services for Unix" (or whatever it's called on whichever version of "Windows Server" you're using on your PDC - Primary Domain Controller - your AD server(s)) installed.
Then, in the user-properties ("Active Directory Users and Computers") you'll have a bunch of Unix settings you can specify.  These will include UID, GID, home directory, shell, etc.

You can do it without loading "Identity Services for Unix", but it means potentially going in and editing the LDAP information (not recommended unless you know what you're doing), and possibly even the LDAP schema (really not recommended unless ...).  "Identity Services for Unix" sets all that up for you and gives you a nice, easy way to access the appropriate LDAP objects, in the RFC2307 schema.

This is just one way to configure this, with an LDAP connection (NOT using SSL in our case, as it's completely inside a multiply firewalled network with users who aren't going to poke LDAP themselves - I haven't been bothered to set up the certificates etc. required for an SSL LDAP session so you need to be aware that what I've listed above uses unencrypted LDAP queries!  Oh, you may need to enable that on your PDC as it might be disabled, depending on how you currently have it configured - there's M$ documentation that's easy to find about how to do that).  When an ID mapping is required, an LDAP query is made to find the RFC2307 schema Unix information in AD; that's then used to provide the information to Samba.

This does have a few "Gotcha!"s to be aware of:
1) That configuration is from a "Samba 4" "smb.conf" file.  Your mileage may vary depending on what version of Samba you're running.
2) It uses unencrypted LDAP queries.  Yes, I know I've already mentioned that but it is a very important point.
3) It uses "map untrusted to domain = yes" - that's appropriate for the setup I'm running but you will want to check the documentation as to whether or not that's appropriate, or required, for your network.
4) You may need to disable VLV (Volume Level View) queries on your LDAP (AD) server.  That may or may not be a problem; it probably will be if you're running "Exchange 2010".  Beware ...
5) This is just one approach, which I threw together to meet our specific needs.  There are undoubtedly better ways to do this!
6) DON'T JUST BLINDLY COPY THAT INFORMATION, READ THE APPROPRIATE DOCUMENTATION AND MAKE SURE YOU UNDERSTAND WHAT IS BEING CONFIGURED!  I mean, that's just plain common-sense anyway - don't blindly take my, or anyone else's, word for how you should configure anything ...  And don't blame me if it goes wrong :-)

There is quite a bit of documentation on the Samba pages about how to do this sort of thing - you should check them first/as well.  Hopefully this might at least point you in the right direction and give you a suitable starting point.

Good luck :-)


PS.  If you're stuck using NIS with your old Slowlaris machine, you might find "Identity Services for Unix" particularly useful anyway until you can transition away from your old box as it integrates with NIS and can even act as a NIS server, if you *really* want it to ...
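A small check that follows on from the post's diagnosis (the "joe" files owned by UIDs out of the "idmap uid" range) and the proposed rfc2307 configuration. This is an added example, not code from the post or from the Samba project: it parses the "idmap config ... : range" lines of an smb.conf excerpt, parses "ls -n" output, and reports which configured idmap domain (if any) each file's numeric UID and GID falls in. Both inputs below are constructed from the listing and config quoted above; the file layout and the helper names (parse_idmap_ranges, audit_ownership) are assumptions of this example. IDs that fall outside every configured range are flagged as unmapped, which is what you will see for files created under a previous "idmap uid" allocation once the rfc2307 ranges replace it.

```python
import re

# Constructed smb.conf excerpt: the idmap lines from the post's proposed config.
SMB_CONF = """
[global]
        passdb backend = tdbsam

        idmap config MYDOMAIN : backend = ad
        idmap config MYDOMAIN : range = 100-999999
        idmap config MYDOMAIN : schema_mode = rfc2307
        idmap config MYDOMAIN : default = yes
        idmap config * : backend = tdb
        idmap config * : range = 1000000-1999999
"""

# Constructed `ls -n` output, copied from the listing quoted in the post.
LS_N_OUTPUT = """total 4
-rw-r--r-- 1    12903      100 3 Mar  2 03:40 File_Created_In_Linux
-rwxrw-rw- 1 16777217 16777216 3 Mar  1 13:12 File_Created_In_Windows
"""

# "idmap config <domain> : <backend|range> = <value>"
IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(.+?)\s*$")
# ls -n columns: mode links uid gid size month day time name
LS_RE = re.compile(
    r"^(\S{10})\s+\d+\s+(\d+)\s+(\d+)\s+\d+\s+\S+\s+\d+\s+\S+\s+(.+)$")


def parse_idmap_ranges(conf):
    """Return {domain: (backend, low, high)} for each idmap domain with a range."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.groups()
        entry = domains.setdefault(dom, {})
        if key == "backend":
            entry["backend"] = val
        else:
            low, high = (int(x) for x in val.split("-"))
            entry["range"] = (low, high)
    return {d: (e.get("backend"), *e["range"])
            for d, e in domains.items() if "range" in e}


def classify_id(idnum, ranges):
    """Return (domain, backend) whose range covers idnum, or None if no range does."""
    for dom, (backend, low, high) in ranges.items():
        if low <= idnum <= high:
            return dom, backend
    return None


def parse_ls_n(output):
    """Return [(name, uid, gid)] for each file line in `ls -n` output."""
    files = []
    for line in output.splitlines():
        m = LS_RE.match(line)
        if m:
            _mode, uid, gid, name = m.groups()
            files.append((name, int(uid), int(gid)))
    return files


def audit_ownership(conf, ls_output):
    """Map every file's uid and gid to the idmap domain that would own it."""
    ranges = parse_idmap_ranges(conf)
    report = {}
    for name, uid, gid in parse_ls_n(ls_output):
        report[name] = {"uid": classify_id(uid, ranges),
                        "gid": classify_id(gid, ranges)}
    return report


def unmapped_files(report):
    """Names of files whose uid or gid is outside every configured idmap range."""
    return sorted(n for n, c in report.items()
                  if c["uid"] is None or c["gid"] is None)


if __name__ == "__main__":
    result = audit_ownership(SMB_CONF, LS_N_OUTPUT)
    for name, ids in result.items():
        print(f"{name}: uid -> {ids['uid']}, gid -> {ids['gid']}")
    print("outside every configured range:", unmapped_files(result))
```

Run against a real server, replace the two constants with the contents of your smb.conf and the output of "ls -n" on the share; anything reported as outside every range is a file whose owner winbind can no longer resolve to a domain account under the new ranges, so it is worth chowning (or re-creating the mapping for) before users notice.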
