[Samba] Samba 4 / idmap / NIS / winbind

Rowland Penny rowlandpenny at googlemail.com
Mon Jun 9 05:25:35 MDT 2014


On 09/06/14 11:57, Vogel, Sven wrote:
> @Rowland and @Steve
>
> Chocolate fire guard... :) You wrote your own scripts to add the rfc2307 information to the users?

Yes, several versions, lately I am using a set of scripts based on 
ldapscripts but using the ldbtools instead.

>
> I know SLES is not the best. It was not my decision. I use mostly redhat/centos. I will try sssd. Maybe that's the best choice for connection to the ad.
RHEL is known for being very stable, this is down to not being very 
up to date, SLES should be very very stable, after all it is based on an 
even older base ;-)

>
> Maybe it is not correct but when you read on this side. Below....
> http://technet.microsoft.com/en-us/library/dn303411.aspx
>
> The Server for Network Information Service (NIS) is deprecated. This includes the associated administration tools in Remote Server Administration Tools (RSAT). Use native LDAP, Samba Client, Kerberos, or non-Microsoft options.
>
> I don't know, maybe they mean other things. Steve, what do you think?

I personally think that it means that they have shot themselves in the 
foot. I do not think that Samba will ever drop being able to connect to 
Unix systems, so the RFC2307 attributes will always be available and if 
Microsoft try to stop them being added to AD, then they will probably 
get clobbered by the European Union again, just like they did with IE.

What it does mean is that Unix GUI tools need to be written to work like 
ADUC does now, not everybody wants to work at the cli and sometimes it 
is just easier to use a GUI.

Rowland


>
> Greetings thanks...
>
> Sven
>
>
> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
> Sent: Sunday, 8 June 2014 23:53
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba 4 / idmap / NIS / winbind
>
> On 08/06/14 22:25, Vogel, Sven wrote:
>> Thanks for the help
>>
>> @Rowland
>>
>> I tried these but it doesn't work for me. I think Steve said it right that I need an sssd when I am on the domain controller itself.
> Your original post was a bit narrow and adding to the smb.conf will work for the samba4 server, but is as much use as a chocolate fire-guard for other machines in the domain. This is where sssd and using RFC2307 attributes come into their own.
>
>> @Steve
>>
>> I will try it. You wrote on DC. What about when I am not on a DC?
> You can also use sssd on other machines, there is also winbind, nslcd etc, I suggest that you read the wiki and take your choice.
>
>> I can add them with samba tool but I can't modify them with it. I saw that in 2012 Microsoft removed the unix tab. So the best way will be to use the shell. Therefore the only way is ldbedit or ldbmodify. What do you think?
> Yes this would be the easiest way, but you will probably find it easiest to write some scripts round the ldb-tools, that's what I did anyway.
>
>> @Nico
>>
>> Base OS is SLES 11 SP3.
> Ah, that fine server OS, based on fossilised remains I believe ;-)
>
> Rowland
>
>> Greeting
>>
>> Sven
>>
>> -----Original Message-----
>> From: samba-bounces at lists.samba.org
>> [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
>> Sent: Saturday, 7 June 2014 22:35
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Samba 4 / idmap / NIS / winbind
>>
>> On 07/06/14 21:31, Vogel, Sven wrote:
>>> Hi,
>>>
>>> How can I get Samba 4 Sernet 4.1.7 to work correctly with NIS? It is provisioned with rfc2307.
>>>
>>> When i query a User withi get the following.
>>> 	
>>> getent passwd testswi
>>> SWI\testswi:*:10000:100:testswi:/home/SWI/testswi:/bin/false
>>>
>>> I want to change /bin/false to another value, /bin/bash
>>>
>>> I tried many things to change the value.
>>>
>>> 1. ldbedit -e vim -H /var/lib/samba/private/sam.ldb
>>> samaccountname=testswi I added  "loginShell = /bin/bash" and got
>>>
>>> ----------------------------------------------------------------------------------------------------------------------------
>>> # record 1
>>> dn: CN=testswi,OU=Benutzer,OU=SWI,DC=swi,DC=local
>>> objectClass: top
>>> objectClass: person
>>> objectClass: organizationalPerson
>>> objectClass: user
>>> cn: testswi
>>> givenName: testswi
>>> instanceType: 4
>>> whenCreated: 20140530142421.0Z
>>> displayName: testswi
>>> uSNCreated: 12359
>>> name: testswi
>>> objectGUID: d6ebbae7-8ec0-4a89-828d-58c10a7c9f99
>>> userAccountControl: 66048
>>> codePage: 0
>>> countryCode: 0
>>> pwdLastSet: 130459334610000000
>>> primaryGroupID: 513
>>> objectSid: S-1-5-21-1143642306-2581635645-836595807-1605
>>> accountExpires: 9223372036854775807
>>> sAMAccountName: testswi
>>> sAMAccountType: 805306368
>>> userPrincipalName: testswi at swi.local
>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=swi,DC=local
>>> loginShell: /bin/bash
>>> whenChanged: 20140605153458.0Z
>>> uSNChanged: 13969
>>> distinguishedName: CN=testswi,OU=Benutzer,OU=SWI,DC=swi,DC=local
>>> ----------------------------------------------------------------------------------------------------------------------------
>>>
>>> Nothing changed, always /bin/false when I use getent passwd ...
>>>
>>> 2. I tried the Windows Remote Administration Tools and the Unix
>>> tab in Windows
>>>
>>> I added NIS Domain, UID, GID, home and login shell but also nothing
>>> changed... I got the following
>>>
>>> # record 1
>>> dn: CN=testswi,OU=Benutzer,OU=SWI,DC=swi,DC=local
>>> objectClass: top
>>> objectClass: person
>>> objectClass: organizationalPerson
>>> objectClass: user
>>> cn: testswi
>>> givenName: testswi
>>> instanceType: 4
>>> whenCreated: 20140530142421.0Z
>>> displayName: testswi
>>> uSNCreated: 12359
>>> name: testswi
>>> objectGUID: d6ebbae7-8ec0-4a89-828d-58c10a7c9f99
>>> userAccountControl: 66048
>>> codePage: 0
>>> countryCode: 0
>>> pwdLastSet: 130459334610000000
>>> primaryGroupID: 513
>>> objectSid: S-1-5-21-1143642306-2581635645-836595807-1605
>>> accountExpires: 9223372036854775807
>>> sAMAccountName: testswi
>>> sAMAccountType: 805306368
>>> userPrincipalName: testswi at swi.local
>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=swi,DC=local
>>> loginShell: /bin/bash
>>> whenChanged: 20140607194437.0Z
>>> uSNChanged: 14355
>>> unixUserPassword: ABCD!efgh12345$67890
>>> uid: testswi
>>> msSFU30Name: testswi
>>> msSFU30NisDomain: swi
>>> uidNumber: 10000
>>> gidNumber: 100
>>> unixHomeDirectory: /home/testswi
>>> distinguishedName: CN=testswi,OU=Benutzer,OU=SWI,DC=swi,DC=local
>>>
>>> When I use getent passwd testswi I always get the same as above.
>>> /bin/false
>>>
>>> Questions.
>>>
>>> Is that a problem from winbind in samba 4 that not all things will
>>> correctly set or supported? W
>>>
>>> Where does getent passwd ... get the information from? I know it's winbind but what's wrong?
>>>
>>> I read about some users, they use sssd or nslcd. Is that the solution for samba 4?
>>>
>>> I am confused. Anyone who can explain that?
>>>
>>> Thanks for help
>>>
>>> Sven Vogel
>>>
>>>
>> Hi, add 'template shell = /bin/bash' to smb.conf and restart samba, or add the required RFC2307 attributes to the users and groups.
>>
>> Rowland
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
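
An added example, not part of the original thread and not Rowland's scripts: one way a script wrapped around ldbmodify could build the RFC2307 change record for a user, validating each value so that an argument containing a line break cannot add extra LDIF lines. The function name rfc2307_ldif and the ALLOWED_SHELLS list are assumptions; the DN, attribute names and sam.ldb path are the ones shown in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: emit an LDIF "modify" record that sets
# the RFC2307 attributes discussed above, validating every value first so a
# crafted argument cannot smuggle extra LDIF lines into sam.ldb.

# Assumption: the shells this site allows; adjust to local policy.
ALLOWED_SHELLS="/bin/bash /bin/sh /bin/false"

# rfc2307_ldif DN UIDNUMBER GIDNUMBER HOME SHELL
# Prints the record on stdout; returns 1 and prints nothing on bad input.
rfc2307_ldif() {
    dn=$1 uid=$2 gid=$3 home=$4 shell=$5
    # No empty values and no control characters (newline, CR, ...) in text fields.
    for v in "$dn" "$home"; do
        if [ -z "$v" ] || [ "$(printf '%s' "$v" | tr -d '[:cntrl:]')" != "$v" ]; then
            echo "rejected: empty value or control character" >&2
            return 1
        fi
    done
    # IDs must be plain decimal numbers.
    for n in "$uid" "$gid"; do
        case $n in
            ''|*[!0-9]*) echo "rejected: non-numeric id '$n'" >&2; return 1 ;;
        esac
    done
    # Home directory must be an absolute path.
    case $home in
        /*) ;;
        *) echo "rejected: home is not absolute" >&2; return 1 ;;
    esac
    # Login shell must match the allow-list exactly.
    ok=no
    for s in $ALLOWED_SHELLS; do
        if [ "$s" = "$shell" ]; then ok=yes; fi
    done
    if [ "$ok" != yes ]; then
        echo "rejected: shell not in allow-list" >&2
        return 1
    fi
    printf 'dn: %s\nchangetype: modify\n' "$dn"
    printf 'replace: uidNumber\nuidNumber: %s\n-\n' "$uid"
    printf 'replace: gidNumber\ngidNumber: %s\n-\n' "$gid"
    printf 'replace: unixHomeDirectory\nunixHomeDirectory: %s\n-\n' "$home"
    printf 'replace: loginShell\nloginShell: %s\n' "$shell"
}

# Usage: write the record to a file, review it, then apply it on the DC:
#   rfc2307_ldif "CN=testswi,OU=Benutzer,OU=SWI,DC=swi,DC=local" \
#       10000 100 /home/testswi /bin/bash > testswi.ldif
#   ldbmodify -H /var/lib/samba/private/sam.ldb testswi.ldif
```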


