[Samba] Samba AD PDC , LDAP and Single-Sign-On

Mark Foley mfoley at ohprs.org
Fri Oct 9 17:09:46 UTC 2015


Rowland - thanks for your reply. I did send a message after this one you
responded to with several other questions, but I'll pursue questioning on
GID/UID in this reply as that is what you've mainly discussed. But, please check
out that next email for other questions. Thanks.

For a particular domain user in the AD, wbinfo gives:

$ wbinfo -i mark
HPRS\mark:*:3000026:100:Mark Foley:/home/HPRS/mark:/bin/false

Main question: what should the range settings be in my client smb.conf? Or, are
these really bad GID/UIDs to use and I should change them?

Background: why do I have these GID(100) UIDs(300000xx)? The answer is that I
created domain users on the AD via RSAT > Active Directory Users and Computers.
These are apparently the GID and UID range assigned by default. The ADUC >
username > properties > Unix Attributes, UID and GID fields are blank, so I
guess 100:30000xx are picked by default.

Can I work with what I have or should I change these?

There are no other actual local users on either the AD or client aside from me
(100:1000 mfoley) other than the built-in accounts (root, bin, daemon, adm, lp
...) and services accounts (dovecot, spamd, mysql, ...).  No other actual local
users. 

How do you recommend I proceed with my idmap range configuration?

--Mark

-----Original Message-----
> Date: Fri, 09 Oct 2015 09:12:31 +0100
> From: Rowland Penny <rowlandpenny241155 at gmail.com>
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba AD PDC , LDAP and Single-Sign-On
>
> On 08/10/15 23:24, Mark Foley wrote:
> > On Thu, 08 Oct 2015 21:52 Rowland Penny wrote:
> >
> >> What you cannot do is use GPO's like windows does, everything else is
> >> possible, you just need to setup the clients correctly.
> > Excellent! I've been messing around with GPOs on Windows AD domains for years,
> > more extensively this past year with Samba4 AD/DC and I absolutely hate them.
> > In my opinion they are yet another attempt by Microsoft to shore up a
> > fundamentally insecure OS.  I have yet to find a GPO that would be worthwhile in
> > Linux.  "Trust Center"? Gee, can't execute macros in Linux that run as root -
> > don't need that.  "Remote Desktop GPO"? How about VNC.  I've got more, lots
> > more, but I'll stop.  If you can give me an example of one GPO that would be
> > useful in Linux I'll moderate my position.  Sorry to get on a rant, but if we do
> > manage to convert away from Windows, I say "good riddance" to GPOs!
> >
> >> There is a page on the Samba wiki that purports to be for a member
> >> server, well, in my opinion, it is just the basic setup and you would
> >> need to extend it to make it a proper member server, you can also use
> >> this basic setup for a workstation.
> >>
> >> Most, if not all, of the information you require is on the wiki and you
> >> only have to ask here about any gaps you find.
> > That's great!!! I've been searching for that particular wiki for a couple of
> > months now without success.  Can you point me to it? Are you referring to
> > Sketch's link?
> >
> > https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>
> Yes that is the page, but what you have to understand is that a proper 
> 'member server' is just a Unix client on steroids :-D
>
> If you follow that wiki page, you will end up with a Unix client just 
> like this one I am typing this on. The wiki page shows how to use the 
> 'ad' backend, with this you need to add 'uidNumber' & 'gidNumber' 
> attributes to your users & groups in AD, but you could use the 'rid' 
> backend instead and not need to add anything.
> The ranges shown on the wiki page '2000-9999' & '10000-99999' were 
> chosen because you need to have somewhere to store the well-known RIDs 
> and your users & groups. The lower range was chosen for the well-known 
> RIDs because:
> A) there are only approx 100 of them at present
> B) the chosen range will allow a small amount of local users (not that 
> you actually need local users) to fix things if connection to the domain 
> is broken.
> The upper range was chosen because '10000' is where ADUC starts from and 
> '99999' allows for the number to be raised i.e. you could add another '9'
>
> How do I know all this? simple, it is my basic smb.conf :-)
>
> Once you have the basic smb.conf and the workstation joined to the 
> domain, you could, if you wish, upgrade the workstation to a proper 
> member server (by adding the profiles stanza) or a fileserver by adding 
> shares, or a print server, I think you get the drift by now.
>
> You can do more, the info (hopefully) is on the wiki and if it isn't, 
> ask here, there are no stupid questions :-)
>
> Rowland
>
> >
> > --Mark
> >
> > -----Original Message-----
> >> Date: Thu, 08 Oct 2015 21:52:04 +0100
> >> From: Rowland Penny <rowlandpenny241155 at gmail.com>
> >> To: samba at lists.samba.org
> >> Subject: Re: [Samba] Samba AD PDC , LDAP and Single-Sign-On
> >>
> >> On 08/10/15 21:17, Mark Foley wrote:
> >>> On Oct 8 2015 09:32 Rowland Penny wrote:
> >>>
> >>>> It might help if you were to explain just what you require from single-sign-on ?
> >>> Well, perhaps I'm mistaken, but is this not the #1 reason to install Samba4?
> >>>   From reading this list over the past couple of months it does not seem that
> >>> Authenticating users on Windows workstations is the main thing people do.  But,
> >>> is not the ability to authenticate user logins from any (Linux or Windows)
> >>> workstation in the domain the chief purpose of Samba4? If not, please straighten
> >>> me out.  What's it good for?
> >>>
> >>> As to what *I* require, scenario: I am sitting at a linux workstation on our
> >>> office network, any linux workstation, not just the one in *my* office.  I have
> >>> a login prompt.  I don't have a specific local account configured in /etc/passwd
> >>> on this particular workstation.  I log in using my ID/PW which is authenticated
> >>> centrally (presumably via the Samba4 AD/DC), and I'm logged in! I'm not quite sure
> >>> where I'm logged into yet, but I'll cross that bridge when I come to it.
> >>>
> >>> In Windows, using Samba4 AD/DC, this is a snap.  I just join the domain via
> >>> Start > Computer > Properties > Advanced System Settings > Computer Name >
> >>> Change, and click 'Domain'.  I have to fill in the domain name, enter the Domain
> >>> Administrator credentials and I'm done.  Now, any domain user can log into any
> >>> Windows workstation anywhere on the domain.
> >>>
> >>> That's basically what I want to do with Linux workstations. I need to sort this
> >>> out because we are looking at replacing Windows workstations with Linux
> >>> workstations.
> >>>
> >>> I will investigate the recommendations posted by L.P.H. van Belle and Guilherme
> >>> Boing and see if I can make some headway.
> >>>
> >>>> Date: Thu, 08 Oct 2015 09:32:31 +0100
> >>>> From: Rowland Penny <rowlandpenny241155 at gmail.com>
> >>>> To: samba at lists.samba.org
> >>>> Subject: Re: [Samba] Samba AD PDC , LDAP and Single-Sign-On
> >>>>
> >>>> On 08/10/15 04:16, Mark Foley wrote:
> >>>>> I'm very confused. I have a Samba4 AD/DC which works great for Windows
> >>>>> Authentication with our Windows 7 workstations.
> >>>>>
> >>>>> Now, I am trying to implement single-sign-on for our coming-soon Linux workstations.
> >>>> It might help if you were to explain just what you require from
> >>>> single-sign-on ?
> >>>>
> >>>> Rowland
> >>>>
> >>>>> All web documentation I've so far found on this references OpenLDAP as the server
> >>>>> and describes server-side commands such as kadmin and slapd-config to get things
> >>>>> set up on the server-side (e.g. https://help.ubuntu.com/community/SingleSignOn)
> >>>>> which don't exist on the Samba4 AD/DC.
> >>>>>
> >>>>> Samba4 apparently has its own LDAP (Heimdal?) implementation.  Does this mean
> >>>>> everything should "just work" with LDAP clients and I need do no further
> >>>>> server-side configuration? Or does it mean, "sorry, you can't do LDAP
> >>>>> Authentication with Samba4."
> >>>>>
> >>>>> Please clarify so I can make some decisions.
> >>>>>
> >>>>> btw - the following command *does* work from a Linux client on the network:
> >>>>>
> >>>>> ldapsearch -xLLL -H ldap://mail:389 -D "cn=Administrator,CN=Users,dc=HPRS,dc=local" -W -b "dc=HPRS,dc=local"
> >>>>>
> >>>>> --Mark
> >>>>>
> >>>>>
> >>>>>
> >>>> -- 
> >>>> To unsubscribe from this list go to the following URL and read the
> >>>> instructions:  https://lists.samba.org/mailman/options/samba
> >>>>
> >> So, you want to use a Linux computer just like a windows computer, well
> >> you can and you can't :-)
> >>
> >> What you cannot do is use GPO's like windows does, everything else is
> >> possible, you just need to setup the clients correctly.
> >>
> >> The first thing you need to understand is there is only one basic way to
> >> setup Samba in an AD domain, it is what you do with Samba after this
> >> that defines what it will be used for.
> >> There is a page on the Samba wiki that purports to be for a member
> >> server, well, in my opinion, it is just the basic setup and you would
> >> need to extend it to make it a proper member server, you can also use
> >> this basic setup for a workstation.
> >>
> >> Most, if not all, of the information you require is on the wiki and you
> >> only have to ask here about any gaps you find.
> >>
> >> Rowland
> >>
> >>
> >>
>
>
>
>
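As an added check (example code, not part of the thread or of Samba): a short Python script that reads the idmap ranges from a client smb.conf fragment (constructed here with the 2000-9999 and 10000-99999 ranges Rowland mentions), parses the `wbinfo -i` line Mark posted, and reports whether the returned UID and GID land inside a configured range or collide with a local group. LOCAL_GROUPS is a constructed /etc/group excerpt.

```python
import re

# Constructed inputs (not from the thread): a client smb.conf fragment with the
# ranges Rowland describes, and the `wbinfo -i mark` line Mark posted.
SMB_CONF = """\
[global]
    workgroup = HPRS
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    idmap config HPRS : backend = rid
    idmap config HPRS : range = 10000-99999
"""
WBINFO_LINE = "HPRS\\mark:*:3000026:100:Mark Foley:/home/HPRS/mark:/bin/false"
# Constructed /etc/group excerpt; GID 100 is the local 'users' group on many distros.
LOCAL_GROUPS = {0: "root", 100: "users", 1000: "mfoley"}

RANGE_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I)

def parse_idmap_ranges(conf):
    """Return {DOMAIN: (low, high)} for every 'idmap config X : range' line."""
    ranges = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
    return ranges

def parse_wbinfo(line):
    """Split a passwd-style `wbinfo -i` line into (DOMAIN, user, uid, gid)."""
    f = line.split(":")
    if len(f) != 7:
        raise ValueError("expected 7 passwd fields, got %d" % len(f))
    dom, _, user = f[0].rpartition("\\")   # 'HPRS\mark' -> ('HPRS', 'mark')
    return dom.upper(), user, int(f[2]), int(f[3])

def classify_id(value, domain, ranges):
    """Which configured range an ID falls in: 'domain', 'default' (*) or 'outside'."""
    lo, hi = ranges.get(domain, (None, None))
    if lo is not None and lo <= value <= hi:
        return "domain"
    lo, hi = ranges.get("*", (None, None))
    if lo is not None and lo <= value <= hi:
        return "default"
    return "outside"

def check_mapping(wbinfo_line, conf, local_groups):
    """Report where a user's uid/gid sit relative to the client's idmap ranges."""
    dom, user, uid, gid = parse_wbinfo(wbinfo_line)
    ranges = parse_idmap_ranges(conf)
    return {"user": f"{dom}\\{user}",
            "uid": classify_id(uid, dom, ranges),
            "gid": classify_id(gid, dom, ranges),
            "gid_local_collision": local_groups.get(gid)}
```

For the posted line both IDs come back as "outside" and the GID collides with the local 'users' group, which is the mismatch the idmap ranges on the client have to resolve.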