[Samba] Samba AD PDC , LDAP and Single-Sign-On
Rowland Penny
rowlandpenny241155 at gmail.com
Sat Oct 10 09:18:14 UTC 2015
On 10/10/15 08:26, Mark Foley wrote:
> On Sat, 10 Oct 2015 16:07 Andrew Bartlett wrote
>
>> For the pain that you are about to endure, I can only offer my apologies.
> Apologies accepted! :) Seriously though, the Samba team has done a great job
> with the AD stuff. I was pretty much able to drop Samba4 in as a replacement
> for our SBS 2008 with virtually no issues. What issues I had were mostly
> Microsoft idiosyncrasies (refer to my GPO rant to Rowland). I used the
> Slackware as-shipped Samba4, provisioned (with BIND9_FLATFILE), added users
> with RSAT ADUC and Win7 domain users were none the wiser, everything just
> worked: redirected folders, RDC, SQL Server "Windows Authentication", etc. Good
> job!
>
> My quest to replace Microsoft continues ...
>
> For my immediate need, I'd like someone to give me the proverbial "fish" and I'll
> "learn to fish" later. Given that my AD domain users are group 100, and the AD
> users UID range is 3000000-3000099, what should my idmap config settings look
> like in the wiki-adapted 'member server' smb.conf shown below? Just tell me the
> right answer, I'll figure out why later.
>
> [global]
> netbios name = uCommon
> workgroup = HPRS
> security = ADS
> realm = HPRS.LOCAL
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> idmap config *:backend = tdb
> idmap config *:range = ???-???
> idmap config HPRS:backend = ad
> idmap config HPRS:schema_mode = rfc2307
> idmap config HPRS:range = ???-???
OK, let's see if I can explain this:
'idmap *' is where all the AD well-known SIDs are mapped (see
https://support.microsoft.com/en-us/kb/243330); these are pretty much
the same as Unix system users & groups.
'idmap config HPRS' is where your users & groups are mapped; how they
are mapped is up to the sysadmin, i.e. you.
You can use winbind with either the 'ad' or 'rid' backend, or you can
use sssd or nslcd.
The problem with using the 'rid' backend is that you will definitely
get different numbers on a member server (or client, workstation, call
it what you will) than on the DC. Now this shouldn't really be a
problem if you only use the Samba DC for authentication.
Now we come to the numbers used on the DC. For some reason, the Samba
devs decided to use numbers starting at 3000000, but then decided to
give 'Domain Users' the number 100 (this is the Unix 'users' group
gid); this was in my opinion a *bad* idea. I now hear you asking why?
Well, the two ranges ('idmap config *' & 'idmap config HPRS') have to
be separate ranges that do not overlap, but there is also another range
that doesn't appear in smb.conf: this is the local users & groups that
start at 0, and your idmap ranges must not overlap this range as well.
How do you do this when 'Domain Users' has the gid of 100?
The scheme I use is simple: everything below 2000 is a local user,
2000-9999 is for the well-known SIDs and 10000 up is for AD users &
groups. Depending on which Unix distro you use, system users & groups
will either end at 499 or 999, so at the least my scheme gives the
possibility of 1000 local users and, as you actually don't need *any*
local users, should be sufficient. There are also only approx. 100
well-known SIDs, so the next range is more than sufficient, and as for
the last range, if you run out, you just raise the last number.
It is no use giving every user a unique uidNumber unless you also give
'Domain Users' a gidNumber; winbind will not work until you do. Also,
whatever numbers you use, they must all be inside whatever range you
set in 'idmap config HPRS'; anything outside the range is ignored, i.e.
if the range is 10000-99999 and a user has the uidNumber of 1000 it
will be ignored as an AD user. But here is the one that gets most
people: if you give 'Domain Users' the gidNumber of 100 (as on the DC),
it will be ignored, and if 'Domain Users' is ignored, all other users
and groups will be ignored!
All of the above only has reference to a 'member server'; idmap works
differently on an AD DC (i.e. as I said, Domain Users gets set to 100
even though it probably shouldn't).
HTH
Rowland
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = Yes
>
> [demoshare]
> path = /srv/samba/test
> read only = no
>
>
> Thanks, --Mark
>
> -----Original Message-----
>> From: Andrew Bartlett <abartlet at samba.org>
>> To: Mark Foley <mfoley at ohprs.org>, samba at lists.samba.org
>> Date: Sat, 10 Oct 2015 16:07:22 +1300
>> Subject: Re: [Samba] Samba AD PDC , LDAP and Single-Sign-On
>>
>> On Fri, 2015-10-09 at 21:08 -0400, Mark Foley wrote:
>>> Thanks again for your quick reply ...
>>> Frankly, even after reading the
>>> https://www.samba.org/samba/docs/man/manpages/idmap_ad.8.html wiki, I
>>> don't
>>> really get the differentiation between 'idmap config *' and 'idmap
>>> config DOMAIN'
>>>
>>> Do I have to have something similar on the AD/DC? Right now, there
>>> are no idmap
>>> statements in that smb.conf.
>>>
>>> Thanks for your time (and patience), --Mark
>>
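The rules Rowland lays out above (the 'idmap config *' range, the 'idmap config HPRS' range and the local /etc/passwd range must not overlap; a uidNumber or gidNumber outside the domain range is ignored by the 'ad' backend; an ignored 'Domain Users' takes every user with it) can be checked mechanically before you restart winbind. The script below is an added example and is not code from the list post or from the Samba project. It fills the ??? in Mark's member-server smb.conf once with overlapping ranges and once with Rowland's 2000/10000 scheme, and then applies the "in range or ignored" rule to a small set of constructed directory objects. LOCAL_RANGE, both smb.conf fragments and the USERS/GROUPS dictionaries are assumptions made up for the example; the regex only reads 'idmap config X : range' lines.

```python
"""Sanity-check idmap ranges and rfc2307 IDs for a Samba AD member server.

Added example, not from the samba list post or the Samba project. It encodes
the rules stated in the reply above: the '*' range, the DOMAIN range and the
local (/etc/passwd) range must not overlap, and an ID outside the DOMAIN
range is ignored by the 'ad' backend, with an ignored 'Domain Users'
dragging every user down with it. LOCAL_RANGE, the smb.conf text and the
directory objects below are constructed for the example.
"""
import re

# Assumption (the scheme in the post): everything below 2000 is a local account.
LOCAL_RANGE = (0, 1999)

# Constructed smb.conf fragments: the ranges left as ??? in the post, filled
# in once badly (overlapping) and once with the scheme Rowland describes.
BAD_CONF = """
[global]
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config HPRS : backend = ad
    idmap config HPRS : schema_mode = rfc2307
    idmap config HPRS : range = 1000-9999
"""

GOOD_CONF = """
[global]
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    idmap config HPRS : backend = ad
    idmap config HPRS : schema_mode = rfc2307
    idmap config HPRS : range = 10000-99999
"""

# Accepts both 'idmap config *:range' and 'idmap config * : range'.
RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)


def parse_idmap_ranges(conf):
    """Return {domain: (low, high)} for every 'idmap config X : range' line."""
    ranges = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges


def overlaps(a, b):
    """True when two inclusive (low, high) ranges share at least one ID."""
    return a[0] <= b[1] and b[0] <= a[1]


def range_problems(ranges, local_range=LOCAL_RANGE):
    """List every pair of ranges (local, '*', DOMAIN, ...) that overlap."""
    named = [("local", local_range)] + sorted(ranges.items())
    problems = []
    for i, (n1, r1) in enumerate(named):
        for n2, r2 in named[i + 1:]:
            if overlaps(r1, r2):
                problems.append(f"{n1} {r1} overlaps {n2} {r2}")
    return problems


def visible_accounts(domain_range, users, groups, primary_group="Domain Users"):
    """Apply the post's rule for the 'ad' backend.

    users: {name: uidNumber}, groups: {name: gidNumber}. An ID outside the
    DOMAIN range is ignored; if the primary group ('Domain Users') is
    ignored, no user is usable at all, whatever its uidNumber.
    Returns (usable_users, usable_groups), both sorted.
    """
    lo, hi = domain_range

    def in_range(n):
        return n is not None and lo <= n <= hi

    ok_groups = sorted(g for g, gid in groups.items() if in_range(gid))
    if primary_group not in ok_groups:
        return [], ok_groups
    ok_users = sorted(u for u, uid in users.items() if in_range(uid))
    return ok_users, ok_groups


# Constructed directory contents: 'Domain Users' with the DC-style gid 100
# that Mark describes, versus the same group renumbered inside the range.
USERS = {"mark": 10001, "alice": 10002, "svc_backup": 1001}
GROUPS_DC_STYLE = {"Domain Users": 100, "staff": 10100}
GROUPS_FIXED = {"Domain Users": 10000, "staff": 10100}


def main():
    for label, conf in (("bad", BAD_CONF), ("good", GOOD_CONF)):
        ranges = parse_idmap_ranges(conf)
        print(label, ranges, range_problems(ranges) or "no overlap")
    dom = parse_idmap_ranges(GOOD_CONF)["HPRS"]
    print("Domain Users = 100:  ", visible_accounts(dom, USERS, GROUPS_DC_STYLE))
    print("Domain Users = 10000:", visible_accounts(dom, USERS, GROUPS_FIXED))


if __name__ == "__main__":
    main()
```

With the bad fragment the checker reports the HPRS range colliding with both the local range and the '*' range; with the good fragment it reports nothing. The account check shows the trap from the post directly: with 'Domain Users' left at gid 100 no user is visible even though mark and alice have uidNumbers inside 10000-99999, and svc_backup with uidNumber 1001 stays invisible in both cases because it sits outside the HPRS range. Run it against your own smb.conf by replacing GOOD_CONF with the file contents, and against the real directory by filling the dictionaries from, for example, the uidNumber/gidNumber values shown by RSAT.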