[Samba] Samba AD PDC , LDAP and Single-Sign-On

Rowland Penny rowlandpenny241155 at gmail.com
Sat Oct 10 09:18:14 UTC 2015


On 10/10/15 08:26, Mark Foley wrote:
> On Sat, 10 Oct 2015 16:07 Andrew Bartlett wrote
>
>> For the pain that you are about to endure, I can only offer my apologies.
> Apologies accepted! :) Seriously though, the Samba team has done a great job
> with the AD stuff.  I was pretty much able to drop Samba4 in as a replacement
> for our SBS 2008 with virtually no issues.  What issues I had were mostly
> Microsoft idiosyncrasies (refer to my GPO rant to Rowland).  I used the
> Slackware as-shipped Samba4, provisioned (with BIND9_FLATFILE), added users
> with RSAT ADUC and Win7 domain users were none the wiser, everything just
> worked: redirected folders, RDC, SQL Server "Windows Authentication", etc.  Good
> job!
>
> My quest to replace Microsoft continues ...
>
> For my immediate need, I'd like someone to give me the proverbial "fish" and I'll
> "learn to fish" later. Given that my AD domain users are group 100, and the AD
> users UID range is 3000000-3000099, what should my idmap config settings look
> like in the wiki-adapted 'member server' smb.conf shown below? Just tell me the
> right answer, I'll figure out why later.
>
> [global]
>    netbios name = uCommon
>    workgroup = HPRS
>    security = ADS
>    realm = HPRS.LOCAL
>    dedicated keytab file = /etc/krb5.keytab
>    kerberos method = secrets and keytab
>
>    idmap config *:backend = tdb
>    idmap config *:range = ???-???
>    idmap config HPRS:backend = ad
>    idmap config HPRS:schema_mode = rfc2307
>    idmap config HPRS:range = ???-???

OK, let's see if I can explain this:

'idmap *' is where all the AD well-known SIDs are mapped (see 
https://support.microsoft.com/en-us/kb/243330), these are pretty much 
the same as Unix system users & groups

'idmap config HPRS' is where your users & groups are mapped, how they 
are mapped is up to the sysadmin i.e. you.
You can use winbind with either the 'ad' or 'rid' backend, or you can 
use sssd or nlscd.

The problem with using the 'rid' backend is that you will 
definitely get different numbers on a member server (or client, 
workstation, call it what you will) to the DC, now this shouldn't really 
be a problem if you only use the Samba DC for authentication.

Now we come to the numbers used on the DC, for some reason, the Samba 
devs decided to use numbers starting at 3000000, but then decided to 
give 'Domain Users' the number 100 (this is Unix users group gid), this 
was in my opinion a *bad* idea. I now hear you asking why? Well the two 
ranges ('idmap config *' & 'idmap config HPRS') have to be separate 
ranges that do not overlap, but there is also another range that doesn't 
appear in smb.conf, this is the local users & groups that start at 0 and 
your idmap ranges must not overlap this range as well and how do you do 
this when 'Domain Users' has the gid of 100????
The scheme I use is simple, everything below 2000 is a local user, 
2000-9999 is for the well-known SIDs and 10000 up is for AD users & 
groups. Depending on which Unix distro you use, system users & groups 
will either end at 499 or 999, so at the least, my scheme gives the 
possibility of 1000 local users and as you actually don't need *any* 
local users, should be sufficient. There are also only approx 100 
well-known SIDs, so the next range is more than sufficient and as for 
the last range, if you run out, you just raise the last number.

It is no use giving every user a unique uidNumber, unless you also give 
'Domain Users' a gidNumber, winbind will not work until you do. Also 
whatever numbers you use, they must all be inside whatever range you 
set in 'idmap config HPRS', anything outside the range is ignored i.e. 
if the range is 10000-99999 and a user has the uidNumber of 1000 it will 
be ignored as an AD user, but here is the one that gets most people, if 
you give 'Domain Users' the gidNumber of 100 (as on the DC), it will be 
ignored and if 'Domain Users' is ignored, all other users and groups 
will be ignored!

All of the above only has reference to a 'member server', idmap works 
differently on an AD DC (i.e. as I said, Domain Users gets set to 100 
even though it probably shouldn't)

HTH

Rowland

>
>    winbind nss info = rfc2307
>    winbind trusted domains only = no
>    winbind use default domain = yes
>    winbind enum users  = yes
>    winbind enum groups = yes
>    winbind refresh tickets = Yes
>
> [demoshare]
>    path = /srv/samba/test
>    read only = no
>
>
> Thanks, --Mark
>
> -----Original Message-----
>> From: Andrew Bartlett <abartlet at samba.org>
>> To: Mark Foley <mfoley at ohprs.org>, samba at lists.samba.org
>> Date: Sat, 10 Oct 2015 16:07:22 +1300
>> Subject: Re: [Samba] Samba AD PDC , LDAP and Single-Sign-On
>>
>> On Fri, 2015-10-09 at 21:08 -0400, Mark Foley wrote:
>>> Thanks again for your quick reply ...
>>> Frankly, even after reading the
>>> https://www.samba.org/samba/docs/man/manpages/idmap_ad.8.html wiki, I
>>> don't
>>> really get the differentiation between 'idmap config *' and 'idmap
>>> config DOMAIN'
>>>
>>> Do I have to have something similar on the AD/DC? Right now, there
>>> are no idmap
>>> statements in that smb.conf.
>>>
>>> Thanks for your time (and patience), --Mark
>>
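A worked check of the range rules discussed in this reply, added here as an illustration and not code from the thread or from Samba: it parses the idmap ranges from a constructed smb.conf (the member-server config above with Rowland's scheme filled in), flags ranges that overlap each other or the implicit local 0-1999 range, and applies the out-of-range rule to constructed rfc2307 attributes matching the thread (uidNumbers at 3000000+, 'Domain Users' gidNumber 100). The cascade is modelled for users only, since a user whose primary group cannot be mapped cannot be mapped either.

```python
import re

# Constructed smb.conf fragment: the member-server config from the thread with
# the ranges filled in using the scheme in the reply (2000-9999 for well-known
# SIDs, 10000 upwards for AD users and groups).
SMB_CONF = """
[global]
   workgroup = HPRS
   security = ADS
   realm = HPRS.LOCAL
   idmap config *:backend = tdb
   idmap config *:range = 2000-9999
   idmap config HPRS:backend = ad
   idmap config HPRS:schema_mode = rfc2307
   idmap config HPRS:range = 10000-99999
"""

# Constructed rfc2307 attributes as provisioned on the DC in the thread:
# uidNumbers at 3000000+, 'Domain Users' gidNumber 100.
DC_USERS = {"mark": 3000000, "alice": 3000001}
DC_GROUPS = {"Domain Users": 100, "staff": 3000050}

RANGE_RE = re.compile(r"^\s*idmap config\s+([^:\s]+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.M)


def parse_idmap_ranges(conf):
    """Return {name: (low, high)} for each 'idmap config NAME:range' line."""
    return {m.group(1): (int(m.group(2)), int(m.group(3))) for m in RANGE_RE.finditer(conf)}


def overlapping_ranges(ranges, local_max=1999):
    """Pairs of ranges that overlap. The local passwd/group range 0..local_max
    never appears in smb.conf but must not be overlapped either."""
    rngs = dict(ranges, local=(0, local_max))
    names = sorted(rngs)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if rngs[a][0] <= rngs[b][1] and rngs[b][0] <= rngs[a][1]]


def ignored_accounts(ranges, domain, users, groups, primary_group="Domain Users"):
    """Apply the rule from the reply: a uidNumber/gidNumber outside the DOMAIN
    range is ignored, and if the primary group is ignored every user is too."""
    lo, hi = ranges[domain]
    ignored = {g for g, gid in groups.items() if not lo <= gid <= hi}
    ignored |= {u for u, uid in users.items() if not lo <= uid <= hi}
    if primary_group in ignored:
        ignored |= set(users)  # no mappable primary gid, so no mappable user
    return ignored
```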