[Samba] Samba AD PDC , LDAP and Single-Sign-On

Mark Foley mfoley at ohprs.org
Sun Oct 11 05:46:04 UTC 2015


On Sat, 10 Oct 2015 10:18 Rowland Penny wrote

> ... the two ranges ('idmap config *' & 'idmap config HPRS') have to be separate
> ranges that do not overlap, but there is also another range that doesn't appear
> in smb.conf, this is the local users & groups that start at 0 and your idmap
> ranges must not overlap this range as well and how do you do this when 'Domain
> Users' has the gid of 100????

So, having AD users in GID 100 is a problem - I'll have overlap.

> It is no use giving every user a unique uidNumber, unless you also give 'Domain
> Users' a gidNumber, winbind will not work until you do.  Also whatever numbers
> you use, they must all be inside whatever range you set in 'idmap config HPRS',
> anything outside the range is ignored ...  here is the one that gets most
> people, if you give 'Domain Users' the gidNumber of 100 (as on the DC), it will
> be ignored and if 'Domain Users' is ignored, all other users and groups will be
> ignored!

Therefore, I will change the GID for AD users to 10000. While I'm at it, I'll
change the AD users UID range to 10000-99999. So, my idmap configs will look
basically like the wiki example:

idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config HPRS:backend = ad
idmap config HPRS:schema_mode = rfc2307
idmap config HPRS:range = 10000-99999

It's not a big deal to change the file ownerships on the AD/DC, but I also need
to change Samba to use these new IDs so that when folders are created in
/redirectedFolders (while still using Windows) they are created with the correct
GID and UID. I suppose that means wbinfo will have to return, e.g.:

$ wbinfo -i mark
HPRS\mark:*:10026:10000:Mark Foley:/home/HPRS/mark:/bin/false

instead of 3000026:100.

Furthermore, new users created with RSAT ADUC will have to be created with
group 10000 and UIDs 100xx.

How do I do that?

--Mark

-----Original Message-----
> Date: Sat, 10 Oct 2015 10:18:14 +0100
> From: Rowland Penny <rowlandpenny241155 at gmail.com>
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba AD PDC , LDAP and Single-Sign-On
>
> On 10/10/15 08:26, Mark Foley wrote:
> > On Sat, 10 Oct 2015 16:07 Andrew Bartlett wrote
> >
> >> For the pain that you are about to endure, I can only offer my apologies.
> > Apologies accepted! :) Seriously though, the Samba team has done a great job
> > with the AD stuff.  I was pretty much able to drop Samba4 in as a replacement
> > for our SBS 2008 with virtually no issues.  What issues I had were mostly
> > Microsoft idiosyncrasies (refer to my GPO rant to Rowland).  I used the
> > Slackware as-shipped Samba4, provisioned (with BIND9_FLATFILE), added users
> > with RSAT ADUC and Win7 domain users were none the wiser, everything just
> > worked: redirected folders, RDC, SQL Server "Windows Authentication", etc.  Good
> > job!
> >
> > My quest to replace Microsoft continues ...
> >
> > For my immediate need, I'd like someone to give me the proverbial "fish" and I'll
> > "learn to fish" later. Given that my AD domain users are group 100, and the AD
> > users UID range is 3000000-3000099, what should my idmap config settings look
> > like in the wiki-adapted 'member server' smb.conf shown below? Just tell me the
> > right answer, I'll figure out why later.
> >
> > [global]
> >    netbios name = uCommon
> >    workgroup = HPRS
> >    security = ADS
> >    realm = HPRS.LOCAL
> >    dedicated keytab file = /etc/krb5.keytab
> >    kerberos method = secrets and keytab
> >
> >    idmap config *:backend = tdb
> >    idmap config *:range = ???-???
> >    idmap config HPRS:backend = ad
> >    idmap config HPRS:schema_mode = rfc2307
> >    idmap config HPRS:range = ???-???
>
> OK, let's see if I can explain this:
>
> 'idmap *' is where all the AD well-known SIDs are mapped (see 
> https://support.microsoft.com/en-us/kb/243330), these are pretty much 
> the same as Unix system users & groups
>
> 'idmap config HPRS' is where your users & groups are mapped, how they 
> are mapped is up to the sysadmin i.e. you.
> You can use winbind with either the 'ad' or 'rid' backend, or you can 
> use sssd or nslcd.
>
> The problem comes from using the 'rid' backend is that you will 
> definitely get different numbers on a member server (or client, 
> workstation, call it what you will) to the DC, now this shouldn't really 
> be a problem if you only use the Samba DC for authentication.
>
> Now we come to the numbers used on the DC, for some reason, the Samba 
> devs decided to use numbers starting at 3000000, but then decided to 
> give 'Domain Users' the number 100 (this is Unix users group gid), this 
> was in my opinion a *bad* idea. I now hear you asking why? Well the two 
> ranges ('idmap config *' & 'idmap config HPRS') have to be separate 
> ranges that do not overlap, but there is also another range that doesn't 
> appear in smb.conf, this is the local users & groups that start at 0 and 
> your idmap ranges must not overlap this range as well and how do you do 
> this when 'Domain Users' has the gid of 100????
> The scheme I use is simple, everything below 2000 is a local user, 
> 2000-9999 is for the well-known SIDs and 10000 up is for AD users & 
> groups. Depending on which Unix distro you use, system users & groups 
> will either end at 499 or 999, so at the least, my scheme gives the 
> possibility of 1000 local users and as you actually don't need *any* 
> local users, should be sufficient. There are also only approx 100 
> well-known SIDs, so the next range is more than sufficient and as for 
> the last range, if you run out, you just raise the last number.
>
> It is no use giving every user a unique uidNumber, unless you also give 
> 'Domain Users' a gidNumber, winbind will not work until you do. Also 
> whatever numbers you use, they must all be inside whatever range you 
> set in 'idmap config HPRS', anything outside the range is ignored i.e. 
> if the range is 10000-99999 and a user has the uidNumber of 1000 it will 
> be ignored as an AD user, but here is the one that gets most people, if 
> you give 'Domain Users' the gidNumber of 100 (as on the DC), it will be 
> ignored and if 'Domain Users' is ignored, all other users and groups 
> will be ignored!
>
> All of the above only has reference to a 'member server', idmap works 
> differently on an AD DC (i.e. as I said, Domain Users gets set to 100 
> even though it probably shouldn't)
>
> HTH
>
> Rowland
>
> >
> >    winbind nss info = rfc2307
> >    winbind trusted domains only = no
> >    winbind use default domain = yes
> >    winbind enum users  = yes
> >    winbind enum groups = yes
> >    winbind refresh tickets = Yes
> >
> > [demoshare]
> >    path = /srv/samba/test
> >    read only = no
> >
> >
> > Thanks, --Mark
> >
> > -----Original Message-----
> >> From: Andrew Bartlett <abartlet at samba.org>
> >> To: Mark Foley <mfoley at ohprs.org>, samba at lists.samba.org
> >> Date: Sat, 10 Oct 2015 16:07:22 +1300
> >> Subject: Re: [Samba] Samba AD PDC , LDAP and Single-Sign-On
> >>
> >> On Fri, 2015-10-09 at 21:08 -0400, Mark Foley wrote:
> >>> Thanks again for your quick reply ...
> >>> Frankly, even after reading the
> >>> https://www.samba.org/samba/docs/man/manpages/idmap_ad.8.html wiki, I
> >>> don't
> >>> really get the differentiation between 'idmap config *' and 'idmap
> >>> config DOMAIN'
> >>>
> >>> Do I have to have something similar on the AD/DC? Right now, there
> >>> are no idmap
> >>> statements in that smb.conf.
> >>>
> >>> Thanks for your time (and patience), --Mark
> >>
>
>

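As an added example, not part of the thread: a Python check that parses the idmap ranges out of a member-server smb.conf, flags ranges that overlap each other or the local 0-1999 range Rowland describes, and applies his rule that any uidNumber/gidNumber outside 'idmap config HPRS' is ignored, with an ignored 'Domain Users' taking every other user and group with it. The smb.conf text and the AD attributes are constructed from the values quoted in the thread.

```python
import re

# Constructed smb.conf fragment using the ranges Mark settles on in this thread.
SMB_CONF = """
[global]
   idmap config *:backend = tdb
   idmap config *:range = 2000-9999
   idmap config HPRS:backend = ad
   idmap config HPRS:schema_mode = rfc2307
   idmap config HPRS:range = 10000-99999
"""
# Constructed RFC2307 attributes as they stand on the DC: 'Domain Users' carries the
# gidNumber 100 Rowland warns about, and mark keeps the DC-assigned uidNumber 3000026.
AD_ON_DC = [
    {"name": "Domain Users", "kind": "group", "gidNumber": 100},
    {"name": "mark", "kind": "user", "uidNumber": 3000026, "gidNumber": 100},
]
RANGE_RE = re.compile(r"^\s*idmap config ([^:\s]+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.M)

def parse_ranges(conf):
    """Return {domain: (low, high)} for every 'idmap config X:range' line in conf."""
    return {m.group(1): (int(m.group(2)), int(m.group(3))) for m in RANGE_RE.finditer(conf)}

def range_problems(ranges, local_high=1999):
    """List idmap ranges that overlap each other or the local users/groups 0..local_high."""
    problems, items = [], list(ranges.items())
    for name, (lo, hi) in items:
        if lo <= local_high:
            problems.append(f"'idmap config {name}' {lo}-{hi} overlaps local ids 0-{local_high}")
    for i, (a, (alo, ahi)) in enumerate(items):
        for b, (blo, bhi) in items[i + 1:]:
            if alo <= bhi and blo <= ahi:
                problems.append(f"'idmap config {a}' overlaps 'idmap config {b}'")
    return problems

def ignored_objects(objects, ranges, domain):
    """Apply the rule from the thread: an id outside the domain range is ignored, and if
    'Domain Users' is ignored every other user and group is ignored as well."""
    lo, hi = ranges[domain]
    ignored = set()
    for o in objects:
        own = o.get("gidNumber") if o["kind"] == "group" else o.get("uidNumber")
        if own is None or not lo <= own <= hi:
            ignored.add(o["name"])
    if "Domain Users" in ignored:
        ignored = {o["name"] for o in objects}
    return sorted(ignored)
```

Running `ignored_objects(AD_ON_DC, parse_ranges(SMB_CONF), "HPRS")` reports both objects ignored; renumbering 'Domain Users' to 10000 and mark to 10026, as Mark plans, brings the list down to nothing.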