[Samba] Samba AD PDC , LDAP and Single-Sign-On

Rowland Penny rowlandpenny241155 at gmail.com
Sun Oct 11 08:50:13 UTC 2015


On 11/10/15 06:46, Mark Foley wrote:
> On Sat, 10 Oct 2015 10:18 Rowland Penny wrote
>
>> ... the two ranges ('idmap config *' & 'idmap config HPRS') have to be separate
>> ranges that do not overlap, but there is also another range that doesn't appear
>> in smb.conf, this is the local users & groups that start at 0 and your idmap
>> ranges must not overlap this range as well and how do you do this when 'Domain
>> Users' has the gid of 100????
> So, having AD users in GID 100 is a problem - I'll have overlap.

No, just give Domain Users a gidNumber that isn't 100 and is inside your 
range.

>
>> It is no use giving every user a unique uidNumber, unless you also give 'Domain
>> Users' a gidNumber, winbind will not work until you do.  Also whatever numbers
>> you use, they must all be inside whatever range you set in 'idmap config HPRS',
>> anything outside the range is ignored ...  here is the one that gets most
>> people, if you give 'Domain Users' the gidNumber of 100 (as on the DC), it will
>> be ignored and if 'Domain Users' is ignored, all other users and groups will be
>> ignored!
> Therefore, I will change the GID for AD users to 10000. While I'm at it, I'll
> change the AD users UID range to 10000-99999. So, my idmap configs will look
> basically like the wiki example:
>
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> idmap config HPRS:backend = ad
> idmap config HPRS:schema_mode = rfc2307
> idmap config HPRS:range = 10000-99999
>
> It's not a big deal to change the file ownerships on the AD/DC, but I also need
> to change Samba to use these new IDs so that when folders are created in
> /redirectedFolders (while still using Windows) they are created with the correct
> GID and UID. I suppose that means wbinfo will have to return, e.g.:
>
> $ wbinfo -i mark
> HPRS\mark:*:10026:10000:Mark Foley:/home/HPRS/mark:/bin/false
>
> instead of 3000026:100.

wbinfo goes direct to winbind, bypassing everything else; you *need* to 
use 'getent passwd mark' instead. Until this returns the same info as 
wbinfo -i, you will not get anywhere. If you do use the 
winbind 'ad' backend with the required uidNumber & gidNumber attributes, 
you will get the same results everywhere:

root at dc01:~# getent passwd rowland
HOME\rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

rowland at debnet:~$ getent passwd rowland
rowland:*:10000:10000::/home/rowland:/bin/bash


>
> Furthermore, new users created with RSAT ADUC will have to be created with
> group 10000 and UIDs 100xx.
>
> How do I do that?

I will send this to you offlist

Rowland

> --Mark
>
> -----Original Message-----
>> Date: Sat, 10 Oct 2015 10:18:14 +0100
>> From: Rowland Penny <rowlandpenny241155 at gmail.com>
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Samba AD PDC , LDAP and Single-Sign-On
>>
>> On 10/10/15 08:26, Mark Foley wrote:
>>> On Sat, 10 Oct 2015 16:07 Andrew Bartlett wrote
>>>
>>>> For the pain that you are about to endure, I can only offer my apologies.
>>> Apologies accepted! :) Seriously though, the Samba team has done a great job
>>> with the AD stuff.  I was pretty much able to drop Samba4 in as a replacement
>>> for our SBS 2008 with virtually no issues.  What issues I had were mostly
>>> Microsoft idiosyncrasies (refer to my GPO rant to Rowland).  I used the
>>> Slackware as-shipped Samba4, provisioned (with BIND9_FLATFILE), added users
>>> with RSAT ADUC and Win7 domain users were none the wiser, everything just
>>> worked: redirected folders, RDC, SQL Server "Windows Authentication", etc.  Good
>>> job!
>>>
>>> My quest to replace Microsoft continues ...
>>>
>>> For my immediate need, I'd like someone to give me the proverbial "fish" and I'll
>>> "learn to fish" later. Given that my AD domain users are group 100, and the AD
>>> users UID range is 3000000-3000099, what should my idmap config settings look
>>> like in the wiki-adapted 'member server' smb.conf shown below? Just tell me the
>>> right answer, I'll figure out why later.
>>>
>>> [global]
>>>     netbios name = uCommon
>>>     workgroup = HPRS
>>>     security = ADS
>>>     realm = HPRS.LOCAL
>>>     dedicated keytab file = /etc/krb5.keytab
>>>     kerberos method = secrets and keytab
>>>
>>>     idmap config *:backend = tdb
>>>     idmap config *:range = ???-???
>>>     idmap config HPRS:backend = ad
>>>     idmap config HPRS:schema_mode = rfc2307
>>>     idmap config HPRS:range = ???-???
>> OK, let's see if I can explain this:
>>
>> 'idmap *' is where all the AD well-known SIDs are mapped (see
>> https://support.microsoft.com/en-us/kb/243330), these are pretty much
>> the same as Unix system users & groups
>>
>> 'idmap config HPRS' is where your users & groups are mapped, how they
>> are mapped is up to the sysadmin i.e. you.
>> You can use winbind with either the 'ad' or 'rid' backend, or you can
>> use sssd or nslcd.
>>
>> The problem with using the 'rid' backend is that you will
>> definitely get different numbers on a member server (or client,
>> workstation, call it what you will) to the DC, now this shouldn't really
>> be a problem if you only use the Samba DC for authentication.
>>
>> Now we come to the numbers used on the DC, for some reason, the Samba
>> devs decided to use numbers starting at 3000000, but then decided to
>> give 'Domain Users' the number 100 (this is Unix users group gid), this
>> was in my opinion a *bad* idea. I now hear you asking why? Well the two
>> ranges ('idmap config *' & 'idmap config HPRS') have to be separate
>> ranges that do not overlap, but there is also another range that doesn't
>> appear in smb.conf, this is the local users & groups that start at 0 and
>> your idmap ranges must not overlap this range as well and how do you do
>> this when 'Domain Users' has the gid of 100????
>> The scheme I use is simple, everything below 2000 is a local user,
>> 2000-9999 is for the well-known SIDs and 10000 up is for AD users &
>> groups. Depending on which Unix distro you use, system users & groups
>> will either end at 499 or 999, so at the least, my scheme gives the
>> possibility of a 1000 local users and as you actually don't need *any*
>> local users, should be sufficient. There are also only approx 100
>> well-known SIDs, so the next range is more than sufficient and as for
>> the last range, if you run out, you just raise the last number.
>>
>> It is no use giving every user a unique uidNumber, unless you also give
>> 'Domain Users' a gidNumber, winbind will not work until you do. Also
>> whatever numbers you use, they must all be inside whatever range you
>> set in 'idmap config HPRS', anything outside the range is ignored i.e.
>> if the range is 10000-99999 and a user has the uidNumber of 1000 it will
>> be ignored as an AD user, but here is the one that gets most people, if
>> you give 'Domain Users' the gidNumber of 100 (as on the DC), it will be
>> ignored and if 'Domain Users' is ignored, all other users and groups
>> will be ignored!
>>
>> All of the above only has reference to a 'member server', idmap works
>> differently on an AD DC (i.e. as I said, Domain Users gets set to 100
>> even though it probably shouldn't)
>>
>> HTH
>>
>> Rowland
>>
>>>     winbind nss info = rfc2307
>>>     winbind trusted domains only = no
>>>     winbind use default domain = yes
>>>     winbind enum users  = yes
>>>     winbind enum groups = yes
>>>     winbind refresh tickets = Yes
>>>
>>> [demoshare]
>>>     path = /srv/samba/test
>>>     read only = no
>>>
>>>
>>> Thanks, --Mark
>>>
>>> -----Original Message-----
>>>> From: Andrew Bartlett <abartlet at samba.org>
>>>> To: Mark Foley <mfoley at ohprs.org>, samba at lists.samba.org
>>>> Date: Sat, 10 Oct 2015 16:07:22 +1300
>>>> Subject: Re: [Samba] Samba AD PDC , LDAP and Single-Sign-On
>>>>
>>>> On Fri, 2015-10-09 at 21:08 -0400, Mark Foley wrote:
>>>>> Thanks again for your quick reply ...
>>>>> Frankly, even after reading the
>>>>> https://www.samba.org/samba/docs/man/manpages/idmap_ad.8.html wiki, I
>>>>> don't
>>>>> really get the differentiation between 'idmap config *' and 'idmap
>>>>> config DOMAIN'
>>>>>
>>>>> Do I have to have something similar on the AD/DC? Right now, there
>>>>> are no idmap
>>>>> statements in that smb.conf.
>>>>>
>>>>> Thanks for your time (and patience), --Mark
>>
>> -- 
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
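The range rules Rowland spells out above (the 'idmap config *' and 'idmap config HPRS' ranges must not overlap each other or the local ids that start at 0, and every uidNumber/gidNumber, 'Domain Users' above all, must sit inside the domain range or winbind ignores it) can be checked offline before touching a member server. The script below is an added example written for this page, not Samba's own tooling: the smb.conf fragments and the uidNumber/gidNumber values are constructed, and the 0-1999 local range and the HPRS domain name follow the scheme in the thread rather than any real server.

```python
"""Offline sanity check for winbind 'ad' backend id mapping.

Rules mirrored from the thread: the '*' range and the DOMAIN range must not
overlap each other or the local 0..N ids, and every AD uidNumber/gidNumber
(Domain Users first of all) must sit inside the DOMAIN range, or winbind
ignores it. All sample data below is constructed, not taken from a server.
"""
import re

# Constructed smb.conf fragment modelled on the thread's member-server config.
GOOD_SMB_CONF = """
[global]
    workgroup = HPRS
    security = ADS
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    idmap config HPRS:backend = ad
    idmap config HPRS:schema_mode = rfc2307
    idmap config HPRS:range = 10000-99999
"""

# Constructed fragment with two classic mistakes: the '*' range reaches down
# into the local-user space and its top end touches the domain range.
BAD_SMB_CONF = """
[global]
    idmap config *:range = 500-10000
    idmap config HPRS:range = 10000-99999
"""

# Constructed rfc2307 attribute data: (uidNumber, primary gidNumber) per user,
# gidNumber per group.
GOOD_DIRECTORY = {
    "users": {"mark": (10026, 10000), "rowland": (10000, 10000)},
    "groups": {"Domain Users": 10000, "Domain Admins": 10001},
}
# The DC-style numbering the thread warns about: Domain Users = 100,
# users numbered from 3000000.
BAD_DIRECTORY = {
    "users": {"mark": (3000026, 100)},
    "groups": {"Domain Users": 100},
}

# Assumption following Rowland's scheme: local passwd/group ids stay below 2000.
LOCAL_ID_MAX = 1999

RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.M)


def parse_idmap_ranges(conf):
    """Return {'*': (lo, hi), 'HPRS': (lo, hi), ...} from smb.conf text."""
    return {m.group(1): (int(m.group(2)), int(m.group(3)))
            for m in RANGE_RE.finditer(conf)}


def _overlaps(a, b):
    return a[0] <= b[1] and b[0] <= a[1]


def check_ranges(ranges, local_max=LOCAL_ID_MAX):
    """Problems with the idmap ranges themselves: order, local clash, overlap."""
    problems = []
    for name, (lo, hi) in ranges.items():
        if lo > hi:
            problems.append(f"{name}: range {lo}-{hi} is reversed")
        if lo <= local_max:
            problems.append(f"{name}: range {lo}-{hi} overlaps local ids 0-{local_max}")
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if _overlaps(ranges[a], ranges[b]):
                problems.append(f"{a} and {b}: ranges overlap")
    return problems


def check_directory(ranges, domain, directory):
    """Problems with AD uidNumber/gidNumber values relative to the domain range."""
    lo, hi = ranges[domain]
    problems = []

    def inside(n):
        return n is not None and lo <= n <= hi

    du = directory["groups"].get("Domain Users")
    if not inside(du):
        # The one that gets most people: without a usable Domain Users
        # gidNumber, winbind ignores every user and group in the domain.
        problems.append(f"Domain Users gidNumber {du} is not inside {domain} range "
                        f"{lo}-{hi}: winbind will ignore all users and groups")
    for user, (uid, gid) in directory["users"].items():
        if not inside(uid):
            problems.append(f"user {user}: uidNumber {uid} outside {lo}-{hi}, ignored")
        if not inside(gid):
            problems.append(f"user {user}: gidNumber {gid} outside {lo}-{hi}, ignored")
    for group, gid in directory["groups"].items():
        if not inside(gid):
            problems.append(f"group {group}: gidNumber {gid} outside {lo}-{hi}, ignored")
    return problems


def audit(conf, domain, directory):
    """Full check: returns an empty list when the setup follows the thread's rules."""
    ranges = parse_idmap_ranges(conf)
    return check_ranges(ranges) + check_directory(ranges, domain, directory)


if __name__ == "__main__":
    for label, conf, data in (("good", GOOD_SMB_CONF, GOOD_DIRECTORY),
                              ("bad", BAD_SMB_CONF, BAD_DIRECTORY)):
        print(label, audit(conf, "HPRS", data) or ["ok"])
```

On a live member server the directory dictionary would be filled from the uidNumber/gidNumber attributes in AD (for example via an ldbsearch/ldapsearch export) and the config from 'testparm -s'; the check itself stays the same. A clean result still has to be confirmed with 'getent passwd', as the thread says, since that is what the rest of the system sees.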



