[Samba] Samba 4 + Squidguardian

Rowland Penny rowlandpenny241155 at gmail.com
Tue Oct 20 09:10:27 UTC 2015


On 20/10/15 09:05, mathias dufresne wrote:
>
> 2015-10-19 18:08 GMT+02:00 Rowland Penny <rowlandpenny241155 at gmail.com
> <mailto:rowlandpenny241155 at gmail.com>>:
>
>     On 19/10/15 16:46, mathias dufresne wrote:
>
>         AD from Samba or Microsoft is mainly a database for storing users
>         (and associated stuff). It also comes with stuff (protocols) to
>         connect and retrieve information.
>
>         How the client uses this information is, as always, a choice of
>         that specific client.
>
>         Your AD client is your Squid/Squidguard(ian) server. Its job as AD
>         client is to get some user information from AD to build system
>         users. I insist on the fact that system users are forged. Purely.
>
>         What is responsible for that forging process? What you declared in
>         /etc/nsswitch.conf. Generally it is winbind, sssd or nslcd.
>
>         Each one of these tools comes with its own set of options, tweaks
>         and configuration files to define how to forge users from the
>         local system's point of view.
>
>         Each one except for Winbind, which forges users as it decides to,
>         no matter the desires of the local system admin. At least this is
>         how I understood winbind behaviour (which has no configuration
>         file as far as I know).
>
>
>     Well, apart from idmap.ldb on a DC and the idmap_config lines in
>     smb.conf on a domain member, there are no configuration files. :-D
>
>
> idmap.ldb -> TDB database version 6, little-endian hash size 10000 bytes
> idmap_config lines in smb.conf -> how would you set them to configure
> Winbind not to add the domain to the user?

Well, I will give you this one, on a DC you cannot, but on a domain member 
you can: winbind use default domain = yes
However, it is not recommended to use the DC as a fileserver.

> To use gidNumber rather than 100, which seems to reflect 
> "primaryGroupID: 513",

Give the users unique uidNumbers and Domain Users a gidNumber.

> to set up home directory to unixHomeDirectory or to homeDirectory 
> rather than /home/<short domain name>/ sAMAccountName?

template homedir = /home/%U

> Is it possible to use CN or userPrincipalName rather than sAMAccountName 
> when building the system user?

No, you have lost me again, what do you mean by 'building the system user'?

>
> So it is not configurable.

Yes it is, fully on a domain member, partially on a DC.

>
>
>
>         Perhaps you are using winbind, in that case winbind is responsible
>         for adding the domain and backslashes when forging your users.
>
>         I don't know nslcd at all but some are using it on that mailing
>         list. So I expect it does its job too.
>
>         I tried SSSD for the company I'm working for these days and it
>         comes with a lot of configuration options. I expect it can force
>         addition of the AD domain to the username but it is not the
>         default behaviour.
>
>         On some DC where it uses winbind to forge users:
>
>
>     No, sorry, I cannot understand what you mean by forge, in English
>     this word is used for creating your own banknotes or a thing used
>     by a blacksmith.
>
>
> In fact a blacksmith forges items using blacksmith tools. He creates 
> these items. These items can be something other than his own tools. In 
> fact if a blacksmith was only able to craft his own tools and nothing 
> else for other people, this kind of job would have quickly disappeared...

So what you meant was 'create a user'; please don't try to get creative 
with the English language, just say what you mean.
As for forge and a blacksmith, the word can mean the place a blacksmith 
works, or the 'action' of the blacksmith doing something, i.e. a blacksmith 
forges horseshoes (technical note: no, this is actually done by a farrier) 
(further note: blacksmiths have virtually disappeared).
Have we played enough with *my* language yet?

>
> Anyway you get the point, forging, crafting, building, assembling 
> elements to obtain something else, they are the same concept.

Same basic concept, but they all mean totally different things.

>
>
>
>     If you add a uidNumber to a user in AD, then it should show
>     on a DC, even if you are not using winbind.
>
>
> Here you should have meant "if you are using winbind", which is true 
> for UID and wrong for GID, which does not reflect the gidNumber configured 
> in AD.

Ah, that is because you think that giving a user a gidNumber makes this 
the user's main GID; it doesn't. The user's primary gid number is 
obtained from what is set in the aptly named 'PrimaryGidNumber' 
attribute; AD obtains this and then uses whatever gidNumber that group's 
object contains.

>
> Should I speak again about home dir? Shell? Gecos? login attribute?...

No, because I have already dealt with that.

>
> SSSD grants the sysadmin the possibility to choose all that, forging users 
> as the sysadmin wants to (which is most generally what his bosses asked 
> of him). Winbind can't.
> And here the question is "how can the user have a username using 
> <username> syntax rather than <domainname>\<username>?". Is it possible 
> to remove the domain part from the username when using winbind? With the 
> idmap_config lines perhaps? :p

Anything that sssd can do, winbind can do, but, as I have admitted, only 
fully on a domain member.

>
> And more: how the system is configured to retrieve users from AD! AD seems 
> well configured: it works. The question is about how to obtain system 
> users according to what this user needs and not according to what 
> winbind thinks is the right way.

As I said, winbind will do what sssd does; in fact winbind is that good 
that the later versions of sssd implement a lot of the winbind code.

Rowland
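As an added example (not part of the thread, nor Samba project documentation), here is a domain-member smb.conf that puts Rowland's answers together: uidNumber/gidNumber read from AD via the ad idmap backend, unixHomeDirectory and loginShell taken from the RFC2307 attributes, and no domain prefix on usernames. DOMAIN, the realm and the ID ranges are placeholders to adjust for your own AD.

```ini
# Added example: Samba *domain member* (not a DC, per the thread) joined to
# the placeholder realm DOMAIN.EXAMPLE.COM. Values are assumptions.
[global]
    workgroup = DOMAIN
    realm = DOMAIN.EXAMPLE.COM
    security = ADS

    # Default backend for well-known SIDs (BUILTIN etc.) and any domain
    # without its own block. Its range must NOT overlap the domain range
    # below, otherwise mappings become ambiguous.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # Read uidNumber/gidNumber from AD instead of allocating IDs locally.
    # Users need a unique uidNumber; the primary group is resolved through
    # primaryGroupID (513 = Domain Users), so that group needs a gidNumber.
    idmap config DOMAIN : backend = ad
    idmap config DOMAIN : schema_mode = rfc2307
    idmap config DOMAIN : range = 10000-999999

    # Take home directory and shell from unixHomeDirectory / loginShell.
    # The template lines are what winbind falls back to when those
    # attributes are not set on a user.
    winbind nss info = rfc2307
    template homedir = /home/%U
    template shell = /bin/bash

    # Present "user" instead of "DOMAIN\user" to the local system.
    # Only safe in a single-domain setup: with several trusted domains,
    # same-named accounts from different domains would collide.
    winbind use default domain = yes

    # Don't enumerate the whole directory on `getent passwd` (slow and
    # exposes the full user list to any local process).
    winbind enum users = no
    winbind enum groups = no
    winbind refresh tickets = yes
```

With `passwd: files winbind` and `group: files winbind` in /etc/nsswitch.conf, `getent passwd someuser` should then return the unprefixed name with the uidNumber, gidNumber and home directory stored in AD; `wbinfo -i someuser` shows the same mapping as winbind itself sees it.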
