[Samba] Samba 4 + Squidguardian
L.P.H. van Belle
belle at bazuin.nl
Tue Oct 20 09:32:50 UTC 2015
> Well, I will give you this one, on DC you cannot, but on a domain member
> you can: winbind use default domain = yes
> However, it is not recommended to use the DC as a fileserver
wbinfo -u returns only the username on my DCs.
Just add this to the DC and it works fine. Yes, yes, it's for a member server, but it works fine for me on my DCs also, and as a result getent, id and wbinfo return the same info on all my servers.
I believe it's safe to use it like this.
Side note: this is IF you assign all users/groups a UID/GID.
If not all are assigned, the groups on the DC get a 3xxxxxx GID or no users are shown.
# Use home directory and shell information from AD
winbind nss info = rfc2307
winbind use default domain = yes
template shell = /bin/bash
template homedir = /home/users/%U
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
> Sent: Tuesday 20 October 2015 11:10
> To: samba
> Subject: Re: [Samba] Samba 4 + Squidguardian
>
> On 20/10/15 09:05, mathias dufresne wrote:
> >
> > 2015-10-19 18:08 GMT+02:00 Rowland Penny <rowlandpenny241155 at gmail.com
> > <mailto:rowlandpenny241155 at gmail.com>>:
> >
> > On 19/10/15 16:46, mathias dufresne wrote:
> >
> > AD from Samba or Microsoft is mainly a database for storing users (and
> > associated stuff). It also comes with stuff (protocols) to connect and
> > retrieve information.
> >
> > How the client uses this information is, as always, a choice of that
> > specific client.
> >
> > Your AD client is your Squid/Squidguard(ian) server. Its job as AD client
> > is to get some user information from AD to build system users. I insist on
> > the fact that system users are forged. Purely.
> >
> > What is responsible for that forging process? What you declared in
> > /etc/nsswitch.conf.
> > Generally it is winbind, sssd or nslcd.
> >
> > Each one of these tools comes with its own set of options, tweaks and
> > configuration files to define how to forge users from the local system's
> > point of view.
> >
> > Each one except for Winbind, which forges users as it decides to, no matter
> > the desires of the local system admin. At least this is how I understood
> > winbind's behaviour (which has no configuration file as far as I know).
> >
> >
> > Well, apart from idmap.ldb on a DC and the idmap_config lines in
> > smb.conf on a domain member, there are no configuration files. :-D
> >
> >
> > idmap.ldb -> TDB database version 6, little-endian hash size 10000 bytes
> > idmap_config lines in smb.conf -> how would you set them to configure
> > Winbind to not add domain to user?
>
> Well, I will give you this one, on DC you cannot, but on a domain member
> you can: winbind use default domain = yes
> However, it is not recommended to use the DC as a fileserver
>
> > To use gidNumber rather than 100 which seems to reflect
> > "primaryGroupID: 513",
>
> Give the users unique uidNumbers and Domain Users a gidNumber
>
> > to set up home directory to unixHomeDirectory or to homeDirectory
> > rather than /home/<short domain name>/ sAMAccountName?
>
> template homedir = /home/%U
>
> > Is it possible to use CN or userPrincipalName rather SAMAccountName
> > when building the system user?
>
> No, you have lost me again, what do you mean by 'building the system user'?
>
> >
> > So it is not configurable.
>
> Yes it is, fully on a domain member, partially on a DC
>
> >
> >
> >
> > Perhaps you are using winbind, in that case winbind is responsible for
> > adding the domain and backslashes when forging your users.
> >
> > I don't know nslcd at all but some are using it on that mailing list. So I
> > expect it does its job too.
> >
> > I tried SSSD for the company I'm working for these days and it comes with
> > lots of configuration options. I expect it can force addition of the AD
> > domain to the username but it is not the default behaviour.
> >
> > On some DC where it uses winbind to forge users:
> >
> >
> > No, sorry, I cannot understand what you mean by forge, in English
> > this word is used for creating your own banknotes or a thing used
> > by a blacksmith.
> >
> >
> > In fact a blacksmith forges items using blacksmith tools. He creates
> > these items. These items can be something other than his own tools. In
> > fact if a blacksmith was only able to craft his own tools and nothing
> > else for other people, this kind of job would have quickly disappeared...
>
> So what you meant was 'create a user', please don't try to get creative
> with the English language, just say what you mean.
> As for forge and a blacksmith, the word can mean the place a blacksmith
> works, the 'action' of the blacksmith doing something i.e. a blacksmith
> forges horseshoes (technical note: no, this is actually done by a farrier)
> (further note: blacksmiths have virtually disappeared)
> Have we played enough with *my* language yet?
>
> >
> > Anyway you get the point, forging, crafting, building, assembling
> > elements to obtain something else, they are same concept.
>
> Same basic concept, but they all mean totally different things.
>
> >
> >
> >
> > If you add a uidNumber to a user in AD, then it should show
> > on a DC, even if you are not using winbind.
> >
> >
> > Here you should have meant "if you are using winbind" which is true
> > for UID and wrong for GID which is not reflecting gidNumber configured
> > into AD.
>
> Ah, that is because you think that giving a user a gidNumber, this
> becomes the users main GID, it doesn't. The users primary gid number is
> obtained from what is set in the aptly named 'PrimaryGidNumber'
> attribute, AD obtains this and then uses whatever gidNumber that groups
> object contains.
>
>
> > Should I speak again about home dir? Shell? Gecos? login attribute?...
>
> No, because I have already dealt with that.
>
> >
> > SSSD grants the sysadmin the possibility to choose all that, forging users as
> > the sysadmin wants to (which is most generally what his bosses asked of
> > him). Winbind can't.
> > And here the question is "how can the user have username using
> > <username> syntax rather than <domainname>\<username>. Is it possible
> > to remove domain part from username when using winbind? With the
> > idmap_config lines perhaps ? :p
>
> Anything that sssd can do, winbind can do, but, as I have admitted, only
> fully on a domain member.
>
> >
> > And more: how system is configured to retrieve users from AD! AD seems
> > well configured: it works. The question is about how to obtain system
> > users according to what this user needs and not according to what
> > winbind thinks it is the right way.
>
> As I said, winbind will do what sssd does, in fact winbind is that good,
> the later versions of sssd implement a lot of the winbind code.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
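The three symptoms argued over in this thread (a DOMAIN\ prefix on user names when "winbind use default domain" is not set, 3xxxxxx ids handed out by the DC's idmap.ldb when a user or group has no uidNumber/gidNumber in AD, and home directories that ignore "template homedir") can all be read straight out of getent output. The script below is an added example, not code from the thread or from Samba; it assumes the Samba DC default xidNumber base of 3000000, uses Louis's "template homedir = /home/users/%U" as the expected home prefix, and runs over constructed sample data in which the SAMDOM domain and every account and group are made up. On a real DC, feed it the output of getent passwd and getent group instead of the samples.

```shell
#!/bin/sh
# Added example (not from the thread or Samba): audit getent output from a
# Samba AD DC for the symptoms discussed above.
#
# Samba DC idmap.ldb allocates xidNumbers starting at 3000000 (Samba default),
# so any uid/gid at or above that means the object has no rfc2307 id in AD.
AUTO_XID_MIN=3000000
# Derived from "template homedir = /home/users/%U" in the post (assumption).
EXPECTED_HOME_PREFIX=/home/users/

# Constructed sample data standing in for `getent passwd` / `getent group`;
# the SAMDOM domain, the users and the groups are made up for this example.
SAMPLE_PASSWD='louis:*:10001:10000:Louis:/home/users/louis:/bin/bash
SAMDOM\alice:*:3000021:100:Alice:/home/SAMDOM/alice:/bin/false
bob:*:10002:10000:Bob:/home/users/bob:/bin/bash'
SAMPLE_GROUP='domain users:x:10000:
squid-allowed:x:3000015:
proxy-admins:x:10010:louis'

# audit_passwd: reads passwd(5)-format lines on stdin and prints one line
# per problem found, as "<user>: <reason>".
audit_passwd() {
    while IFS=: read -r name _pw uid gid _gecos home _shell; do
        [ -n "$name" ] || continue
        # A backslash in the name means the domain was not stripped.
        case "$name" in
            *\\*) printf '%s: name carries a DOMAIN\\ prefix\n' "$name" ;;
        esac
        if [ "$uid" -ge "$AUTO_XID_MIN" ]; then
            printf '%s: uid %s is autogenerated (no uidNumber in AD)\n' "$name" "$uid"
        fi
        if [ "$gid" -ge "$AUTO_XID_MIN" ]; then
            printf '%s: primary gid %s is autogenerated (primary group has no gidNumber)\n' "$name" "$gid"
        fi
        case "$home" in
            "$EXPECTED_HOME_PREFIX"*) ;;
            *) printf '%s: home %s does not match template homedir\n' "$name" "$home" ;;
        esac
    done
}

# audit_group: reads group(5)-format lines on stdin and prints one line per
# group whose gid was allocated by idmap.ldb instead of coming from AD.
audit_group() {
    while IFS=: read -r name _pw gid _members; do
        [ -n "$name" ] || continue
        if [ "$gid" -ge "$AUTO_XID_MIN" ]; then
            printf '%s: gid %s is autogenerated (no gidNumber in AD)\n' "$name" "$gid"
        fi
    done
}

# audit_all: run both audits over the embedded samples. On a real DC replace
# the two printf pipelines with `getent passwd | audit_passwd` and
# `getent group | audit_group`.
audit_all() {
    printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd
    printf '%s\n' "$SAMPLE_GROUP" | audit_group
}

# problem_count: number of problem lines audit_all reports.
problem_count() {
    audit_all | wc -l | tr -d ' '
}

audit_all
```

With the sample data the audit reports four problems: three for the SAMDOM\alice entry (domain prefix, autogenerated uid, home directory outside /home/users/) and one for the squid-allowed group, whose 3000015 gid shows it was never given a gidNumber; louis and bob, who have rfc2307 ids and template-shaped home directories, produce nothing. An empty report is the state Louis describes, where getent, id and wbinfo agree on every server.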