[Samba] RFC2307 on AD DC

Rowland Penny rpenny at samba.org
Wed Aug 8 14:15:38 UTC 2018


On Wed, 8 Aug 2018 10:18:51 -0300
Marcio Vogel Merlone dos Santos via samba <samba at lists.samba.org> wrote:

> Hi all,
> 
> I am deploying a new AD DC for our network using Ubuntu 18.04 and 
> BIND_DLZ. All is fine but the RFC2307 attributes on DC. What's the 
> recommended/correct way to use RFC2307 attributes on DC? At the wiki
> (1) it says:
> 
> > For example, setting up an ID mapping back end, such
> > as 'ad' (RFC2307) or 'rid', in the 'smb.conf' file is not supported and
> > can cause the 'samba' service to fail
> Indeed, I have set a smb.conf with idmap settings below and it stops 
> working after some time, with user/password errors:
> 
> [global]
>      dns forwarder = 192.168.0.254
>      netbios name = ARAUCARIA
>      realm = AD.A1.IND.BR
>      server role = active directory domain controller
>      workgroup = A1
>      server services = -dns
> 
>      log file = /var/log/samba/%m.log
>      log level = 1
> 
>      winbind use default domain = yes
>      winbind enum users  = yes
>      winbind enum groups = yes
> 
>      idmap config * : backend = tdb
>      idmap config * : range = 500-599
> 
>      idmap config A1 :backend = ad
>      idmap config A1 :schema_mode = rfc2307
>      idmap config A1 :range = 601-65300
>      idmap config A1 :unix_nss_info = yes
>      idmap config A1 :unix_primary_group = yes
> 
> [netlogon]
>      path = /var/lib/samba/sysvol/ad.a1.ind.br/scripts
>      read only = No
> 
> [sysvol]
>      path = /var/lib/samba/sysvol
>      read only = No
> 
> I don't want to set a winbind template, I do have rfc2307 information
> for our users and would like to use them on DC but could not get it
> working, can someone point me to the right direction? Is winbind the
> way to go, or should I look to SSSD or LikeWise?
> 
> (1)
> https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC
> 
> Thanks and best regards.
> 
> 

You really didn't understand the wiki, did you ;-)

OK, let's see if I can explain it better:
On a DC, by default ID mapping is done in idmap.ldb and this uses
'xidNumber' attributes, which start at '3000000'.

The 'ad' winbind backend uses rfc2307 attributes and is only usable on
Unix domain members.

The 'rid' winbind backend calculates the user or group ID from the AD
object's RID and again is only usable on a Unix domain member.

The only way to have the same ID number everywhere is to use the 'ad'
backend, but there is a gotcha: on a DC only the uidNumber & gidNumber
attributes from AD are used, you have to set the user shell & home
directory with 'template' lines in smb.conf.

All of this is part of the reason why Samba doesn't recommend using a
DC as a fileserver.

Let's now look at what I would remove from your smb.conf:

     dns forwarder = 192.168.0.254
     # remove this because you are using bind9 and that is where the
     # forwarder should be set

     winbind use default domain = yes
     # doesn't work on a DC
 
     winbind enum users  = yes
     winbind enum groups = yes
     # just slows things down and isn't needed.

     idmap config * : backend = tdb
     idmap config * : range = 500-599
     idmap config A1 :backend = ad
     idmap config A1 :schema_mode = rfc2307
     idmap config A1 :range = 601-65300
     idmap config A1 :unix_nss_info = yes
     idmap config A1 :unix_primary_group = yes
     # On top of not working on a DC, you have chosen stupid ranges.

You will also need to add this line (which would have been added if you
provisioned with '--use-rfc2307':

     idmap_ldb:use rfc2307  = yes

What users and groups have you given uidNumber & gidNumber attributes
to?
Also did you use the ranges you set in the DC smb.conf ?

Did you follow the Samba wiki or some other howto ?

Rowland
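One way to mechanise the checklist in the reply above, as an added example that is not code from the thread or from the Samba project: a small Python script that parses the posted smb.conf, flags the [global] lines the reply says to remove on a DC (the idmap config backends, winbind use default domain, winbind enum users/groups, and dns forwarder when the internal DNS server is disabled for BIND9_DLZ), flags the missing idmap_ldb:use rfc2307 line, and writes out a corrected copy. The template shell and template homedir values it appends are assumptions; the reply only says that template lines are needed. The sample input is the poster's configuration as quoted above, abridged, and the reasons it prints paraphrase the reply.

```python
"""Lint an smb.conf against the DC rules in the reply above and emit a corrected copy.
Added example, not code from the thread or from Samba; run testparm on the result."""

# Constructed sample input: the poster's smb.conf as quoted above (abridged).
POSTED_SMB_CONF = """\
[global]
    dns forwarder = 192.168.0.254
    netbios name = ARAUCARIA
    realm = AD.A1.IND.BR
    server role = active directory domain controller
    workgroup = A1
    server services = -dns
    winbind use default domain = yes
    winbind enum users  = yes
    winbind enum groups = yes
    idmap config * : backend = tdb
    idmap config * : range = 500-599
    idmap config A1 :backend = ad
    idmap config A1 :schema_mode = rfc2307
    idmap config A1 :range = 601-65300
    idmap config A1 :unix_nss_info = yes
    idmap config A1 :unix_primary_group = yes
[sysvol]
    path = /var/lib/samba/sysvol
    read only = No
"""

# Assumed values: the reply says template lines are needed on a DC but not which values.
ASSUMED_TEMPLATE_LINES = [("template shell", "/bin/bash"), ("template homedir", "/home/%U")]

def norm(key):
    """Samba matches parameter names ignoring case and whitespace."""
    return "".join(key.split()).lower()

def parse_smb_conf(text):
    """Return (section, key, value) tuples in file order; comments and blanks are dropped."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        if section is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        entries.append((section, key.strip(), value.strip()))
    return entries

def lint_dc_global(entries):
    """(key, reason) per [global] line to remove or add; [] unless 'server role' is an AD DC."""
    glob = {norm(k): v for s, k, v in entries if s.lower() == "global"}
    if glob.get("serverrole", "").lower() != "active directory domain controller":
        return []  # 'ad' and 'rid' backends are fine on a Unix domain member
    internal_dns_off = "-dns" in glob.get("serverservices", "").lower()
    problems = []
    for s, k, _ in entries:
        if s.lower() != "global":
            continue
        nk = norm(k)
        if nk.startswith("idmapconfig"):
            problems.append((k, "idmap backends are not used on a DC; IDs come from idmap.ldb"))
        elif nk == "winbindusedefaultdomain":
            problems.append((k, "does not work on a DC"))
        elif nk in ("winbindenumusers", "winbindenumgroups"):
            problems.append((k, "only slows things down; not needed"))
        elif nk == "dnsforwarder" and internal_dns_off:
            problems.append((k, "internal DNS is off (BIND9_DLZ); set the forwarder in bind9"))
    if glob.get("idmap_ldb:userfc2307", "").lower() != "yes":
        problems.append(("idmap_ldb:use rfc2307", "missing; needed for the DC to use uidNumber/gidNumber"))
    return problems

def rewrite_for_dc(entries, problems):
    """Drop flagged [global] keys, append idmap_ldb:use rfc2307 and template lines, keep other sections."""
    drop = {norm(k) for k, _ in problems}
    additions = [("idmap_ldb:use rfc2307", "yes")] + ASSUMED_TEMPLATE_LINES
    sections, order = {}, []
    for s, k, v in entries:
        if s not in sections:
            sections[s] = []
            order.append(s)
        if s.lower() == "global" and norm(k) in drop:
            continue
        sections[s].append((k, v))
    for s in order:
        if s.lower() == "global":
            present = {norm(k) for k, _ in sections[s]}
            sections[s] += [(k, v) for k, v in additions if norm(k) not in present]
    out = []
    for s in order:
        out.append(f"[{s}]")
        out += [f"    {k} = {v}" for k, v in sections[s]]
        out.append("")
    return "\n".join(out)

if __name__ == "__main__":
    parsed = parse_smb_conf(POSTED_SMB_CONF)
    found = lint_dc_global(parsed)
    print("\n".join(f"{k:28} {r}" for k, r in found), rewrite_for_dc(parsed, found), sep="\n\n")
```

The script only encodes the rules stated in the reply; it knows nothing about the rest of smb.conf, so run testparm on its output before restarting samba. The xidNumber allocations in idmap.ldb (3000000 upwards) are untouched; the uidNumber/gidNumber values you assign in AD should simply not overlap that range.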


