[Samba] RFC2307 on AD DC

Marcio Vogel Merlone dos Santos marcio.merlone at a1.ind.br
Wed Aug 8 18:38:47 UTC 2018

On 08/08/2018 11:15, Rowland Penny via samba wrote:
> On Wed, 8 Aug 2018 10:18:51 -0300
> Marcio Vogel Merlone dos Santos via samba <samba at lists.samba.org> wrote:
>> I am deploying a new AD DC for our network using Ubuntu 18.04 and
>> BIND_DLZ. All is fine but the RFC2307 attributes on DC. What's the
>> recommended/correct way to use RFC2307 attributes on DC? At the wiki
>> (1) it says:
>>> For example, setting up an ID mapping back end, such
>>> as 'ad' (RFC2307) or 'rid', in the 'smb.conf' file is not supported and
>>> can cause the 'samba' service to fail
>> Indeed, I have set a smb.conf with idmap settings below and it stops
>> working after some time, with user/password errors:
>> [global]
>>       dns forwarder =
>>       netbios name = ARAUCARIA
>>       realm = AD.A1.IND.BR
>>       server role = active directory domain controller
>>       workgroup = A1
>>       server services = -dns
>>       log file = /var/log/samba/%m.log
>>       log level = 1
>>       winbind use default domain = yes
>>       winbind enum users  = yes
>>       winbind enum groups = yes
>>       idmap config * : backend = tdb
>>       idmap config * : range = 500-599
>>       idmap config A1 :backend = ad
>>       idmap config A1 :schema_mode = rfc2307
>>       idmap config A1 :range = 601-65300
>>       idmap config A1 :unix_nss_info = yes
>>       idmap config A1 :unix_primary_group = yes
>> [netlogon]
>>       path = /var/lib/samba/sysvol/ad.a1.ind.br/scripts
>>       read only = No
>> [sysvol]
>>       path = /var/lib/samba/sysvol
>>       read only = No
>> I don't want to set a winbind template, I do have rfc2307 information
>> for our users and would like to use them on DC but could not get it
>> working, can someone point me to the right direction? Is winbind the
>> way to go, or should I look to SSSD or LikeWise?
>> (1)
>> https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC
>> Thanks and best regards.
> You really didn't understand the wiki, did you ;-)
I guess I did, sort of, but I like to test and push limits. I had to see 
for myself what happens.

> OK, let's see if I can explain it better:
> On a DC, by default idmap mapping is done in idmap.ldb and this uses
> 'xidNumber' attributes, which start at '3000000'
I don't like defaults and templates. But who cares?

> The 'ad' winbind backend uses rfc2307 attributes and is only usable on
> Unix domain members.
> The 'rid' winbind backend calculates the user or group ID from the AD
> object's RID and again is only usable on a Unix domain member
> The only way to have the same ID number everywhere is to use the 'ad'
> backend, but there is a gotcha, on a DC only the uidNumber & gidNumber
> attributes from AD are used, you have to set the user shell & home
> directory with 'template' lines in smb.conf
That's the point. Is there any way to get [gu]idNumber, homeDir and 
shell from AD on the DC? This is probably a silly requirement for my 
setup, but I'd like to use my AD user also to SSH on the server - among 
many other systems.

> All of this is part of the reason why Samba doesn't recommend using a
> DC as a fileserver.
> Let's now look at what I would remove from your smb.conf:
>       dns forwarder =
>       # remove this because you are using bind9 and that is where the
>         forwarder should be set
samba-tool did it, thanks for the info.

>       winbind use default domain = yes
>       # doesn't work on a DC
>       winbind enum users  = yes
>       winbind enum groups = yes
>       # just slows things down and isn't needed.
>       idmap config * : backend = tdb
>       idmap config * : range = 500-599
>       idmap config A1 :backend = ad
>       idmap config A1 :schema_mode = rfc2307
>       idmap config A1 :range = 601-65300
>       idmap config A1 :unix_nss_info = yes
>       idmap config A1 :unix_primary_group = yes
>       # On top of not working on a DC, you have chosen stupid ranges.
Thanks for the compliment ;)
But why do you say they are stupid? Consider there will be no trusted 
domain nor any other domain at all on the network, and the plan is to import 
users with existing xidNumber from an old existing working LDAP domain - 
but no domain migration; I will take the opportunity to fix domain name, sid, 
etc. and make things right this time.

> You will also need to add this line (which would have been added if you
> provisioned with '--use-rfc2307'):
>       idmap_ldb:use rfc2307  = yes
Since I can't use *all* rfc2307 info from AD, I see no point in that.

> What users and groups have you given uidNumber & gidNumber attributes
> to? Also did you use the ranges you set in the DC smb.conf?
For now just a couple of test users, within those ranges.

> Did you follow the Samba wiki or some other howto ?
Official samba wiki.

Today I have an OpenLDAP server read not just by samba, but by all my 
services (smtp, imap, proxy, php apps, etc) and my goal was to keep a 
central user database for all environments as it is today. If that is 
possible for everything *except* for one system (THE DC), I think I'll 
have to change my goal.

Thanks, best regards.

*Marcio Merlone*
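An added check, written for this thread and not taken from it or from Samba's own tooling: a small POSIX shell lint that reads a DC smb.conf and reports the settings Rowland says to drop on a DC (the 'idmap config' lines, 'winbind use default domain', 'winbind enum users/groups', a 'dns forwarder' when DNS is handed to BIND9 with 'server services = -dns') and warns when 'idmap_ldb:use rfc2307 = yes' is missing. The two sample configs are constructed from the smb.conf quoted above, the second one with the offending lines removed and shell/home supplied by 'template' lines. The function name 'lint_dc_smbconf' and the normalisation helper are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread, not Samba's tooling): lint an AD DC
# smb.conf for the idmap/winbind settings discussed in the thread.

# Constructed sample: the poster's [global] plus one share section.
SAMPLE_BAD=$(cat <<'EOF'
[global]
      dns forwarder =
      netbios name = ARAUCARIA
      realm = AD.A1.IND.BR
      server role = active directory domain controller
      workgroup = A1
      server services = -dns
      winbind use default domain = yes
      winbind enum users  = yes
      winbind enum groups = yes
      idmap config * : backend = tdb
      idmap config * : range = 500-599
      idmap config A1 :backend = ad
      idmap config A1 :schema_mode = rfc2307
      idmap config A1 :range = 601-65300
      idmap config A1 :unix_nss_info = yes
      idmap config A1 :unix_primary_group = yes
[sysvol]
      path = /var/lib/samba/sysvol
      read only = No
EOF
)

# Constructed sample: same DC, offending lines removed, rfc2307 mapping on,
# shell and home directory taken from 'template' lines.
SAMPLE_GOOD=$(cat <<'EOF'
[global]
      netbios name = ARAUCARIA
      realm = AD.A1.IND.BR
      server role = active directory domain controller
      workgroup = A1
      server services = -dns
      idmap_ldb:use rfc2307 = yes
      template shell = /bin/bash
      template homedir = /home/%U
EOF
)

# Normalise a line so "idmap config A1 :backend = ad" and
# "idmap config a1:backend=ad" compare equal: trim, squeeze blanks around
# ':' and '=', collapse runs of blanks, lower-case.
norm_smbconf() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/[[:space:]]*:[[:space:]]*/:/g' \
        -e 's/[[:space:]]*=[[:space:]]*/=/g' \
        -e 's/[[:space:]][[:space:]]*/ /g' | tr '[:upper:]' '[:lower:]'
}

# lint_dc_smbconf FILE: prints one finding per line; the return value is
# the number of findings (0 means nothing to change).
lint_dc_smbconf() {
    conf="$1"
    count=0
    # Keep only the [global] section, minus comments and blank lines.
    global=$(awk '/^[[:space:]]*\[/ { insec = ($0 ~ /^[[:space:]]*\[global\]/); next }
                  insec && $0 !~ /^[[:space:]]*[#;]/ && NF' "$conf" | norm_smbconf)
    if ! printf '%s\n' "$global" | grep -q '^server role=active directory domain controller$'; then
        echo "not an AD DC smb.conf; DC rules do not apply"
        return 0
    fi
    while IFS= read -r line; do
        case "$line" in
            "idmap config "*":backend=ad"|"idmap config "*":backend=rid")
                echo "remove: '$line' (ad/rid backends only work on domain members)" ;;
            "idmap config "*)
                echo "remove: '$line' (idmap config lines are not supported on a DC)" ;;
            "winbind use default domain=yes")
                echo "remove: '$line' (does not work on a DC)" ;;
            "winbind enum users=yes"|"winbind enum groups=yes")
                echo "remove: '$line' (only slows lookups down)" ;;
            "dns forwarder="*)
                # Only pointless when the internal DNS server is disabled.
                printf '%s\n' "$global" | grep -q '^server services=-dns$' || continue
                echo "remove: '$line' (DNS is handed to BIND9; set the forwarder there)" ;;
            *) continue ;;
        esac
        count=$((count + 1))
    done <<EOF
$global
EOF
    if ! printf '%s\n' "$global" | grep -q '^idmap_ldb:use rfc2307=yes$'; then
        echo "add: 'idmap_ldb:use rfc2307 = yes' (needed for uidNumber/gidNumber from AD)"
        count=$((count + 1))
    fi
    return "$count"
}

# Stand-alone demo over the two constructed samples.
demo_tmp=$(mktemp)
for sample in "$SAMPLE_BAD" "$SAMPLE_GOOD"; do
    printf '%s\n' "$sample" > "$demo_tmp"
    lint_dc_smbconf "$demo_tmp" && echo "clean" || echo "findings: $?"
done
rm -f "$demo_tmp"
```

Run it against a real /etc/samba/smb.conf with 'lint_dc_smbconf /etc/samba/smb.conf' after sourcing the script; it only reads the file, so it is safe to run on a live DC before touching anything.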
