[Samba] Winbind issues with AD member file server

Rowland penny rpenny at samba.org
Wed Jul 10 18:03:40 UTC 2019

On 10/07/2019 18:22, Eric Shell via samba wrote:
>> Can you kerberise NFS ?
> Kerberizing NFS is something we've wanted to do for a while as a way out of
> our low ID issue but wasn't ever implemented.  We may be forced to do it
> now.
This is something that is done quite regularly, if you are interested, I 
am sure that instructions can be provided ;-)
>>> We have an existing Samba 4.8.3 server that is configured to use the ldap
>>> backend and does not run winbind, which gives us the desired behavior.  I
>>> was hoping to replace that server because it has its own issues, but with
>>> the ad backend since the ldap one is no longer recommended.  gssproxy's
It is not so much that they are no longer recommended, it is the problem 
that Microsoft keeps breaking them and one of these days, they may break 
them forever.
>> man
>>> page indicates that it cannot be configured to mount otherwise.  Am I out
>>> of luck with winbind?
>> So, it isn't an AD domain member, if it was, you would have to run winbind.
> No, the old server isn't a member.  It only uses AD for authentication.
> Please see the bottom of this message for that server's smb.conf file.
> It's a real Frankenstein's monster which began as a Samba 3 configuration
> and has been touched by many hands since then, but it more or less does its
> job.  Maybe I should focus on recreating this configuration instead of
> using the ad backend, despite the ldap one being deprecated?
>> I think I have asked this twice already, but you never know, third time
>> lucky ;-)
>> What do you use the openldap server for ?
> I'm sorry, I thought I had answered this.  It is used to provide
> authentication and user information services to various Unix systems and
> web services.  It's still in place largely due to legacy reasons.

Are any of them still running and need the server ?

Could you just turn it off ?

>> Could you use an AD DC instead ?
> Similar to Kerberizing NFS, this was also a plan that was backburnered for
> a long while.
I would seriously think about this.
> --
> [global]
>   workgroup = BSOE
>   server string = SAMBA-01
>   netbios name = SAMBA-01
>   realm = ad.soe.ucsc.edu
>   security = ads
>   winbind nss info = template
>   logging = syslog at 2
>   log level = 2
>   browseable = yes
>   read only = no
>   local master = no
>   load printers = no
>   preserve case = yes
>   case sensitive = yes
>   wins support = no
>   passdb backend = tdbsam
>   printing = bsd
>   printcap name = /dev/null
>   disable spoolss = yes
>   client ldap sasl wrapping = sign
>   short preserve case = yes
>   nt acl support = no
>   wide links = no
>   unix extensions = no
>   strict locking = yes
>   kernel change notify = no
>   idmap config * : backend = ldap
>   idmap config * : range = 100-999999999
>   idmap config * : ldap_url = ldaps://ldap-01.soe.ucsc.edu/
>   idmap config * : ldap_base_dn = dc=soe,dc=ucsc,dc=edu

There was a case similar to yours very, very recently and the OP in 
that case fixed their problems by using the idmap_script winbind backend 
(you are supposed to run winbind if using 'security = ads' with Samba >= 

Authentication will be done by winbind from the AD DC and the users' info 
is pulled from ldap by the script (you will have to provide your own 
script) run by idmap_script (see idmap_script for more info)

Of course, if all the ldap server is being used for is to hold the users 
rfc2307 attributes (uidNumber, etc), then you could use AD instead, all 
the rfc2307 attributes are standard in the AD schema.
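The message above suggests the idmap_script winbind backend with a site-provided script. The following is an added example, not code from the mailing-list post or from the Samba project: a minimal POSIX sh script that speaks the request/response format idmap_script(8) documents (winbind runs the script as `SIDTOID <sid>`, `IDTOSID UID <n>` or `IDTOSID GID <n>`, and reads back one line of `UID:<n>`, `GID:<n>`, `SID:<sid>` or `ERR:<message>`). The SIDs and IDs in the lookup table are constructed sample values; the `IDMAP_RANGE_LOW`/`IDMAP_RANGE_HIGH` variables and the `lookup_table` function are assumptions for this example, and a real deployment would replace `lookup_table` with an ldapsearch against the ldap server the poster describes. The script also refuses to return any ID outside the configured idmap range, which idmap_script requires.

```shell
#!/bin/sh
# Added example of an idmap_script helper for winbind (not from the post).
# Request/response format follows idmap_script(8):
#   script SIDTOID <sid>            -> UID:<n> | GID:<n> | ERR:<msg>
#   script IDTOSID UID <n>          -> SID:<sid> | ERR:<msg>
#   script IDTOSID GID <n>          -> SID:<sid> | ERR:<msg>

# Assumed range; must match "idmap config <DOMAIN> : range" in smb.conf.
RANGE_LOW=${IDMAP_RANGE_LOW:-100}
RANGE_HIGH=${IDMAP_RANGE_HIGH:-999999999}

# CONSTRUCTED sample mapping (type, SID, id). A real script would run
# ldapsearch against the site's ldap server here instead of a fixed table.
lookup_table() {
    cat <<'EOF'
UID S-1-5-21-1111111111-2222222222-3333333333-1104 10001
UID S-1-5-21-1111111111-2222222222-3333333333-1105 10002
GID S-1-5-21-1111111111-2222222222-3333333333-513 10500
EOF
}

# True only for an integer inside the configured range; a non-numeric
# argument makes "[" fail, which is the result we want.
in_range() {
    [ "$1" -ge "$RANGE_LOW" ] 2>/dev/null && [ "$1" -le "$RANGE_HIGH" ] 2>/dev/null
}

# Answer one request exactly as winbind passes it on the command line.
# Prints the single response line; returns 0 on a mapping, 1 on ERR.
idmap_lookup() {
    line=""
    case "$1" in
    SIDTOID)
        line=$(lookup_table | awk -v s="$2" '$2 == s { print $1 ":" $3; exit }')
        ;;
    IDTOSID)
        case "$2" in
        UID|GID) ;;
        *) echo "ERR:Unknown ID type $2"; return 1 ;;
        esac
        if ! in_range "$3"; then
            echo "ERR:ID $3 outside configured range $RANGE_LOW-$RANGE_HIGH"
            return 1
        fi
        line=$(lookup_table | awk -v t="$2" -v i="$3" \
            '$1 == t && $3 == i { print "SID:" $2; exit }')
        ;;
    *)
        echo "ERR:Unknown request $1"
        return 1
        ;;
    esac
    if [ -z "$line" ]; then
        echo "ERR:No mapping for $2 $3"
        return 1
    fi
    # Never hand winbind an ID it is not allowed to use.
    case "$line" in
    UID:*|GID:*)
        n=${line#*:}
        if ! in_range "$n"; then
            echo "ERR:Mapped ID $n outside configured range $RANGE_LOW-$RANGE_HIGH"
            return 1
        fi
        ;;
    esac
    echo "$line"
    return 0
}

# When invoked by winbind, answer the request given on the command line.
if [ $# -gt 0 ]; then
    idmap_lookup "$@"
fi
```

To wire this in, the smb.conf needs `idmap config <DOMAIN> : backend = script` together with `idmap config <DOMAIN> : script = /path/to/this/script` and a matching `range`; the script must be executable by the user winbind runs as, and because winbind calls it for every unmapped SID, the ldap lookup a real version performs should be cheap or cached.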