[Samba] Joining Linux Domain Member to Windows AD/DC

Mark Foley mfoley at novatec-inc.com
Sun Jul 23 16:53:31 UTC 2023


On Sat, 22 Jul 2023 20:58:01 Rowland Penny via samba <samba at lists.samba.org> wrote:

> On 22/07/2023 18:52, Mark Foley via samba wrote:
> > I am installing a new Linux Domain Member on an Active Directory domain that is
> > otherwise 100% Windows, including a Windows AD/DC.  Previously, I've added a
> > Linux domain member to a domain with a Samba AD/DC and I had all the needful
> > information available.
>
> It doesn't matter what the DC's are, Windows or Samba, the setup is the 
> same.
>
> > I'm using the wiki https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Introduction
> > for reference.
> > 
> > In this case, what idmap backend should I use? ad, rid, autorid?
>
> Which idmap backend you use is entirely up to you, they all have their 
> places:
>
> If you use the 'ad' idmap backend you will need to have (or add) 
> uidNumber and gidNumber attributes in AD.

I am not the admin for the Windows AD/DC, so I don't know which [uid|gid]Numbers
are set in the AD.  The actual admin is sort of a paint-by-numbers guy and I'm
doubtful he knows anything about uid/gid, but I can ask. 

> If you use the 'rid' idmap backend then the Unix ID's are calculated 
> from the AD objects RID. You will have to add a set of 'idmap config 
> lines' for every DOMAIN

I'm not seeing the actual difference between 'ad' and 'rid' based on this
comment. The 'ad' backend in my example also has a set of 'idmap config lines'.
How would rid differ?

The wiki on 'rid' says, 

  "ID mapping back ends are not supported in the smb.conf file on a Samba Active
  Directory (AD) domain controller (DC).  Do not add any idmap config lines to a
  Samba Active Directory (AD) domain controller (DC) smb.conf"

This isn't an AD/DC, but does this apply to the domain member as well? If I use
this backend, does that mean I don't need to specify gid/uid ranges in the
smb.conf? The wiki further says:

  o All domain user accounts and groups are automatically available on the domain member.

  o No attributes need to be set for domain users and groups.

  o If you use the same basic smb.conf file on all Samba domain members, then
    user and group IDs will always be the same.

Maybe I don't need to worry about ranges?

> The 'autorid' idmap backend works in a similar way to the 'rid' idmap 
> backend, but is meant for multiple domains and you will only require one 
> set of 'idmap config' lines.

Only one domain in this setup.

> > My domain member on my existing Samba domain has smb.conf settings:
> > 
> > idmap config *:backend = tdb
> > idmap config *:range = 2000-9999
> > idmap config HPRS:backend = ad
> > idmap config HPRS:schema_mode = rfc2307
> > idmap config HPRS:range = 10000-10099
>
> That setup will require that your users have uidNumber attributes and 
> your groups will have gidNumber attributes in AD, All of these 
> attributes will have to contain numbers inside the 10000-10099 range 
> (which to be honest is a bit small and only allows for 99 users).

This example was taken from an actual system with no possibility of ever having
99 users. 

Is there a way for me to determine the uid/gid range configured in this system?
'getent passwd username' returns nothing (although 'getent hosts members' does).
wbinfo gives:

# wbinfo -u 
could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
Error looking up domain users

So that needs winbindd to be running, but I'm not at that step in the
instructions.

> > winbind enum groups = Yes
> > winbind enum users = Yes
>
> If you only have 99 users, then the 'winbind enum' lines should be okay, 
> but they are not required and on larger domains, they will slow things down.

Noted. I can get rid of that if it's not useful. BTW this target system has less
than a dozen users.

> > winbind nss info = rfc2307
>
> If you use the 'ad' idmap backend, then 'winbind nss info' is now part 
> of the 'idmap config' lines and isn't used with any other idmap backend

So, get rid of that in any case.

> > winbind offline logon = Yes
> > winbind refresh tickets = Yes
> > winbind use default domain = Yes
>
> 'winbind use default domain' cannot be used with the 'autorid' idmap 
> backend.

It doesn't look like 'autorid' will be the winner on backend, so I'll likely
retain these lines, right?

> > These settings were monkey-typed from a smb.conf example by kjhambrick, many,
> > many moons ago.  I really don't know why I have two backends specified (tdb and
> > ad) or why there are two different ranges (2000-9999 and 10000-10099 - although
> > I see the wiki also has a range for * and for domain).  Do I need all these in
> > the Windows AD config?
> > 
> > I don't see backend tdb listed in the wiki. Is that obsolete? It does list other
> > backends: ldap and nss.
>
> The 'tdb' idmap backend is an allocating backend and is only used for 
> the default '*' domain (unless you use the 'autorid' idmap backend, when 
> it isn't required at all). The default domain is meant for the Well 
> Known SIDs and anything outside the DOMAIN.

So, keep that, right?

> > How would I find the range on this domain?
>
> You don't, you choose and set it :-)
>
> Anything you don't understand, please ask.
>
> Rowland

Yeah, related to the last question on how to "find the range on this domain." I
can't just make something up, can I? I need to know how the actual domain admin
set up the range. If there's no way to query this then I suppose I have to ask
him, which might be a problem.

Can I just make something up and successfully join the domain, then do 'getent
passwd' to see what my known gid/uid is? I could try the default ranges, for
example my new smb.conf might look like:

idmap config *:backend = tdb
idmap config *:range = 10000000-299999999
idmap config HPRS:backend = ad
idmap config HPRS:schema_mode = rfc2307
idmap config HPRS:range = 10000-20000

winbind enum groups = Yes
winbind enum users = Yes
# winbind nss info = rfc2307
winbind offline logon = Yes
winbind refresh tickets = Yes
winbind use default domain = Yes

-----OR------

# idmap config *:backend = tdb (do I need these?) rid wiki: "... this back end cannot be set as idmap config * default ID mapping back end."
# idmap config *:range = 10000000-299999999

# rid wiki: "You must add idmap config lines for all trusted domains."
# would that be the following two lines?
idmap config HPRS:backend = rid
idmap config HPRS:schema_mode = rfc2307

# idmap config HPRS:range = 10000-20000

# probably get rid of these?
# winbind enum groups = Yes
# winbind enum users = Yes

winbind nss info = rfc2307
winbind offline logon = Yes
winbind refresh tickets = Yes
winbind use default domain = Yes

Am I close on the 'ad' or 'rid' examples? Am I assuming correctly that ranges
aren't needed for 'rid'?

Thanks --Mark
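An added example, not part of the thread or of Samba itself: it parses the 'idmap config' lines of an smb.conf, flags the problems discussed above (no default '*' domain, 'rid' used as the '*' backend, a domain without a range, overlapping ranges) and computes the Unix ID the 'rid' backend derives from an object's RID (ID = RID - base_rid + low end of the range, as documented in idmap_rid(8)). The domain name HPRS comes from the thread; the sample config and RID values are constructed.

```python
# Added example, not Samba code: check idmap config lines and show the
# 'rid' backend's mapping rule (idmap_rid(8): ID = RID - BASE_RID + LOW_ID,
# where base_rid defaults to 0). Every backend, rid included, needs a range.
import re

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$")

# Constructed fragment modelled on the 'rid' variant in the post, with the
# default '*' domain and the HPRS range filled in.
SAMPLE_CONF = """
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config HPRS : backend = rid
idmap config HPRS : range = 10000-999999
"""

def parse_idmap(smb_conf):
    """Return {domain: {option: value}}; commented lines never match the regex."""
    cfg = {}
    for line in smb_conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            cfg.setdefault(dom, {})[opt] = val
    return cfg

def parse_range(value):
    low, high = (int(x) for x in value.split("-"))
    return low, high

def check_idmap(cfg):
    """List the problems a reviewer would flag before joining the domain."""
    problems, ranges = [], []
    if "*" not in cfg:
        problems.append("no 'idmap config *' default domain")
    elif cfg["*"].get("backend") == "rid":
        problems.append("'rid' cannot be the default '*' backend")
    for dom, opts in cfg.items():
        if "backend" not in opts:
            problems.append("%s: backend missing" % dom)
        if "range" not in opts:
            problems.append("%s: range missing (every backend needs one)" % dom)
        else:
            ranges.append((dom, *parse_range(opts["range"])))
    ranges.sort(key=lambda r: r[1])  # adjacent ranges must not overlap
    for (d1, _, hi1), (d2, lo2, _) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:
            problems.append("ranges of %s and %s overlap" % (d1, d2))
    return problems

def rid_to_id(cfg, domain, rid):
    """Unix ID the 'rid' backend assigns to this RID, or None if outside the range."""
    opts = cfg[domain]
    low, high = parse_range(opts["range"])
    uid = rid - int(opts.get("base_rid", "0")) + low
    return uid if low <= uid <= high else None
```

Running `check_idmap(parse_idmap(SAMPLE_CONF))` returns an empty list, and `rid_to_id(cfg, "HPRS", 1105)` gives 11105; the same RID stays identical on every member that shares the config, which is the property the wiki text quoted above describes.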


