[Samba] Joining Linux Domain Member to Windows AD/DC

Rowland Penny rpenny at samba.org
Sun Jul 23 18:26:01 UTC 2023



On 23/07/2023 17:53, Mark Foley via samba wrote:
> On Sat, 22 Jul 2023 20:58:01 Rowland Penny via samba <samba at lists.samba.org> wrote:
> 
>> On 22/07/2023 18:52, Mark Foley via samba wrote:
>>> I am installing a new Linux Domain Member on a Active Directory domain that is
>>> otherwise 100% Windows, including a Windows AD/DC.  Previously, I've added a
>>> Linux domain member to a domain with a Samba AD/DC and I had all the needful
>>> information available.
>>
>> It doesn't matter what the DC's are, Windows or Samba, the setup is the
>> same.
>>
>>> I'm using the wiki https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Introduction
>>> for reference.
>>>
>>> In this case, what idmap backend should I use? ad, rid, autorid?
>>
>> Which idmap backend you use is entirely up to you, they all have their
>> places:
>>
>> If you use the 'ad' idmap backend you will need to have (or add)
>> uidNumber and gidNumber attributes in AD.
> 
> I am not the admin for the Windows AD/DC, so I don't know which [uid|gid]Numbers
> are set in the AD.  The actual admin is sort of a paint-by-numbers guy and I'm
> doubtful he knows anything about uid/gid, but I can ask.

I doubt if there are any uidNumber or gidNumber attributes in AD, they 
are not there by default.

> 
>> If you use the 'rid' idmap backend then the Unix ID's are calculated
>> from the AD object's RID. You will have to add a set of 'idmap config
>> lines' for every DOMAIN
> 
> I'm not seeing the actual difference between 'ad' and 'rid' based on this
> comment. the 'ad' backend in my example also has a set of 'idmap config lines'.
> How would rid differ?

The idmap config lines for the 'ad' and 'rid' idmap backends are 
similar, but different, try reading 'man idmap_ad' and 'man idmap_rid'

> 
> The wiki on 'rid' says,
> 
>    "ID mapping back ends are not supported in the smb.conf file on a Samba Active
>    Directory (AD) domain controller (DC).  Do not add any idmap config lines to a
>    Samba Active Directory (AD) domain controller (DC) smb.conf"
> 
> This isn't an AD/DC, but does this apply to the domain member as well? If I use
> this backend does that mean I don't need to specify gid/uid ranges in the
> smb.conf. 

A Samba AD DC uses a very different idmap backend than any other domain 
joined machine. If you set up a Unix domain member using Samba, you must 
add the 'idmap config' backend of your choice.

> The wiki further says:
> 
>    o All domain user accounts and groups are automatically available on the domain member.
> 
>    o No attributes need to be set for domain users and groups.
> 
>    o If you use the the same basic smb.conf file on all Samba domain members, then
>      user and group IDs will always be the same.
> 
> Maybe I don't need to worry about ranges?

Sorry, but yes you do.

> 
>> The 'autorid' idmap backend works in a similar way to the 'rid' idmap
>> backend, but is meant for multiple domains and you will only require one
>> set of 'idmap config' lines.
> 
> Only one domain in this setup.
> 
>>> My domain member on my existing Samba domain has smb.conf settings:
>>>
>>> idmap config *:backend = tdb
>>> idmap config *:range = 2000-9999
>>> idmap config HPRS:backend = ad
>>> idmap config HPRS:schema_mode = rfc2307
>>> idmap config HPRS:range = 10000-10099
>>
>> That setup will require that your users have uidNumber attributes and
>> your groups will have gidNumber attributes in AD. All of these
>> attributes will have to contain numbers inside the 10000-10099 range
>> (which to be honest is a bit small and only allows for 99 users).
> 
> This example was taken from an actual system with no possibility of ever having
> 99 users.
> 
> Is there a way for me to determine the uid/gid range configured in this system?

The range is '10000-10099', that is what you set, but if there are no 
uidNumber or gidNumber attributes in AD, then getent will not show anything.

> 'getent passwd username' returns nothing (although 'getent hosts members' does).
> wbinfo gives:
> 
> # wbinfo -u
> could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
> could not obtain winbind domain name!
> Error looking up domain users
> 
> So that needs winbindd to be running, but I'm not at that step in the
> instructions.

You must be running winbind before wbinfo or getent will work.

> 
>>> winbind enum groups = Yes
>>> winbind enum users = Yes
>>
>> If you only have 99 users, then the 'winbind enum' lines should be okay,
>> but they are not required and on larger domains, they will slow things down.
> 
> Noted. I can get rid of that if it's not useful. BTW this target system has less
> than a dozen users.
> 
>>> winbind nss info = rfc2307
>>
>> If you use the 'ad' idmap backend, then 'winbind nss info' is now part
>> of the 'idmap config' lines and isn't used with any other idmap backend
> 
> So, get rid of that in any case.
> 
>>> winbind offline logon = Yes
>>> winbind refresh tickets = Yes
>>> winbind use default domain = Yes
>>
>> 'winbind use default domain' cannot be used with the 'autorid' idmap
>> backend.
> 
> It doesn't look like 'autorid' will be the winner on backend, so I'll likely
> retain these lines, right?

In that case, yes.

> 
>>> These settings were monkey-typed from a smb.conf example by kjhambrick, many,
>>> many moons ago.  I really don't know why I have two backends specific (tdb and
>>> ad) or why there are two different ranges (2000-9999 and 10000-10099 - although
>>> I see the wiki also has a range for * and for domain).  Do I need all these in
>>> the Windows AD config?
>>>
>>> I don't see backend tdb listed in the wiki. Is that obsolete? It does list other
>>> backends: ldap and nss.
>>
>> The 'tdb' idmap backend is an allocating backend and is only used for
>> the default '*' domain (unless you use the 'autorid' idmap backend, when
>> it isn't required at all). The default domain is meant for the Well
>> Known SIDs and anything outside the DOMAIN.
> 
> So, keep that, right?

Most definitely.

> 
>>> How would I find the range on this domain?
>>
>> You don't, you choose and set it :-)
>>
>> Anything you don't understand, please ask.
>>
>> Rowland
> 
> Yeah, related to the last question on how to "find the range on this domain." I
> can't just make something up, can I?

Yes, you can use whatever range you like, but I suggest you read this 
wiki page first:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

> I need to know how the actual domain admin
> set up the range. If there's no way to query this then I supposed I have to ask
> him, which might be a problem.

A typical Windows sysadmin will not have added any uidNumber or 
gidNumber attributes to AD, they are of no value to Windows machines, 
they use the SID, so I would be prepared to use the 'rid' idmap backend 
if I was you.

> 
> Can I just make something up and successfully join the domain, then do 'getent
> passwd' to see what my known gid/uid is?

You would get back whatever range you set in your smb.conf, however, if 
you use the 'ad' idmap backend and there are no uidNumber & gidNumber 
attributes in AD, you will get nothing back.

> I could try the default ranges, for
> example my new smb.conf might look like:

There are no real default ranges.

> 
> idmap config *:backend = tdb
> idmap config *:range = 10000000-299999999
> idmap config HPRS:backend = ad
> idmap config HPRS:schema_mode = rfc2307
> idmap config HPRS:range = 10000-20000

There is no point in putting the default range above the DOMAIN range, 
in fact if the DOMAIN grows large enough (as a user found recently), it 
can stop the domain growing.

> 
> winbind enum groups = Yes
> winbind enum users = Yes
> # winbind nss info = rfc2307
> winbind offline logon = Yes
> winbind refresh tickets = Yes
> winbind use default domain = Yes
> 
> -----OR------
> 
> # idmap config *:backend = tdb (do I need these?) rid wiki: "... this back end cannot be set as idmap config * default ID mapping back end."
> # idmap config *:range = 10000000-299999999
> 
> # rid wiki: "You must add idmap config lines for all trusted domains."
> # would that be the following two lines?
> idmap config HPRS:backend = rid
> idmap config HPRS:schema_mode = rfc2307
> 
> # idmap config HPRS:range = 10000-20000

As I said earlier, please read 'man idmap_rid'
> 
> # probably get rid of these?
> # winbind enum groups = Yes
> # winbind enum users = Yes

I would, they should only really be used for testing purposes.

> 
> winbind nss info = rfc2307
> winbind offline logon = Yes
> winbind refresh tickets = Yes
> winbind use default domain = Yes
> 
> Am I close on the 'ad' or 'rid' examples?

Fairly.

> Am I assuming correctly that ranges
> aren't needed for 'rid'?

Sorry, but no, whatever idmap backend you use, it requires a DOMAIN range.

Rowland
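An added check, not code from this thread or from the Samba project: the script below parses the idmap lines of an smb.conf draft like the ones above and flags the points Rowland raises (every backend needs a DOMAIN range, a default '*' range placed above the DOMAIN range, schema_mode or 'winbind nss info' used outside the 'ad' backend, and 'winbind use default domain' combined with autorid). The sample config is constructed from Mark's 'ad' draft, and the idmap_ad option name unix_nss_info is assumed as the per-domain replacement for the global 'winbind nss info' setting.

```python
import re

# Constructed sample (assembled from the thread's 'ad' draft): idmap lines only.
AD_DRAFT = """
idmap config *:backend = tdb
idmap config *:range = 10000000-299999999
idmap config HPRS:backend = ad
idmap config HPRS:schema_mode = rfc2307
idmap config HPRS:range = 10000-20000
"""

IDMAP_RE = re.compile(r"^idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+)$", re.I)

def parse_smb_conf(text):
    """Split [global] lines into per-domain idmap settings and other options."""
    idmap, options = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":   # skip blanks, comments, section headers
            continue
        m = IDMAP_RE.match(line)
        if m:
            idmap.setdefault(m.group(1), {})[m.group(2).lower()] = m.group(3).strip().lower()
        elif "=" in line:
            k, v = line.split("=", 1)
            options[k.strip().lower()] = v.strip().lower()
    return idmap, options

def check_idmap(text):
    """Return the list of problems found; an empty list means the idmap setup looks sane."""
    idmap, options = parse_smb_conf(text)
    problems, ranges = [], {}
    for dom, cfg in idmap.items():
        backend = cfg.get("backend")
        if "range" in cfg:
            ranges[dom] = tuple(int(x) for x in cfg["range"].split("-"))
        else:
            problems.append(f"{dom}: no range set; every idmap backend needs one")
        if backend != "ad" and "schema_mode" in cfg:
            problems.append(f"{dom}: schema_mode is an 'ad' backend option")
        if backend == "autorid" and options.get("winbind use default domain") == "yes":
            problems.append(f"{dom}: 'winbind use default domain' cannot be used with autorid")
    # The default '*' range should sit below the DOMAIN range, not above it.
    for dom, (_, hi) in ranges.items():
        if dom != "*" and "*" in ranges and ranges["*"][0] > hi:
            problems.append(f"*: default range sits above the {dom} range")
    if "winbind nss info" in options:   # assumed replacement option name: unix_nss_info
        problems.append("'winbind nss info' is unused; with 'ad' set idmap config DOM:unix_nss_info")
    return problems
```

Running check_idmap(AD_DRAFT) reports only that the '*' range sits above the HPRS range, which is the point Rowland makes about the draft.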


