[Samba] Joining Linux Domain Member to Windows AD/DC
Rowland Penny
rpenny at samba.org
Sun Jul 23 18:26:01 UTC 2023
On 23/07/2023 17:53, Mark Foley via samba wrote:
> On Sat, 22 Jul 2023 20:58:01 Rowland Penny via samba <samba at lists.samba.org> wrote:
>
>> On 22/07/2023 18:52, Mark Foley via samba wrote:
>>> I am installing a new Linux Domain Member on a Active Directory domain that is
>>> otherwise 100% Windows, including a Windows AD/DC. Previously, I've added a
>>> Linux domain member to a domain with a Samba AD/DC and I had all the needful
>>> information available.
>>
>> It doesn't matter what the DCs are, Windows or Samba, the setup is the
>> same.
>>
>>> I'm using the wiki https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Introduction
>>> for reference.
>>>
>>> In this case, what idmap backend should I use? ad, rid, autorid?
>>
>> Which idmap backend you use is entirely up to you, they all have their
>> places:
>>
>> If you use the 'ad' idmap backend you will need to have (or add)
>> uidNumber and gidNumber attributes in AD.
>
> I am not the admin for the Windows AD/DC, so I don't know which [uid|gid]Numbers
> are set in the AD. The actual admin is sort of a paint-by-numbers guy and I'm
> doubtful he knows anything about uid/gid, but I can ask.
I doubt if there are any uidNumber or gidNumber attributes in AD, they
are not there by default.
>
>> If you use the 'rid' idmap backend then the Unix IDs are calculated
>> from the AD object's RID. You will have to add a set of 'idmap config
>> lines' for every DOMAIN
>
> I'm not seeing the actual difference between 'ad' and 'rid' based on this
> comment. the 'ad' backend in my example also has a set of 'idmap config lines'.
> How would rid differ?
The idmap config lines for the 'ad' and 'rid' idmap backends are
similar, but different, try reading 'man idmap_ad' and 'man idmap_rid'
>
> The wiki on 'rid' says,
>
> "ID mapping back ends are not supported in the smb.conf file on a Samba Active
> Directory (AD) domain controller (DC). Do not add any idmap config lines to a
> Samba Active Directory (AD) domain controller (DC) smb.conf"
>
> This isn't an AD/DC, but does this apply to the domain member as well? If I use
> this backend does that mean I don't need to specify gid/uid ranges in the
> smb.conf.
A Samba AD DC uses a very different idmap backend than any other domain
joined machine. If you set up a Unix domain member using Samba, you must
add the 'idmap config' backend of your choice.
> The wiki further says:
>
> o All domain user accounts and groups are automatically available on the domain member.
>
> o No attributes need to be set for domain users and groups.
>
> o If you use the same basic smb.conf file on all Samba domain members, then
> user and group IDs will always be the same.
>
> Maybe I don't need to worry about ranges?
Sorry, but yes you do.
>
>> The 'autorid' idmap backend works in a similar way to the 'rid' idmap
>> backend, but is meant for multiple domains and you will only require one
>> set of 'idmap config' lines.
>
> Only one domain in this setup.
>
>>> My domain member on my existing Samba domain has smb.conf settings:
>>>
>>> idmap config *:backend = tdb
>>> idmap config *:range = 2000-9999
>>> idmap config HPRS:backend = ad
>>> idmap config HPRS:schema_mode = rfc2307
>>> idmap config HPRS:range = 10000-10099
>>
>> That setup will require that your users have uidNumber attributes and
>> your groups will have gidNumber attributes in AD. All of these
>> attributes will have to contain numbers inside the 10000-10099 range
>> (which to be honest is a bit small and only allows for 99 users).
>
> This example was taken from an actual system with no possibility of ever having
> 99 users.
>
> Is there a way for me to determine the uid/gid range configured in this system?
The range is '10000-10099', that is what you set, but if there are no
uidNumber or gidNumber attributes in AD, then getent will not show anything.
> 'getent passwd username' returns nothing (although 'getent hosts members' does).
> wbinfo gives:
>
> # wbinfo -u
> could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
> could not obtain winbind domain name!
> Error looking up domain users
>
> So that needs winbindd to be running, but I'm not at that step in the
> instructions.
You must be running winbind before wbinfo or getent will work.
>
>>> winbind enum groups = Yes
>>> winbind enum users = Yes
>>
>> If you only have 99 users, then the 'winbind enum' lines should be okay,
>> but they are not required and on larger domains, they will slow things down.
>
> Noted. I can get rid of that if it's not useful. BTW this target system has less
> than a dozen users.
>
>>> winbind nss info = rfc2307
>>
>> If you use the 'ad' idmap backend, then 'winbind nss info' is now part
>> of the 'idmap config' lines and isn't used with any other idmap backend
>
> So, get rid of that in any case.
>
>>> winbind offline logon = Yes
>>> winbind refresh tickets = Yes
>>> winbind use default domain = Yes
>>
>> 'winbind use default domain' cannot be used with the 'autorid' idmap
>> backend.
>
> It doesn't look like 'autorid' will be the winner on backend, so I'll likely
> retain these lines, right?
In that case, yes.
>
>>> These settings were monkey-typed from a smb.conf example by kjhambrick, many,
>>> many moons ago. I really don't know why I have two backends specific (tdb and
>>> ad) or why there are two different ranges (2000-9999 and 10000-10099 - although
>>> I see the wiki also has a range for * and for domain). Do I need all these in
>>> the Windows AD config?
>>>
>>> I don't see backend tdb listed in the wiki. Is that obsolete? It does list other
>>> backends: ldap and nss.
>>
>> The 'tdb' idmap backend is an allocating backend and is only used for
>> the default '*' domain (unless you use the 'autorid' idmap backend, when
>> it isn't required at all). The default domain is meant for the Well
>> Known SIDs and anything outside the DOMAIN.
>
> So, keep that, right?
Most definitely.
>
>>> How would I find the range on this domain?
>>
>> You don't, you choose and set it :-)
>>
>> Anything you don't understand, please ask.
>>
>> Rowland
>
> Yeah, related to the last question on how to "find the range on this domain." I
> can't just make something up, can I?
Yes, you can use whatever range you like, but I suggest you read this
wiki page first:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> I need to know how the actual domain admin
> set up the range. If there's no way to query this then I suppose I have to ask
> him, which might be a problem.
A typical Windows sysadmin will not have added any uidNumber or
gidNumber attributes to AD, they are of no value to Windows machines,
they use the SID, so I would be prepared to use the 'rid' idmap backend
if I was you.
>
> Can I just make something up and successfully join the domain, then do 'getent
> passwd' to see what my known gid/uid is?
You would get back whatever range you set in your smb.conf, however, if
you use the 'ad' idmap backend and there are no uidNumber & gidNumber
attributes in AD, you will get nothing back.
> I could try the default ranges, for
> example my new smb.conf might look like:
There are no real default ranges.
>
> idmap config *:backend = tdb
> idmap config *:range = 10000000-299999999
> idmap config HPRS:backend = ad
> idmap config HPRS:schema_mode = rfc2307
> idmap config HPRS:range = 10000-20000
There is no point in putting the default range above the DOMAIN range,
in fact if the DOMAIN grows large enough (as a user found recently), it
can stop the domain growing.
>
> winbind enum groups = Yes
> winbind enum users = Yes
> # winbind nss info = rfc2307
> winbind offline logon = Yes
> winbind refresh tickets = Yes
> winbind use default domain = Yes
>
> -----OR------
>
> # idmap config *:backend = tdb (do I need these?) rid wiki: "... this back end cannot be set as idmap config * default ID mapping back end."
> # idmap config *:range = 10000000-299999999
>
> # rid wiki: "You must add idmap config lines for all trusted domains."
> # would that be the following two lines?
> idmap config HPRS:backend = rid
> idmap config HPRS:schema_mode = rfc2307
>
> # idmap config HPRS:range = 10000-20000
As I said earlier, please read 'man idmap_rid'
>
> # probably get rid of these?
> # winbind enum groups = Yes
> # winbind enum users = Yes
I would, they should only really be used for testing purposes.
>
> winbind nss info = rfc2307
> winbind offline logon = Yes
> winbind refresh tickets = Yes
> winbind use default domain = Yes
>
> Am I close on the 'ad' or 'rid' examples?
Fairly.
> Am I assuming correctly that ranges
> aren't needed for 'rid'?
Sorry, but no, whatever idmap backend you use, it requires a DOMAIN range.
Rowland
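The thread keeps coming back to the same handful of idmap rules (every DOMAIN needs a range, the '*' default domain stays on tdb and below the DOMAIN range, 'rid' cannot be the '*' backend, 'winbind nss info' only means something with 'ad', 'winbind use default domain' does not work with 'autorid', the 'winbind enum' lines are for testing only). The following is an added example, not Samba code and not from anyone in the thread: a small Python checker that parses the 'idmap config' lines of an smb.conf and reports violations of those rules, plus the general Samba rule that idmap ranges must not overlap and the man idmap_rid fact that 'schema_mode' is an idmap_ad-only option. The three embedded configs are constructed: the first two are the drafts posted in the thread, the third is a corrected 'rid' layout using the HPRS domain name from the thread and an arbitrary 3000-7999 default range.

```python
import re
from itertools import combinations
from typing import Dict, List, Tuple

# "idmap config DOMAIN:option = value"; smb.conf allows spaces around ':'.
IDMAP_RE = re.compile(r"^idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)$", re.IGNORECASE)


def parse_smb_conf(text: str) -> Tuple[Dict[str, Dict[str, str]], Dict[str, str]]:
    """Return ({DOMAIN: {option: value}}, {other global option: value}).
    '#' and ';' lines are comments; section headers are ignored."""
    idmap: Dict[str, Dict[str, str]] = {}
    other: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1).upper(), m.group(2).lower(), m.group(3).strip()
            idmap.setdefault(dom, {})[opt] = val
        elif "=" in line:
            key, val = line.split("=", 1)
            other[key.strip().lower()] = val.strip().lower()
    return idmap, other


def parse_range(value: str) -> Tuple[int, int]:
    lo, hi = value.replace(" ", "").split("-", 1)
    return int(lo), int(hi)


def check_idmap(text: str) -> List[str]:
    """Return the list of problems found; an empty list means the layout is sane."""
    idmap, other = parse_smb_conf(text)
    problems: List[str] = []
    ranges: Dict[str, Tuple[int, int]] = {}
    backends = {dom: opts.get("backend", "").lower() for dom, opts in idmap.items()}
    uses_autorid = "autorid" in backends.values()

    if "*" not in idmap and not uses_autorid:
        problems.append("no 'idmap config *' lines: the tdb default domain is required unless 'autorid' is used")
    for dom, opts in idmap.items():
        backend = backends[dom]
        if "range" in opts:
            lo, hi = parse_range(opts["range"])
            if lo >= hi:
                problems.append(f"{dom}: range '{opts['range']}' is empty or reversed")
            else:
                ranges[dom] = (lo, hi)
        else:
            problems.append(f"{dom}: no 'idmap config {dom}:range' line; every backend needs a range")
        if dom == "*" and backend == "rid":
            problems.append("'*': the 'rid' backend cannot be the default ID mapping back end")
        if dom != "*" and backend == "tdb":
            problems.append(f"{dom}: 'tdb' is an allocating backend meant only for the '*' default domain")
        if backend == "rid" and "schema_mode" in opts:
            problems.append(f"{dom}: 'schema_mode' is an idmap_ad option; idmap_rid does not use it")
    # Overlapping ranges make two different SIDs map to the same Unix ID.
    for a, b in combinations(ranges, 2):
        (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
        if alo <= bhi and blo <= ahi:
            problems.append(f"ranges for {a} and {b} overlap")
    if "*" in ranges:
        for dom, (lo, hi) in ranges.items():
            if dom != "*" and ranges["*"][0] > hi:
                problems.append(f"default '*' range sits above the {dom} range; put it below")
    if uses_autorid and other.get("winbind use default domain") in ("yes", "true"):
        problems.append("'winbind use default domain' cannot be used with the 'autorid' backend")
    if "winbind nss info" in other and "ad" not in backends.values():
        problems.append("'winbind nss info' is only meaningful with the 'ad' backend; drop it")
    enum = [k for k in ("winbind enum users", "winbind enum groups") if other.get(k) in ("yes", "true")]
    if enum:
        problems.append(", ".join(enum) + ": only for testing, slows lookups on larger domains")
    return problems


# Constructed samples: the two drafts from the thread and a corrected 'rid' layout.
AD_STYLE = """
idmap config *:backend = tdb
idmap config *:range = 10000000-299999999
idmap config HPRS:backend = ad
idmap config HPRS:schema_mode = rfc2307
idmap config HPRS:range = 10000-20000
winbind enum groups = Yes
winbind enum users = Yes
winbind use default domain = Yes
"""
RID_DRAFT = """
# idmap config *:backend = tdb
idmap config HPRS:backend = rid
idmap config HPRS:schema_mode = rfc2307
# idmap config HPRS:range = 10000-20000
winbind nss info = rfc2307
winbind use default domain = Yes
"""
RID_FIXED = """
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config HPRS : backend = rid
idmap config HPRS : range = 10000-999999
winbind offline logon = Yes
winbind refresh tickets = Yes
winbind use default domain = Yes
"""

if __name__ == "__main__":
    for name, conf in (("ad draft", AD_STYLE), ("rid draft", RID_DRAFT), ("rid fixed", RID_FIXED)):
        print(name, "->", check_idmap(conf) or "OK")
```

Run it against a real smb.conf with `check_idmap(open("/etc/samba/smb.conf").read())` before starting winbind; it only reads the file and reports, it does not alter anything. It deliberately cannot tell you whether AD actually holds uidNumber/gidNumber attributes, which is the one 'ad'-backend question only the directory itself can answer.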