[Samba] primary group for AD accounts

Rowland Penny rpenny at samba.org
Tue Jun 18 14:36:01 UTC 2024


On Tue, 18 Jun 2024 15:25:03 +0200
PaLi via samba <samba at lists.samba.org> wrote:

> 
> on DC - dc31:
> -------------
> $ sudo samba-tool testparm
> 
> INFO 2024-06-18 13:09:06,760 pid:31797 /usr/lib/python3/dist-
> packages/samba/netcmd/testparm.py #96: Loaded smb config files from
> /etc/samba/smb.conf
> INFO 2024-06-18 13:09:06,760 pid:31797 /usr/lib/python3/dist-
> packages/samba/netcmd/testparm.py #97: Loaded services file OK.
> Press enter to see a dump of your service definitions
> 
> # Global parameters
> [global]
> 	bind interfaces only = Yes
> 	dns forwarder = 127.0.0.53

What is '127.0.0.53'?
I would expect an external (external to office.company.com) DNS server,
such as Google's 8.8.8.8

> 	interfaces = lo enp1s0
> 	netbios name = DC31
> 	realm = OFFICE.COMPANY.COM
> 	server role = active directory domain controller
> 	template homedir = /home/%D/%U
> 	template shell = /bin/bash
> 	winbind enum groups = Yes
> 	winbind enum users = Yes

You should only have the 'winbind enum' lines for testing purposes;
they can slow things down in production.

> 	workgroup = OFFICE
> 	idmap_ldb:use rfc2307 = yes
> 
> [sysvol]
> 	path = /var/lib/samba/sysvol
> 	read only = No
> 
> [netlogon]
> 	path = /var/lib/samba/sysvol/office.company.com/scripts
> 	read only = No
> 
> [homes]
> 	comment = Home Directories
> 	inherit acls = Yes
> 	read only = No
> 	valid users = %S %D%w%S

This is a DC, you must set the permissions from Windows, therefore the
'inherit acls' and 'valid users' lines shouldn't be used.

> 
> 
> on DC - dc31:
> -------------
> $ sudo testparm -s

No, you should have used 'samba-tool testparm'. I know it is a bit
confusing, but it is 'samba-tool testparm' on Samba AD DCs and 'testparm
-s' on everything else.

> 
> Load smb config files from /etc/samba/smb.conf
> Loaded services file OK.
> Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility
> fallback)
> 
> Server role: ROLE_ACTIVE_DIRECTORY_DC
> 
> # Global parameters
> [global]
> 	bind interfaces only = Yes
> 	dns forwarder = 127.0.0.53
> 	interfaces = lo enp1s0
> 	passdb backend = samba_dsdb
> 	realm = OFFICE.COMPANY.COM
> 	server role = active directory domain controller
> 	template shell = /bin/bash
> 	winbind enum groups = Yes
> 	winbind enum users = Yes
> 	workgroup = OFFICE
> 	rpc_server:tcpip = no
> 	rpc_daemon:spoolssd = embedded
> 	rpc_server:spoolss = embedded
> 	rpc_server:winreg = embedded
> 	rpc_server:ntsvcs = embedded
> 	rpc_server:eventlog = embedded
> 	rpc_server:srvsvc = embedded
> 	rpc_server:svcctl = embedded
> 	rpc_server:default = external
> 	winbindd:use external pipes = true
> 	idmap_ldb:use rfc2307 = yes
> 	idmap config * : backend = tdb
> 	map archive = No
> 	vfs objects = dfs_samba4 acl_xattr
> 
> 
> [sysvol]
> 	path = /var/lib/samba/sysvol
> 	read only = No
> 
> 
> [netlogon]
> 	path = /var/lib/samba/sysvol/office.company.com/scripts
> 	read only = No
> 
> 
> [homes]
> 	comment = Home Directories
> 	inherit acls = Yes
> 	read only = No
> 	valid users = %S %D%w%S

Same comments as the other DC.

> 
> 
> on member - smbubu48:
> 
> ---------------------
> $ sudo samba-tool testparm
> 
> INFO 2024-06-12 17:11:33,740 pid:29617 /usr/lib/python3/dist-
> packages/samba/netcmd/testparm.py #96: Loaded smb config files from
> /etc/samba/smb.conf
> INFO 2024-06-12 17:11:33,741 pid:29617 /usr/lib/python3/dist-
> packages/samba/netcmd/testparm.py #97: Loaded services file OK.
> Press enter to see a dump of your service definitions
> 
> # Global parameters
> [global]
> 	log level = 0
> 	netbios name = SMBUBU48
> 	realm = OFFICE.COMPANY.COM
> 	security = DOMAIN

Sorry, but that is wrong, it should be 'security = ADS'.

> 	server role = member server
> 	template homedir = /home/%D/%U
> 	template shell = /bin/bash
> 	winbind enum groups = Yes
> 	winbind enum users = Yes

Same comment as the DCs.

> 	winbind rpc only = Yes

I would remove the line above.

> 	winbind use default domain = Yes
> 	workgroup = OFFICE
> 	idmap config office : unix_primary_group = yes
> 	idmap config office : unix_nss_info = yes
> 	idmap config office : range = 1000-9999

The gidNumber you gave Domain Users (513) is outside the OFFICE range,
so all your users will probably be getting IDs in the 10000-19999 range.

> 	idmap config office : schema_mode = rfc2307
> 	idmap config office : backend = ad
> 	idmap config * : range = 10000-19999
> 	idmap config * : backend = tdb
> 	map acl inherit = Yes
> 	store dos attributes = Yes
> 	vfs objects = acl_xattr
> 
> [homes]
> 	comment = Home Directories
> 	inherit acls = Yes
> 	read only = No
> 	valid users = %S %D%w%S
> 
> 
> on member - smbubu48:
> ---------------------
> sudo testparm -s
> 
> Load smb config files from /etc/samba/smb.conf
> Loaded services file OK.
> Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility
> fallback)
> 
> Server role: ROLE_DOMAIN_MEMBER
> 
> # Global parameters
> [global]
> 	kdc enable fast = No
> 	realm = OFFICE.COMPANY.COM
> 	security = DOMAIN
> 	server role = member server
> 	template shell = /bin/bash
> 	winbind enum groups = Yes
> 	winbind enum users = Yes
> 	winbind rpc only = Yes
> 	winbind use default domain = Yes
> 	workgroup = OFFICE
> 	idmap config office : unix_primary_group = yes
> 	idmap config office : unix_nss_info = yes
> 	idmap config office : range = 1000-9999
> 	idmap config office : schema_mode = rfc2307
> 	idmap config office : backend = ad
> 	idmap config * : range = 10000-19999
> 	idmap config * : backend = tdb
> 	map acl inherit = Yes
> 	vfs objects = acl_xattr
> 
> 
> [homes]
> 	comment = Home Directories
> 	inherit acls = Yes
> 	read only = No
> 	valid users = %S %D%w%S
> 

Same comments as the other Unix domain member.

If you use the 'ad' idmap backend, then the uidNumber & gidNumber
attributes you add to AD will be used instead of the IDs allocated (on
a first come basis) in idmap.ldb. However, they may not be used
straight after you add them until you run 'net cache flush'.

Whatever Unix IDs you add to AD, the 'OFFICE' range in the Unix domain
members must reflect this, so as you appear to have given Domain Users
the gidNumber '513', the range line in your Unix domain members should
look something like this:

idmap config office : range = 500-9999

Which will mean that you cannot have any local Unix users except for
root, so what happens if something goes wrong with AD and you need to
log in as a local Unix user?

I think you need to read this:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Also, as you do not seem to be using Unix home directories etc. from AD,
you might want to consider using the 'rid' idmap backend, that way you
do not need to add anything extra to AD.

Rowland
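A small check of the idmap points raised in the reply, written as an added example for this thread (not code from the original post or from Samba): it parses the quoted 'idmap config ... : range' lines, reports AD uidNumber/gidNumber values (such as the 513 given to Domain Users) that fall outside the domain range, and flags local passwd accounts that an idmap range would shadow. The passwd entries and the local account name are constructed.

```python
import re

# Constructed samples (not complete files): the idmap lines quoted from the
# member server's smb.conf in the thread, plus two local /etc/passwd entries.
MEMBER_SMB_CONF = """\
[global]
    workgroup = OFFICE
    idmap config office : unix_primary_group = yes
    idmap config office : range = 1000-9999
    idmap config office : backend = ad
    idmap config * : range = 10000-19999
    idmap config * : backend = tdb
"""
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
admin:x:1000:1000:Local Admin:/home/admin:/bin/bash
"""

RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)


def parse_idmap_ranges(conf):
    """Map each idmap domain (lower-cased, '*' included) to its (low, high) range."""
    ranges = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1).lower()] = (int(m.group(2)), int(m.group(3)))
    return ranges


def ids_outside_domain_range(ranges, domain, ad_ids):
    """Names whose AD uidNumber/gidNumber lies outside the domain's idmap range.

    With the 'ad' backend such an ID is not honoured; the reply says the
    affected users then get IDs allocated from the '*' (tdb) range instead.
    """
    low, high = ranges[domain.lower()]
    return sorted(name for name, uid in ad_ids.items() if not low <= uid <= high)


def local_users_in_ranges(ranges, passwd):
    """(account, domain) pairs for local passwd UIDs that an idmap range covers."""
    hits = []
    for line in passwd.splitlines():
        name, _, uid, *_ = line.split(":")
        for domain, (low, high) in ranges.items():
            if low <= int(uid) <= high:
                hits.append((name, domain))
    return hits


def ranges_overlap(ranges):
    """True if any two idmap ranges share an ID (they must be disjoint)."""
    spans = sorted(ranges.values())
    return any(a[1] >= b[0] for a, b in zip(spans, spans[1:]))
```

Running `local_users_in_ranges` against the widened 500-9999 range from the reply shows the same collision with the constructed local account at UID 1000 as the original 1000-9999 range does.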
