[Samba] primary group for AD accounts

pavel.lisy at gmail.com pavel.lisy at gmail.com
Wed Jun 19 18:19:19 UTC 2024


On Tue, 2024-06-18 at 15:36 +0100, Rowland Penny via samba wrote:
> On Tue, 18 Jun 2024 15:25:03 +0200
> PaLi via samba <samba at lists.samba.org> wrote:
> 
> > 
> > on DC - dc31:
> > -------------
> > $ sudo samba-tool testparm
> > 
> > INFO 2024-06-18 13:09:06,760 pid:31797 /usr/lib/python3/dist-
> > packages/samba/netcmd/testparm.py #96: Loaded smb config files from
> > /etc/samba/smb.conf
> > INFO 2024-06-18 13:09:06,760 pid:31797 /usr/lib/python3/dist-
> > packages/samba/netcmd/testparm.py #97: Loaded services file OK.
> > Press enter to see a dump of your service definitions
> > 
> > # Global parameters
> > [global]
> > 	bind interfaces only = Yes
> > 	dns forwarder = 127.0.0.53
> 
> What is '127.0.0.53' ?
This was created by samba-tool during provisioning, so I left it
unchanged.

samba-tool domain provision \
  --realm={{sambadomain_realm}} \
  --domain={{sambadomain_smbdomain}} \
  --site={{sambadomain_officesite}} \
  --server-role=dc \
  --dns-backend=${DNS_BACKEND} \
  --use-rfc2307 \
  --option="interfaces=lo {{ansible_default_ipv4.interface}}" \
  --option="bind interfaces only=yes" \
  --adminpass='{{samba_administrator_pwd}}'


I suppose it is because systemd-resolved is configured on this DC.


> I would expect an external (external to office.company.com) dns
> server,
> such as googles 8.8.8.8
> 
> > 	interfaces = lo enp1s0
> > 	netbios name = DC31
> > 	realm = OFFICE.COMPANY.COM
> > 	server role = active directory domain controller
> > 	template homedir = /home/%D/%U
> > 	template shell = /bin/bash
> > 	winbind enum groups = Yes
> > 	winbind enum users = Yes
> 
> You should only have the 'winbind enum' lines for testing purposes,
> they can slow things down in production.

OK, I understand.


> 
> > 	workgroup = OFFICE
> > 	idmap_ldb:use rfc2307 = yes
> > 
> > [sysvol]
> > 	path = /var/lib/samba/sysvol
> > 	read only = No
> > 
> > [netlogon]
> > 	path = /var/lib/samba/sysvol/office.company.com/scripts
> > 	read only = No
> > 
> > [homes]
> > 	comment = Home Directories
> > 	inherit acls = Yes
> > 	read only = No
> > 	valid users = %S %D%w%S
> 
> This is a DC, you must set the permissions from Windows, therefore the
> 'inherit acls' and 'valid users' lines shouldn't be used.
> > 
OK


> > 
> > on DC - dc31:
> > -------------
> > $ sudo testparm -s
> 
> No, you should have used 'samba-tool testparm', I know it is a bit
> confusing, but it is 'samba-tool testparm' on Samba AD DCs and
> 'testparm -s' on everything else.
> 
> > 
> > Load smb config files from /etc/samba/smb.conf
> > Loaded services file OK.
> > Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility
> > fallback)
> > 
> > Server role: ROLE_ACTIVE_DIRECTORY_DC
> > 
> > # Global parameters
> > [global]
> > 	bind interfaces only = Yes
> > 	dns forwarder = 127.0.0.53
> > 	interfaces = lo enp1s0
> > 	passdb backend = samba_dsdb
> > 	realm = OFFICE.COMPANY.COM
> > 	server role = active directory domain controller
> > 	template shell = /bin/bash
> > 	winbind enum groups = Yes
> > 	winbind enum users = Yes
> > 	workgroup = OFFICE
> > 	rpc_server:tcpip = no
> > 	rpc_daemon:spoolssd = embedded
> > 	rpc_server:spoolss = embedded
> > 	rpc_server:winreg = embedded
> > 	rpc_server:ntsvcs = embedded
> > 	rpc_server:eventlog = embedded
> > 	rpc_server:srvsvc = embedded
> > 	rpc_server:svcctl = embedded
> > 	rpc_server:default = external
> > 	winbindd:use external pipes = true
> > 	idmap_ldb:use rfc2307 = yes
> > 	idmap config * : backend = tdb
> > 	map archive = No
> > 	vfs objects = dfs_samba4 acl_xattr
> > 
> > 
> > [sysvol]
> > 	path = /var/lib/samba/sysvol
> > 	read only = No
> > 
> > 
> > [netlogon]
> > 	path = /var/lib/samba/sysvol/office.company.com/scripts
> > 	read only = No
> > 
> > 
> > [homes]
> > 	comment = Home Directories
> > 	inherit acls = Yes
> > 	read only = No
> > 	valid users = %S %D%w%S
> 
> Same comments as the other DC.
> 
> > 
> > 
> > on member - smbubu48:
> > 
> > ---------------------
> > $ sudo samba-tool testparm
> > 
> > INFO 2024-06-12 17:11:33,740 pid:29617 /usr/lib/python3/dist-
> > packages/samba/netcmd/testparm.py #96: Loaded smb config files from
> > /etc/samba/smb.conf
> > INFO 2024-06-12 17:11:33,741 pid:29617 /usr/lib/python3/dist-
> > packages/samba/netcmd/testparm.py #97: Loaded services file OK.
> > Press enter to see a dump of your service definitions
> > 
> > # Global parameters
> > [global]
> > 	log level = 0
> > 	netbios name = SMBUBU48
> > 	realm = OFFICE.COMPANY.COM
> > 	security = DOMAIN
> 
> Sorry but that is wrong, it should be 'security = ADS'
> 
> > 	server role = member server
> > 	template homedir = /home/%D/%U
> > 	template shell = /bin/bash
> > 	winbind enum groups = Yes
> > 	winbind enum users = Yes
> 
> Same comment as the DCs
> 
> > 	winbind rpc only = Yes
> 
> I would remove the line above.
OK

> > 	winbind use default domain = Yes
> > 	workgroup = OFFICE
> > 	idmap config office : unix_primary_group = yes
> > 	idmap config office : unix_nss_info = yes
> > 	idmap config office : range = 1000-9999
> 
> The gidNumber you gave Domain Users (513) is outside the OFFICE
> range,
> so all your users will probably be getting IDs in the 10000-19999
> range.

I see, I didn't know it is a restriction for groups too.


> > 	idmap config office : schema_mode = rfc2307
> > 	idmap config office : backend = ad
> > 	idmap config * : range = 10000-19999
> > 	idmap config * : backend = tdb
> > 	map acl inherit = Yes
> > 	store dos attributes = Yes
> > 	vfs objects = acl_xattr
> > 
> > [homes]
> > 	comment = Home Directories
> > 	inherit acls = Yes
> > 	read only = No
> > 	valid users = %S %D%w%S
> > 
> > 
> > on member - smbubu48:
> > ---------------------
> > sudo testparm -s
> > 
> > Load smb config files from /etc/samba/smb.conf
> > Loaded services file OK.
> > Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility
> > fallback)
> > 
> > Server role: ROLE_DOMAIN_MEMBER
> > 
> > # Global parameters
> > [global]
> > 	kdc enable fast = No
> > 	realm = OFFICE.COMPANY.COM
> > 	security = DOMAIN
> > 	server role = member server
> > 	template shell = /bin/bash
> > 	winbind enum groups = Yes
> > 	winbind enum users = Yes
> > 	winbind rpc only = Yes
> > 	winbind use default domain = Yes
> > 	workgroup = OFFICE
> > 	idmap config office : unix_primary_group = yes
> > 	idmap config office : unix_nss_info = yes
> > 	idmap config office : range = 1000-9999
> > 	idmap config office : schema_mode = rfc2307
> > 	idmap config office : backend = ad
> > 	idmap config * : range = 10000-19999
> > 	idmap config * : backend = tdb
> > 	map acl inherit = Yes
> > 	vfs objects = acl_xattr
> > 
> > 
> > [homes]
> > 	comment = Home Directories
> > 	inherit acls = Yes
> > 	read only = No
> > 	valid users = %S %D%w%S
> > 
> 
> Same comments as the other Unix domain member.
> 
> If you use the 'ad' idmap backend, then the uidNumber & gidNumber
> attributes you add to AD will be used instead of the IDs allocated
> (on
> a first come basis) in idmap.ldb. However, they may not be used
> straight after you add them until you run 'net cache flush'.
> 
My biggest question was:
why does getent passwd show gid 513 for Samba AD users on the MEMBER
server only?

It showed gid 100 for the same users on the DC servers (why 100? This
number is not anywhere in the configuration, so it must be some default).

This is the answer:
run 'net cache flush'

After that, the gid on DCs and MEMBERs is the same. Thanks a lot.


> Whatever Unix IDs you add to AD, the 'OFFICE' range in the Unix
> domain
> members must reflect this, so as you appear to have given Domain
> Users
> the gidNumber '513', the range line in your Unix domain members
> should
> look something like this:
> 
> idmap config office : range = 500-9999
> 
> Which will mean that you cannot have any local Unix users except for
> root, so what happens if something goes wrong with AD and you need to
> login as a local Unix user ?
> 
As I'm preparing to transform / upgrade an old Samba3 (NT domain) to
Samba AD, my main motivation was to keep the same gidNumber for Domain
Users. But I can solve it another way.


I need to set uidNumber/gidNumber manually in AD, because they are used
by Unix scripts for integration with other apps.


> I think you need to read this:
> 
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> 
> Also as you do not seem to be using Unix home directories etc from
> AD,
> you might want to consider using the 'rid' idmap backend, that way
> you
> do not need to add anything extra to AD.
> 
> Rowland
> 
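As an added example (not from the thread or from Samba itself), a small Python checker for the mismatch Rowland points out: it parses the `idmap config` lines of a Unix domain member's smb.conf, confirms the per-domain ranges do not overlap, flags any AD-assigned uidNumber/gidNumber (such as Domain Users = 513) that falls outside the range of the domain using the `ad` backend, and warns when that range reaches into the local Unix user space. The smb.conf excerpt is constructed from the member server dump above; `local_min=1000` (the Debian/Ubuntu UID_MIN default) is an assumption.

```python
import re

# Constructed excerpt modelled on the member server (smbubu48) config in the thread.
MEMBER_SMB_CONF = """[global]
	workgroup = OFFICE
	idmap config office : unix_primary_group = yes
	idmap config office : range = 1000-9999
	idmap config office : schema_mode = rfc2307
	idmap config office : backend = ad
	idmap config * : range = 10000-19999
	idmap config * : backend = tdb
"""
# One 'idmap config <domain> : <key> = <value>' line; <domain> may be '*'.
IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(?P<dom>\S+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE | re.MULTILINE)

def parse_idmap(conf):
    """Return {domain: {key: value}} for every idmap config line in smb.conf."""
    domains = {}
    for m in IDMAP_RE.finditer(conf):
        domains.setdefault(m["dom"].lower(), {})[m["key"].lower()] = m["val"]
    return domains

def parse_range(text):                     # '1000-9999' -> (1000, 9999)
    lo, hi = (int(x) for x in text.split("-"))
    return lo, hi

def check_ids(conf, ad_ids, local_min=1000):
    """Compare AD-assigned uidNumber/gidNumber values ({name: id}) with the
    idmap ranges. local_min is the first local Unix UID/GID (assumed 1000,
    the Debian/Ubuntu default). Returns a list of findings, empty if consistent."""
    findings, domains = [], parse_idmap(conf)
    ranges = {d: parse_range(c["range"]) for d, c in domains.items() if "range" in c}
    names = list(ranges)
    for i, a in enumerate(names):          # winbind rejects overlapping ranges
        for b in names[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"ranges for '{a}' and '{b}' overlap")
    for dom, cfg in domains.items():
        if cfg.get("backend", "").lower() != "ad" or dom not in ranges:
            continue                       # only the 'ad' backend reads IDs from AD
        lo, hi = ranges[dom]
        if lo < local_min:                 # e.g. 500-9999 leaves no room for local users
            findings.append(f"'{dom}' range {lo}-{hi} overlaps local Unix IDs (>= {local_min})")
        for name, num in ad_ids.items():   # an AD value outside the range is ignored
            if not lo <= num <= hi:
                findings.append(f"{name} has ID {num}, outside '{dom}' range {lo}-{hi}")
    return findings
```

Running `check_ids(MEMBER_SMB_CONF, {"Domain Users": 513})` reports the 513-outside-1000-9999 problem from the thread; widening the range to 500-9999 clears it but raises the local-user warning Rowland mentions.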
