Re: [Samba] Samba4 Winbind - is it really not possible to be sensible?

2013-01-26 Thread Rob McCorkell

If you provision/run with idmap_ldb:use rfc2307 then you can assign each
user/group a uidNumber/gidNumber which then is/can be obeyed by samba/nslcd.


Sorry, I should have made myself more clear. Our current setup uses the nslcd 
approach to get the UIDs and GIDs as mapped from the RID of each object. We 
then feed that back into the LDAP database (as uidNumber and gidNumber 
attributes) along with setting idmap_ldb:use rfc2307 so that Samba4 gets the 
same UIDs and GIDs as from mapping the RID. But this is very much a fudge, and 
it does not make sense that Winbind shouldn't support this form of RID mapping, 
even though previous versions did support it.

Rob

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Samba4 Winbind - is it really not possible to be sensible?

2013-01-26 Thread Rob McCorkell
Thanks for the explanation - I wasn't thinking too much about multiple 
domains, and I guess it would be an issue. A potential solution would be 
to have offsets for each domain, specified in smb.conf? If I didn't have 
too much on my plate already I would have a look at the mapping code and 
attempt to write a solution myself.


The 'solution' with the UID discrepancy between nslcd and Samba was to 
feed back the nslcd UID back into Samba, then tell Samba to use those 
UIDs instead. Oh, and while I am here I might as well bring a particular 
bug to your attention - when Samba is set to use rfc2307, but no 
uidNumber attribute exists for an object, the UID number gets allocated. 
But once a uidNumber attribute is set, and the allocation has already 
taken place, the allocated UID is used instead. I can't imagine that 
this is the desired behaviour with rfc2307.


Thanks,
Rob

On 26/01/2013 7:25 PM, Matthieu Patou wrote:

On 01/25/2013 11:43 AM, Rob McCorkell wrote:
Samba3 allowed for the setting of idmaps and passdb backends to 
configure how users were pulled in. This made integrating with 
existing LDAP databases, or other forms of authentication easy, 
since Samba could be configured to present the same UID and GID as 
directly from the [insert other auth method here] system. All was good.


Unfortunately Samba4 seems to have removed much of that 
functionality. I understand that in an AD context, passdb backend 
doesn't really make very much sense, so removing that was fair. What 
I do not understand is why Winbind cannot be configured to use 
certain idmaps, more specifically the RID mapping.

First of all: resources, feel free to provide your implementation for 
the rid backend.
Then also with AD winbindd we tried not to reproduce what had been 
done with the original winbindd, where we had a lot of options and 
backends, and afterwards we realized that it wasn't such a good fit.
And having discussed it for a long time, the RID backend is the 
perfect example of a backend that seems very interesting at first 
glance but is not so in the long run, as it works well only when 
you have 1 domain.
We are still thinking of a RID-like solution, but one that would scale to 
more than one domain.


This would make it significantly easier to integrate LDAP 
authenticating clients into Samba4, for example using nslcd to map 
the UIDs and GIDs. The current implementation is forced into using 
allocated *IDs, which are not consistent across machines.
But all in all this is not a big problem, since although machines get 
different *IDs, they use the CIFS protocol which uses usernames 
instead, so each machine knows who a user is. The problem is when a 
server that runs Samba4 as a file server uses LDAP to get user 
information. When a client connects, Samba4 the user UID which is 
allocated. Samba4 then finds the home share, but since the UID on the 
home share (dutifully mapped by nslcd from the RID on the end of the 
objectSid) doesn't match the allocated one, it refuses access.

Can you configure nslcd to use the uidNumber/gidNumber? If so, one 
solution could be (but just for a Samba-only domain controller) to have 
a mechanism that feeds the randomly generated uid back into the 
uidNumber fields.


All that nslcd does in this case is map a UID to the RID from the 
objectSid in LDAP. This is a very simple mapping - just get the end 
of the string, where the first bit is the domain SID. Samba3 
supported RID mapping in this fashion, but I do not understand why 
this was not ported across to Samba4. It would only change the UIDs 
and GIDs as seen by Samba, which as far as I know are used very 
little within Samba, where the objectSid is used instead.


Of course, it could be that I have a massive misunderstanding of the 
internals of Samba4, and there is a reason why this functionality 
wasn't brought across.


No, you don't, but for the AD part we have for the moment a pretty 
limited set of methods to allocate UIDs/GIDs, sorry!


Matthieu.




[Samba] Samba4 Winbind - is it really not possible to be sensible?

2013-01-25 Thread Rob McCorkell
Samba3 allowed for the setting of idmaps and passdb backends to 
configure how users were pulled in. This made integrating with existing 
LDAP databases, or other forms of authentication easy, since Samba 
could be configured to present the same UID and GID as directly from the 
[insert other auth method here] system. All was good.


Unfortunately Samba4 seems to have removed much of that functionality. I 
understand that in an AD context, passdb backend doesn't really make 
very much sense, so removing that was fair. What I do not understand is 
why Winbind cannot be configured to use certain idmaps, more 
specifically the RID mapping. This would make it significantly easier to 
integrate LDAP authenticating clients into Samba4, for example using 
nslcd to map the UIDs and GIDs. The current implementation is forced 
into using allocated *IDs, which are not consistent across machines.
But all in all this is not a big problem, since although machines get 
different *IDs, they use the CIFS protocol which uses usernames instead, 
so each machine knows who a user is. The problem is when a server that 
runs Samba4 as a file server uses LDAP to get user information. When a 
client connects, Samba4 the user UID which is allocated. Samba4 then 
finds the home share, but since the UID on the home share (dutifully 
mapped by nslcd from the RID on the end of the objectSid) doesn't match 
the allocated one, it refuses access.


All that nslcd does in this case is map a UID to the RID from the 
objectSid in LDAP. This is a very simple mapping - just get the end of 
the string, where the first bit is the domain SID. Samba3 supported RID 
mapping in this fashion, but I do not understand why this was not ported 
across to Samba4. It would only change the UIDs and GIDs as seen by 
Samba, which as far as I know are used very little within Samba, where 
the objectSid is used instead.


Of course, it could be that I have a massive misunderstanding of the 
internals of Samba4, and there is a reason why this functionality wasn't 
brought across.


Rob
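The nslcd mapping Rob describes (the uidNumber is the RID at the tail of the objectSid) and Matthieu's objection that it only holds for a single domain, worked through as an added example; this is not code from the thread, from Samba or from nslcd, and the domain SIDs, objectSid bytes and per-domain offsets are constructed.

```python
import struct

# Constructed sample objectSid for a user in domain S-1-5-21-1-2-3 with RID 1104. AD and
# Samba4 store objectSid in binary: revision (1 byte), sub-authority count (1 byte), the
# authority (6 bytes big-endian), then little-endian uint32 sub-authorities, the last being
# the RID that nslcd turns into the uidNumber.
SAMPLE_OBJECTSID = bytes.fromhex(
    "01 05 000000000005"                   # revision 1, 5 sub-authorities, authority 5
    "15000000 01000000 02000000 03000000"  # 21-1-2-3: the domain SID part
    "50040000"                             # 1104: the RID
)

def sid_to_string(blob: bytes) -> str:
    """Decode a binary objectSid into its S-1-5-... string form."""
    revision, count = blob[0], blob[1]
    if len(blob) != 8 + 4 * count:
        raise ValueError("objectSid length does not match its sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))

def split_sid(sid: str):
    """Return (domain SID, RID): the RID is the trailing component, the rest is the domain."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)

def rid_uid(sid: str) -> int:
    """The plain mapping Rob describes (what Samba3's rid backend did): uid = RID."""
    return split_sid(sid)[1]

def offset_uid(sid: str, offsets: dict) -> int:
    """Rob's suggested per-domain offsets, keyed by domain SID (hypothetical smb.conf values)."""
    domain, rid = split_sid(sid)
    if domain not in offsets:
        raise KeyError("no offset configured for %s; refusing to map rather than allocate" % domain)
    return offsets[domain] + rid

def collisions(sids, mapper):
    """Return {uid: [sids]} for every UID that more than one SID maps to under `mapper`."""
    owners = {}
    for sid in sids:
        owners.setdefault(mapper(sid), []).append(sid)
    return {uid: who for uid, who in owners.items() if len(who) > 1}

if __name__ == "__main__":
    # Two constructed domains both hand out RID 1104: plain RID mapping makes them one Unix identity.
    users = [sid_to_string(SAMPLE_OBJECTSID), "S-1-5-21-9-8-7-1104", "S-1-5-21-9-8-7-1105"]
    print("plain RID mapping:", collisions(users, rid_uid))
    offsets = {"S-1-5-21-1-2-3": 100000, "S-1-5-21-9-8-7": 200000}
    print("with per-domain offsets:", collisions(users, lambda s: offset_uid(s, offsets)))
```

A collision under plain RID mapping means a user in one domain is the Unix owner of the other domain's home directories on a Samba4 file server; the offset variant refuses to map a domain it has no entry for instead of silently allocating.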

Re: [Samba] Samba4 LDAP ACLs - access to POSIX attributes from a non-admin account

2012-12-16 Thread Rob McCorkell
Sorry for the late reply - was running it through testing in our 
environment. But so far it seems to be working a treat! Thanks for this, 
much appreciated.


Rob

On 15/12/12 16:42, Thomas Simmons wrote:

Hello Rob,

You can enable anonymous binding to AD by creating the attribute 
dsHeuristics with a value of 002001001 under the DN:

CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration

The Microsoft instructions mentioned below mention using the ADSI Edit 
tool on Windows, but it can be done with any LDAP editing tool. I just 
tested this on S4 and it appears to work.


See: http://technet.microsoft.com/en-us/library/cc816788(v=ws.10).aspx 





Re: [Samba] Samba4 LDAP ACLs - access to POSIX attributes from a non-admin account

2012-12-15 Thread Rob McCorkell

On 15/12/12 13:31, Achim Gottinger wrote:
It might work if you give Anonymous full read access to the cn=Users 
branch via AD User and Group management.
How is it possible to do this from the Samba4 server? Unfortunately 
Windows is out of the question here, because this will be part of 
Karoshi Server which will be distributed as a self-contained Linux 
distribution. Therefore the ideal solution would be either direct LDAP 
modification, or use of samba-tool or other utilities.


[Samba] Samba4 LDAP ACLs - access to POSIX attributes from a non-admin account

2012-12-14 Thread Rob McCorkell
In our current testing environment, we are using nslcd to get user and 
group information from the Samba4 LDAP server, using the last part of 
objectSid as uidNumber. The configuration is designed to pull down 
unixHomeDirectory and loginShell if they exist, but they default to 
standard values if they do not. nslcd on each machine binds to LDAP 
using a dedicated user account, nslcd-service, and the entire setup 
works pretty well.


But now we have run into a problem - although both POSIX attributes 
exist on a particular user (ismith in this case) they cannot be read by 
the machine using nslcd-service to bind to the LDAP directory. After 
further testing, we found that binding as Administrator makes the 
attributes show up - in fact adding nslcd-service to 'Domain Admins' 
group also lets it see those attributes. Unfortunately both of these 
options are a huge security risk - any server that becomes compromised 
can effectively take control of the Samba4 domain and server, and in 
turn take out the rest of the network.


It seems strange that all normal attributes are perfectly readable by 
any user, while the manually added POSIX attributes are not. I do not 
know enough about AD configuration to figure out where the ACLs are 
stored for this, and documentation has been scarce to say the least. 
Thus I have come to this mailing list for guidance.


An alternative strategy would be to enable anonymous binding on the LDAP 
server, but the (slightly less scarce) documentation shows that to do 
that requires each entry be specifically set to allow this, which seems 
to be more hassle than it is worth. Any help on this would also be 
greatly appreciated.


Thanks,
Rob

Re: [Samba] Samba4 LDAP ACLs - access to POSIX attributes from a non-admin account

2012-12-14 Thread Rob McCorkell
On the samba-technical mailing list there is this exact problem 
detailed, so your help is no longer needed to configure reading of 
unixHomeDirectory and loginShell by other users, but the question about 
anonymous access still stands - it would be much better for each client 
to have anonymous access to LDAP rather than needing the dedicated user, 
which brings with it security holes.


On 14/12/12 18:03, Rob McCorkell wrote:
In our current testing environment, we are using nslcd to get user and 
group information from the Samba4 LDAP server, using the last part of 
objectSid as uidNumber. The configuration is designed to pull down 
unixHomeDirectory and loginShell if they exist, but they default to 
standard values if they do not. nslcd on each machine binds to LDAP 
using a dedicated user account, nslcd-service, and the entire setup 
works pretty well.
