Re: [Samba] Making Linux and domain users the same
On Fri, 2013-03-08 at 13:48 -0500, Michael DePaulo wrote:
> Can somebody confirm that idmap_nss works on Samba4 in AD DC mode?

It does not. However, you should just use nss_winbind on the DC, and so make your AD users local users that way.

> If nobody can, I can test it on my Samba 4.0.3 machine. Currently I'm editing idmap.ldb to map domain users to local unix users.

Did you have a Samba domain before that? We should have done a similar mapping as part of the classicupgrade.

The standard way of doing this is currently to set:

    idmap_ldb:use rfc2307 = yes

in the smb.conf, and use the uidNumber and gidNumber attributes in the directory.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
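Andrew's advice above only works for accounts that actually carry uidNumber and gidNumber, and it goes wrong quietly if two accounts carry the same uidNumber or one carries 0. The script below is an added example, not code from the thread or from Samba: it parses an LDIF dump of the user objects and reports accounts with no RFC2307 mapping, accounts whose uidNumber is root's, and accounts that share a uidNumber. The LDIF it reads is constructed sample data standing in for the output of an `ldbsearch` against sam.ldb (the sam.ldb path in the comment is an assumption; it varies by distribution).

```python
"""Audit RFC2307 attributes (uidNumber/gidNumber) on AD user objects.

Added example; not code from the thread or from Samba. The LDIF below is
constructed sample data standing in for a real dump."""
from collections import defaultdict

# Constructed stand-in for the output of:
#   ldbsearch -H /var/lib/samba/private/sam.ldb '(objectClass=user)' \
#       sAMAccountName uidNumber gidNumber
# (the sam.ldb path is an assumption; it varies by distribution)
SAMPLE_LDIF = """\
dn: CN=joe,CN=Users,DC=example,DC=com
sAMAccountName: joe
uidNumber: 12903
gidNumber: 100

dn: CN=ann,CN=Users,DC=example,DC=com
sAMAccountName: ann
uidNumber: 12904
gidNumber: 100

dn: CN=bob,CN=Users,DC=example,DC=com
sAMAccountName: bob
uidNumber: 12903
gidNumber: 100

dn: CN=svc-backup,CN=Users,DC=example,DC=com
sAMAccountName: svc-backup
uidNumber: 0
gidNumber: 0

dn: CN=carol,CN=Users,DC=example,DC=com
sAMAccountName: carol
"""


def parse_ldif(text):
    """Split LDIF into entries: a list of {attribute: [values]} dicts.
    Folded lines (leading space) are joined; base64 (::) values are kept
    undecoded, since none of the attributes audited here use them."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.lstrip(":").strip())
    if current:
        entries.append(current)
    return entries


def audit(entries):
    """Return {sAMAccountName: [findings]} for accounts with no RFC2307
    mapping (uidNumber or gidNumber missing), a uidNumber of 0, or a
    uidNumber shared with another account. Clean accounts are omitted."""
    findings = defaultdict(list)
    owners = defaultdict(list)  # uidNumber -> account names carrying it
    for entry in entries:
        name = entry.get("sAMAccountName", ["<no sAMAccountName>"])[0]
        uids, gids = entry.get("uidNumber", []), entry.get("gidNumber", [])
        if not uids or not gids:
            findings[name].append("missing uidNumber or gidNumber: no RFC2307 mapping")
            continue
        uid = int(uids[0])
        owners[uid].append(name)
        if uid == 0:
            findings[name].append("uidNumber 0 is root's UID")
    for uid, names in owners.items():
        if len(names) > 1:
            for n in names:
                others = ", ".join(x for x in names if x != n)
                findings[n].append(f"uidNumber {uid} shared with {others}")
    return dict(findings)


if __name__ == "__main__":
    for account, issues in sorted(audit(parse_ldif(SAMPLE_LDIF)).items()):
        for issue in issues:
            print(f"{account}: {issue}")
```

On the sample data this reports carol (no mapping), svc-backup (UID 0) and joe/bob (shared 12903); ann is clean. The same audit applies to an ldapsearch dump from a Windows DC when a member server uses the ad backend, which is the setup Tris describes further down the thread.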
Re: [Samba] Making Linux and domain users the same
Can somebody confirm that idmap_nss works on Samba4 in AD DC mode? If nobody can, I can test it on my Samba 4.0.3 machine. Currently I'm editing idmap.ldb to map domain users to local unix users.

FYI, here is the current manpage:
http://fossies.org/unix/misc/samba-4.0.3.tar.gz:a/samba-4.0.3/docs/manpages/idmap_nss.8

On Thu, Mar 7, 2013 at 5:16 AM, Tris Mabbs <tm-samba201...@firstgrade.co.uk> wrote:
> Hiya Phil,
>
> Thanks for the thanks, and you're most welcome :-) Even if it didn't provide you with a solution, hopefully it gave you some insight into what was going on. I'm really glad the simpler solution worked, and equally glad you've now got it all working - well done.
>
> Now just remember not to turn off NIS :-)
>
> Cheers,
> Tris.
>
> -----Original Message-----
> From: Phil [mailto:org-sa...@freed.com]
> Sent: 06 March 2013 10:14
> To: Tris Mabbs
> Cc: samba
> Subject: Re: [Samba] Making Linux and domain users the same
>
> Thanks once again, Tris. As you see from the previous message, it turns out that there was a simple method to get what I needed. But I still appreciate your help, and the time you took to describe a complex solution in careful detail.
Re: [Samba] Making Linux and domain users the same
Hiya Phil,

Thanks for the thanks, and you're most welcome :-) Even if it didn't provide you with a solution, hopefully it gave you some insight into what was going on. I'm really glad the simpler solution worked, and equally glad you've now got it all working - well done.

Now just remember not to turn off NIS :-)

Cheers,
Tris.

-----Original Message-----
From: Phil [mailto:org-sa...@freed.com]
Sent: 06 March 2013 10:14
To: Tris Mabbs
Cc: samba
Subject: Re: [Samba] Making Linux and domain users the same

Thanks once again, Tris. As you see from the previous message, it turns out that there was a simple method to get what I needed. But I still appreciate your help, and the time you took to describe a complex solution in careful detail.
Re: [Samba] Making Linux and domain users the same
That did it! Thank you very much.

For the benefit of those who come after, here's a bit more detail:

If your Windows domain is WINDOMAIN, add these two lines to the global section of your smb.conf file:

    idmap config windomain : backend = nss
    idmap config windomain : range = 1000-99

This mapped the windows domain users to local NIS-based Unix users. This is what we needed, as users could now manipulate files in their own home directories from their Windows boxes.

Notes:

1) In the idmap statements, the domain must (apparently) be lowercase.

2) In the range statement, make sure that the range of numbers includes all the UIDs of your users. In our case, we had a user with a Unix UID of 96 (bad sysadmin! bad!), so my idmap range was actually 96-99. I didn't confirm that this was necessary.

3) Caveat: One thing was missing: this does *not* fix the user's primary group membership. On our system, for instance, local users belong to the group "user", but Samba users belong to the group "domain users". I haven't checked to see if they are also members of "user" (or of other Unix groups that the local user belongs to), since this wasn't something we needed.

----- Original Message -----
From: TAKAHASHI Motonobu <mo...@monyo.com>
To: org-sa...@freed.com
Cc: samba@lists.samba.org, tm-samba201...@firstgrade.co.uk
Sent: Sunday, March 3, 2013 1:30:52 AM GMT -05:00 US/Canada Eastern
Subject: Re: [Samba] Making Linux and domain users the same

From: org-sa...@freed.com
Date: Sat, 2 Mar 2013 08:44:34 -0500 (EST)
> Is your /etc/nsswitch.conf setup to use winbind?
>
> Yes -- and winbindd is running.
>
>     $ ls -n
>     total 4
>     -rw-r--r-- 1 12903    100      3 Mar 2 03:40 File_Created_In_Linux
>     -rwxrw-rw- 1 16777217 16777216 3 Mar 1 13:12 File_Created_In_Windows
>
> And:
>
>     [global]
>     idmap uid = 16777216-33554431
>
> So your "joe" user is picking up an IDMAPped UID. That's expected behaviour unless Samba is told any other way to map the name to a Unix UID - it needs to get that information from somewhere.

Use idmap_nss instead of idmap_tdb (default). idmap_nss picks uid/gid from /etc/passwd or its alternatives (such as NIS), instead of generating its own value.

---
TAKAHASHI Motonobu <mo...@monyo.com> / @damemonyo
facebook.com/takahashi.motonobu
Re: [Samba] Making Linux and domain users the same
Thanks once again, Tris. As you see from the previous message, it turns out that there was a simple method to get what I needed. But I still appreciate your help, and the time you took to describe a complex solution in careful detail.

----- Original Message -----
From: Tris Mabbs <tm-samba201...@firstgrade.co.uk>
To: Phil Freed <u...@freed.com>
Sent: Saturday, March 2, 2013 6:22:35 PM GMT -05:00 US/Canada Eastern
Subject: RE: [Samba] Making Linux and domain users the same

Hiya Phil,

Glad the message may have been of some interest or use :-)

> If you mean we need a separate LDAP server, I can set that up

- no, no need for that, your PDC will quite happily be doing that for you already and that should be sufficient. The only issue you *might* have with using it is if you do have to disable VLVs within LDAP (and you may not - depends largely on your Linux LDAP client if I remember rightly), you may have problems if you're also running Exchange 2010 - Exchange tends to require VLVs enabled for looking up address books and the like. If you're not running Exchange, it won't be a problem even if you do have to disable VLVs.

Best thing is follow the Linux doc.s to setup LDAP (if it isn't already, and from the sound of things it may be in your inherited setup!); if you hit problems, search the M$ KBs for disabling VLV (I think M$ call it Virtual List View). It's something like: run adsiedit.msc, expand Configuration [DomainController], expand CN=Configuration,DC=DomainName, expand CN=Services, expand CN=Windows NT; right-click CN=Directory Service and pick Properties; in Attributes, click msds-Other-Settings and pick Edit; scroll through the values until you find any DisableVLVSupport=x (where 'x'=0) and change 'x' to 1; if there is no DisableVLVSupport= entry, create one and set it to 1. Or something like that; you may not even need to do it. It's all actually somewhat less complicated than it sounds ...

If you can get the LDAP client configuration correct, and figure out what you actually need from the example I posted, it should all just snap into place and start working. Then you'll sit back, scratch your head and think "Well, if it was that easy, why couldn't I get it working before?" :-) Been there, done that - took me bloomin' ages to get a configuration that worked properly in our setup but now I have it all looks so simple!

> ... abandon this and write a setfacl script to allow both users to access files in the home directories ...

- ah, yes - word of warning about that ... The IDMAP mappings are (potentially) transitory, so you may find that suddenly people can't access things again ... By then, of course, you'll have forgotten how and why you did it (if you're anything like me) and it'll be even more frustrating ...

It really does all work very well, when you have it working - until then, it's a right b!tch ... Still, I'm sure you'll get there :-)

Good luck!

Tris.
[Samba] Making Linux and domain users the same
I have a set of Linux boxes with (nearly) working Samba configurations. Windows users can get in and work with shares. My one problem is that the local user "joe" is not the same as the domain user that logs into Samba. And that means that users cannot access their own home directories, unless I relax the Linux permissions.

This is not surprising, given the way Samba was configured -- but the question now is how can I fix it? I have played with the usermap, but haven't gotten that to work. And I would prefer not to have to map every user on every target box; there are a lot of them. It seems likely that there should be a global solution to this.

The evidence for the problem is clear. Below is a listing of a directory containing two files: one created by the local Linux user, and one created by the same user on a Windows box connecting to the share:

    $ ls -l
    total 4
    -rw-r--r-- 1 joe users        3 Mar 2 03:40 File_Created_In_Linux
    -rwxrw-rw- 1 joe domain users 3 Mar 1 13:12 File_Created_In_Windows
    $ ls -n
    total 4
    -rw-r--r-- 1 12903    100      3 Mar 2 03:40 File_Created_In_Linux
    -rwxrw-rw- 1 16777217 16777216 3 Mar 1 13:12 File_Created_In_Windows

And here is the Samba config:

    [global]
    workgroup = X
    realm = X.com
    netbios aliases = X
    security = DOMAIN
    password server = X
    wins server = X
    ldap ssl = no
    idmap uid = 16777216-33554431
    idmap gid = 16777216-33554431
    template homedir = /usr/acct/%U
    template shell = /bin/tcsh
    winbind cache time = 5
    winbind use default domain = Yes
    create mask = 0777
    directory mask = 0777

    [myshare]
    path = /shares/test
    read only = No

    [homes]
    read only = No

--
Thanks in advance for any light you might shine on this.
Re: [Samba] Making Linux and domain users the same
On Sat, Mar 2, 2013 at 4:21 AM, org-sa...@freed.com wrote:
> I have a set of Linux boxes with (nearly) working Samba configurations. Windows users can get in and work with shares. My one problem is that the local user "joe" is not the same as the domain user that logs into Samba. And that means that users cannot access their own home directories, unless I relax the Linux permissions.
>
> This is not surprising, given the way Samba was configured -- but the question now is how can I fix it? I have played with the usermap, but haven't gotten that to work. And I would prefer not to have to map every user on every target box; there are a lot of them. It seems likely that there should be a global solution to this.
>
> The evidence for the problem is clear. Below is a listing of a directory containing two files: one created by the local Linux user, and one created by the same user on a Windows box connecting to the share:
>
>     $ ls -l
>     total 4
>     -rw-r--r-- 1 joe users        3 Mar 2 03:40 File_Created_In_Linux
>     -rwxrw-rw- 1 joe domain users 3 Mar 1 13:12 File_Created_In_Windows
>     $ ls -n
>     total 4
>     -rw-r--r-- 1 12903    100      3 Mar 2 03:40 File_Created_In_Linux
>     -rwxrw-rw- 1 16777217 16777216 3 Mar 1 13:12 File_Created_In_Windows
>
> And here is the Samba config:
>
>     [global]
>     workgroup = X
>     realm = X.com
>     netbios aliases = X
>     security = DOMAIN
>     password server = X
>     wins server = X
>     ldap ssl = no
>     idmap uid = 16777216-33554431
>     idmap gid = 16777216-33554431
>     template homedir = /usr/acct/%U
>     template shell = /bin/tcsh
>     winbind cache time = 5
>     winbind use default domain = Yes
>     create mask = 0777
>     directory mask = 0777
>
>     [myshare]
>     path = /shares/test
>     read only = No
>
>     [homes]
>     read only = No
>
> --
> Thanks in advance for any light you might shine on this.

Is your /etc/nsswitch.conf setup to use winbind?

John
Re: [Samba] Making Linux and domain users the same
> Is your /etc/nsswitch.conf setup to use winbind?

Yes -- and winbindd is running.

    passwd: files nis winbind
    group:  files nis winbind

Without winbindd, I don't think Windows users could access the shares at all.

It's a good question, though; you have reminded me to mention that the users in question aren't actually local, they come into the system via NIS -- managed by a very old Solaris 6 machine. (!) Don't ask why we're doing it this way; I've inherited the network. I might be able to eliminate NIS authentication, but things are so entwined that I'm reluctant to do so before I've updated some of the other systems. (I don't think NIS changes anything about this question, but it's better to have all the facts.)

----- Original Message -----
From: John Drescher <dresche...@gmail.com>
To: org-sa...@freed.com, samba <samba@lists.samba.org>
Sent: Saturday, March 2, 2013 7:38:56 AM GMT -05:00 US/Canada Eastern
Subject: Re: [Samba] Making Linux and domain users the same

On Sat, Mar 2, 2013 at 4:21 AM, org-sa...@freed.com wrote:
> I have a set of Linux boxes with (nearly) working Samba configurations. Windows users can get in and work with shares. My one problem is that the local user "joe" is not the same as the domain user that logs into Samba. And that means that users cannot access their own home directories, unless I relax the Linux permissions.
>
> This is not surprising, given the way Samba was configured -- but the question now is how can I fix it? I have played with the usermap, but haven't gotten that to work. And I would prefer not to have to map every user on every target box; there are a lot of them. It seems likely that there should be a global solution to this.
>
> The evidence for the problem is clear. Below is a listing of a directory containing two files: one created by the local Linux user, and one created by the same user on a Windows box connecting to the share:
>
>     $ ls -l
>     total 4
>     -rw-r--r-- 1 joe users        3 Mar 2 03:40 File_Created_In_Linux
>     -rwxrw-rw- 1 joe domain users 3 Mar 1 13:12 File_Created_In_Windows
>     $ ls -n
>     total 4
>     -rw-r--r-- 1 12903    100      3 Mar 2 03:40 File_Created_In_Linux
>     -rwxrw-rw- 1 16777217 16777216 3 Mar 1 13:12 File_Created_In_Windows
>
> And here is the Samba config:
>
>     [global]
>     workgroup = X
>     realm = X.com
>     netbios aliases = X
>     security = DOMAIN
>     password server = X
>     wins server = X
>     ldap ssl = no
>     idmap uid = 16777216-33554431
>     idmap gid = 16777216-33554431
>     template homedir = /usr/acct/%U
>     template shell = /bin/tcsh
>     winbind cache time = 5
>     winbind use default domain = Yes
>     create mask = 0777
>     directory mask = 0777
>
>     [myshare]
>     path = /shares/test
>     read only = No
>
>     [homes]
>     read only = No
>
> --
> Thanks in advance for any light you might shine on this.

Is your /etc/nsswitch.conf setup to use winbind?

John
Re: [Samba] Making Linux and domain users the same
Hiya,

Your output shows:

    $ ls -n
    total 4
    -rw-r--r-- 1 12903    100      3 Mar 2 03:40 File_Created_In_Linux
    -rwxrw-rw- 1 16777217 16777216 3 Mar 1 13:12 File_Created_In_Windows

And:

    [global]
    idmap uid = 16777216-33554431

So your "joe" user is picking up an IDMAPped UID. That's expected behaviour unless Samba is told any other way to map the name to a Unix UID - it needs to get that information from somewhere.

This should work when you can get

    wbinfo --uid-info 12903

to give you sensible looking information for your "joe" user.

How do you get to that stage? Well, someone who knows Samba better than I do (so just about anyone ...) can probably correct this, and doubtless say "Good grief, don't do it like THAT!", but what we use is:

smb.conf:

    passdb backend = tdbsam

    idmap config MYDOMAIN : backend = ad
    idmap config MYDOMAIN : range = 100-99
    idmap config MYDOMAIN : schema_mode = rfc2307
    idmap config MYDOMAIN : default = yes
    idmap config * : backend = tdb
    idmap config * : range = 100-199

    map untrusted to domain = yes

    ldap ssl = no
    ldapsam:trusted = yes
    ldapsam:editposix = yes

    # DN used to contact LDAP server.
    # MUST HAVE PASSWORD SET IN secrets.tdb (using "smbpasswd -W")!
    ldap admin dn = CN=LDAP_access_user,CN=Users,DC=MYDOMAIN,DC=COM

    # Set the LDAP connection timeout (allowing for slow responses).
    ldap connection timeout = 60

    # LDAP information.
    ldap suffix = DC=MYDOMAIN,DC=COM
    ldap user suffix = OU=Users
    ldap group suffix = OU=Groups
    ldap machine suffix = OU=Computers
    ldap idmap suffix = OU=Idmap

(obviously replace the "DC=MYDOMAIN,DC=COM" type bits with your own information).

You'll then need a user, "LDAP_access_user" in my example, who has read access to LDAP. Set their password on your Samba server using "smbpasswd -W" (so smbpasswd knows how to authenticate as that user).

Then make sure you have "Identity services for Unix" (or whatever it's called on whichever version of Windows Server you're using on your PDC - Primary Domain Controller - your AD server(s)) installed. Then, in the user-properties (Active Directory Users and Computers) you'll have a bunch of Unix settings you can specify. These will include UID, GID, home directory, shell, etc.

You can do it without loading Identity Services for Unix, but it means potentially going in and editing the LDAP information (not recommended unless you know what you're doing), and possibly even the LDAP schema (really not recommended unless ...). Identity Services for Unix sets all that up for you and gives you a nice, easy way to access the appropriate LDAP objects, in the RFC2307 schema.

This is just one way to configure this, with an LDAP connection (NOT using SSL in our case, as it's completely inside a multiply firewalled network with users who aren't going to poke LDAP themselves - I haven't been bothered to set up the certificates etc. required for an SSL LDAP session), so you need to be aware that what I've listed above uses unencrypted LDAP queries! Oh, you may need to enable that on your PDC as it might be disabled, depending on how you currently have it configured - there's M$ documentation that's easy to find about how to do that.

When an ID mapping is required, an LDAP query is made to find the RFC2307 schema Unix information in AD; that's then used to provide the information to Samba.

This does have a few "Gotcha!"s to be aware of:

1) That configuration is from a Samba 4 smb.conf file. Your mileage may vary depending on what version of Samba you're running.

2) It uses unencrypted LDAP queries. Yes, I know I've already mentioned that but it is a very important point.

3) It uses "map untrusted to domain = yes" - that's appropriate for the setup I'm running but you will want to check the documentation as to whether or not that's appropriate, or required, for your network.

4) You may need to disable VLV (Volume Level View) queries on your LDAP (AD) server. That may or may not be a problem; it probably will be if you're running Exchange 2010. Beware ...

5) This is just one approach, which I threw together to meet our specific needs. There are undoubtedly better ways to do this!

6) DON'T JUST BLINDLY COPY THAT INFORMATION, READ THE APPROPRIATE DOCUMENTATION AND MAKE SURE YOU UNDERSTAND WHAT IS BEING CONFIGURED! I mean, that's just plain common-sense anyway - don't blindly take my, or anyone else's, word for how you should configure anything ... And don't blame me if it goes wrong :-)

There is quite a bit of documentation on the Samba pages about how to do this sort of thing - you should check them first/as well.

Hopefully this might at least point you in the right direction and give you a suitable starting point.

Good luck :-)

Tris.

Ps. If you're stuck using NIS with your old Slowlaris machine, you
Re: [Samba] Making Linux and domain users the same
One other quick point ...

I assume you've got a working LDAP configuration, because your smb.conf included a reference to not using LDAP ssl. If you *haven't* already got a working LDAP configuration, you'll need to set that up first. There's plenty of documentation out there on how to do that on Linux; make sure you set a bind user which matches the (example) "LDAP_access_user" in the smb.conf file. Check that that works with a suitable LDAP query command (that'll be in the documentation) before trying to get your Samba configuration to work, or you'll get nowhere fast ...

You don't actually need a user like that if you're allowing anonymous LDAP binds, but that isn't really recommended (and will doubtless cause loads of warnings to be logged in your PDC event log). Windows doesn't particularly like non-SSL LDAP queries; it *really* doesn't like *anonymous* non-SSL LDAP queries ...

That is, of course, if you decide to go a similar way to the example I sent earlier and not some better way anyway :-)

Good luck!

Tris.
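Tris's configuration in the previous message and Phil's idmap_nss summary further up the thread both hinge on the "idmap config ... : range" lines: every domain, including the "*" default, needs a range, the ranges of different domains must not overlap, and for the nss backend the range has to cover the UIDs of the users it is meant to map, or those users simply stay unmapped (Phil's note about the UID 96 account). The Python script below is an added example, not code from the thread or from Samba: it parses the idmap lines out of an smb.conf, lints the ranges, and lists the users from a passwd dump whose UIDs fall outside the nss-backed domain's range. The smb.conf fragment and passwd lines it reads are constructed, and every range number in it is an assumption (the ranges in the thread's own configs did not survive extraction).

```python
"""Lint the idmap configuration in an smb.conf and check that an
nss-backed domain's range covers the UIDs of the users it should map.

Added example; not code from the thread or from Samba. All sample data
is constructed and the range values are assumptions."""
import re

# Constructed smb.conf fragment. TRUSTED's range deliberately overlaps
# the '*' default range so the lint has something to find.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WINDOMAIN
   security = ads
   idmap config * : backend = tdb
   idmap config * : range = 100000-199999
   idmap config WINDOMAIN : backend = nss
   idmap config WINDOMAIN : range = 1000-9999
   idmap config TRUSTED : backend = rid
   idmap config TRUSTED : range = 150000-299999
"""

# Constructed stand-in for `getent passwd` (local files plus NIS).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
joe:x:12903:100:Joe:/usr/acct/joe:/bin/tcsh
ann:x:1042:100:Ann:/usr/acct/ann:/bin/tcsh
legacy:x:96:100:Legacy:/usr/acct/legacy:/bin/tcsh
"""

IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.*?)\s*$", re.I)


def parse_idmap(conf):
    """Return {domain: {option: value}} from 'idmap config DOM : opt = val'.
    Domain keys are upper-cased only so lookups in this script are
    case-insensitive; this says nothing about what case Samba wants."""
    doms = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            doms.setdefault(dom.upper(), {})[opt.lower()] = val
    return doms


def parse_range(text):
    """Parse 'LOW-HIGH' into (low, high); reject malformed or inverted ranges."""
    low, sep, high = text.partition("-")
    low, high = low.strip(), high.strip()
    if not sep or not low.isdigit() or not high.isdigit():
        raise ValueError(f"malformed range {text!r}")
    low, high = int(low), int(high)
    if low > high:
        raise ValueError(f"range {text!r} has low > high")
    return low, high


def lint(doms):
    """List problems: no '*' default, missing backend or range,
    malformed ranges, and ranges that overlap between domains."""
    problems = []
    if "*" not in doms:
        problems.append("no 'idmap config * : ...' default domain")
    ranges = {}
    for dom, opts in doms.items():
        if "backend" not in opts:
            problems.append(f"{dom}: no backend")
        if "range" not in opts:
            problems.append(f"{dom}: no range")
            continue
        try:
            ranges[dom] = parse_range(opts["range"])
        except ValueError as exc:
            problems.append(f"{dom}: {exc}")
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                problems.append(f"ranges of {a} and {b} overlap")
    return problems


def uncovered_users(doms, domain, passwd):
    """(name, uid) pairs whose UID lies outside `domain`'s range. With the
    nss backend such users are not mapped, so this list should contain
    only accounts you want kept out of SMB (root, system accounts)."""
    low, high = parse_range(doms[domain.upper()]["range"])
    outside = []
    for line in passwd.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid = line.split(":")[:3]
        if not low <= int(uid) <= high:
            outside.append((name, int(uid)))
    return outside


if __name__ == "__main__":
    cfg = parse_idmap(SAMPLE_SMB_CONF)
    for p in lint(cfg):
        print("config:", p)
    for name, uid in uncovered_users(cfg, "WINDOMAIN", SAMPLE_PASSWD):
        print(f"unmapped: {name} (uid {uid})")
```

Against the real system, feed `parse_idmap` the contents of your smb.conf and `uncovered_users` the output of `getent passwd`. Anyone on the resulting list who is supposed to reach their files over SMB needs the range widened (which is exactly the UID 96 case Phil hit); root and the other system accounts should stay on it.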
Re: [Samba] Making Linux and domain users the same
Hmm. On second reading, I see you have me loading Identity Services for Unix on the PDCs. Not a big deal, but the PDCs are another admin's, ummm, domain. I don't want to touch them without checking in first. So this will have to wait till Monday, at least.

----- Original Message -----
From: Phil Freed <u...@freed.com>
To: Tris Mabbs <tm-samba201...@firstgrade.co.uk>
Sent: Saturday, March 2, 2013 7:06:29 PM GMT -05:00 US/Canada Eastern
Subject: Re: [Samba] Making Linux and domain users the same

Thanks again, Tris. Your notes seem most thorough. I especially like the fact that you started with a simple test so I would know when things were working; neat! Based on this, I'm about to embark on a two-hour tour -- one hour less than the ill-fated S.S. Minnow, so maybe I'll be OK.

As for the setfacl script: my plan was to set it up in cron on each of the key systems. That way if they added a user and forgot about permissions, it would automagically fix things. I hadn't thought about the IDMAP changing, but the script can take care of that as well. But ouch! This is sloppy, sloppy, sloppy; a most unsatisfactory way of doing business. If it were not for the time limitations, I would never consider it beyond a temporary band-aid.

Thanks, and wish me luck.

----- Original Message -----
From: Tris Mabbs <tm-samba201...@firstgrade.co.uk>
To: Phil Freed <u...@freed.com>
Sent: Saturday, March 2, 2013 6:22:35 PM GMT -05:00 US/Canada Eastern
Subject: RE: [Samba] Making Linux and domain users the same

Hiya Phil,

Glad the message may have been of some interest or use :-)

> If you mean we need a separate LDAP server, I can set that up

- no, no need for that, your PDC will quite happily be doing that for you already and that should be sufficient. The only issue you *might* have with using it is if you do have to disable VLVs within LDAP (and you may not - depends largely on your Linux LDAP client if I remember rightly), you may have problems if you're also running Exchange 2010 - Exchange tends to require VLVs enabled for looking up address books and the like. If you're not running Exchange, it won't be a problem even if you do have to disable VLVs.

Best thing is follow the Linux doc.s to setup LDAP (if it isn't already, and from the sound of things it may be in your inherited setup!); if you hit problems, search the M$ KBs for disabling VLV (I think M$ call it Virtual List View). It's something like: run adsiedit.msc, expand Configuration [DomainController], expand CN=Configuration,DC=DomainName, expand CN=Services, expand CN=Windows NT; right-click CN=Directory Service and pick Properties; in Attributes, click msds-Other-Settings and pick Edit; scroll through the values until you find any DisableVLVSupport=x (where 'x'=0) and change 'x' to 1; if there is no DisableVLVSupport= entry, create one and set it to 1. Or something like that; you may not even need to do it. It's all actually somewhat less complicated than it sounds ...

If you can get the LDAP client configuration correct, and figure out what you actually need from the example I posted, it should all just snap into place and start working. Then you'll sit back, scratch your head and think "Well, if it was that easy, why couldn't I get it working before?" :-) Been there, done that - took me bloomin' ages to get a configuration that worked properly in our setup but now I have it all looks so simple!

> ... abandon this and write a setfacl script to allow both users to access files in the home directories ...

- ah, yes - word of warning about that ... The IDMAP mappings are (potentially) transitory, so you may find that suddenly people can't access things again ... By then, of course, you'll have forgotten how and why you did it (if you're anything like me) and it'll be even more frustrating ...

It really does all work very well, when you have it working - until then, it's a right b!tch ... Still, I'm sure you'll get there :-)

Good luck!

Tris.
Re: [Samba] Making Linux and domain users the same
From: org-sa...@freed.com
Date: Sat, 2 Mar 2013 08:44:34 -0500 (EST)
> Is your /etc/nsswitch.conf setup to use winbind?
>
> Yes -- and winbindd is running.
>
>     $ ls -n
>     total 4
>     -rw-r--r-- 1 12903    100      3 Mar 2 03:40 File_Created_In_Linux
>     -rwxrw-rw- 1 16777217 16777216 3 Mar 1 13:12 File_Created_In_Windows
>
> And:
>
>     [global]
>     idmap uid = 16777216-33554431
>
> So your "joe" user is picking up an IDMAPped UID. That's expected behaviour unless Samba is told any other way to map the name to a Unix UID - it needs to get that information from somewhere.

Use idmap_nss instead of idmap_tdb (default). idmap_nss picks uid/gid from /etc/passwd or its alternatives (such as NIS), instead of generating its own value.

---
TAKAHASHI Motonobu <mo...@monyo.com> / @damemonyo
facebook.com/takahashi.motonobu