[Samba] RFC2307, AD, and Samba 3.6

2012-08-12 Thread Nick Triantos
Hi all,

I'm still struggling with getting samba 3.6 to use the uids and gids from my 
Active Directory 2008 R2 setup. I can see the users, I just can't get their 
UIDs mapped onto my linux machine.

I've configured AD to use its "services for unix" feature, and through that, I 
got a "Unix Attributes" tab where I could enter fields like uid, home dir, 
shell, and primary GID.

My few questions:

1. Am I supposed to configure Samba to use rfc2307, or sfu?
2. As you can see in my config, below, I've configured an idmap range for the 
AD domain. It seems to be ignored, and instead, my users get placed in the 
wildcard domain's idmap range.
3. I found some advice (don't remember where) to try to delete these files when 
I change this part of my config:
/var/run/samba/gencache*
/var/cache/samba/winbindd_cache.tdb
/var/lib/samba/winbindd_idmap.tdb
Any thoughts about the need/value to delete these temp files is appreciated.
4. Finally, does anyone have suggestions of other things I can try?

thanks very much.

best,
-Nick

[global]   (from my smb.conf)
   workgroup = CORP
   server string = %h server (Samba, Ubuntu)

   security = ADS
   realm = CORP.xxx.COM
   allow trusted domains = yes
   winbind use default domain = yes
   winbind nested groups = YES
   winbind nested groups = YES
   winbind enum groups = yes
   winbind enum users = yes
   winbind nss info = rfc2307
   winbind refresh tickets = yes
   idmap config CORP : backend = ad
   idmap config CORP : schema_mode = rfc2307
   #idmap config CORP : range = 1000 - 9
   idmap config * : default = yes
   #idmap config * : backend = tdb
   #idmap config * : range = 10 - 19
   idmap config * : range = 900 - 1999

   encrypt passwords = true

   obey pam restrictions = yes
   client use spnego = yes
   client ntlmv2 auth = yes
   encrypt passwords = true
   restrict anonymous = 2

When I perform an ldapsearch against my server, I see these attributes, among 
others:

msSFU30Name: nick
msSFU30NisDomain: corp
uidNumber: 1001
gidNumber: 1000
unixHomeDirectory: /home/nick
loginShell: /bin/bash

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] RFC2307, AD, and Samba 3.6

2012-08-12 Thread Gémes Géza

Hi,

Hi all,

I'm still struggling with getting samba 3.6 to use the uids and gids from my 
Active Directory 2008 R2 setup. I can see the users, I just can't get their 
UIDs mapped onto my linux machine.

I've configured AD to use its "services for unix" feature, and through that, I got a 
"Unix Attributes" tab where I could enter fields like uid, home dir, shell, and primary 
GID.

My few questions:

1. Am I supposed to configure Samba to use rfc2307, or sfu?
2. As you can see in my config, below, I've configured an idmap range for the 
AD domain. It seems to be ignored, and instead, my users get placed in the 
wildcard domain's idmap range.
3. I found some advice (don't remember where) to try to delete these files when 
I change this part of my config:
/var/run/samba/gencache*
/var/cache/samba/winbindd_cache.tdb
/var/lib/samba/winbindd_idmap.tdb
 Any thoughts about the need/value to delete these temp files is 
appreciated.
4. Finally, does anyone have suggestions of other things I can try?

thanks very much.

best,
-Nick
According to man idmap_ad you should have a generic idmap backend line 
as well, like:


idmap backend = tdb
idmap uid range = some uninteresting range
idmap gid range = some uninteresting range

I wrote "uninteresting range" because you should specify a range in which you 
haven't placed your users via ADUC.

[global]   (from my smb.conf)
workgroup = CORP
server string = %h server (Samba, Ubuntu)

security = ADS
realm = CORP.xxx.COM
allow trusted domains = yes
winbind use default domain = yes
winbind nested groups = YES
winbind nested groups = YES
winbind enum groups = yes
winbind enum users = yes
winbind nss info = rfc2307
winbind refresh tickets = yes
idmap config CORP : backend = ad
idmap config CORP : schema_mode = rfc2307
#idmap config CORP : range = 1000 - 9
idmap config * : default = yes
#idmap config * : backend = tdb
#idmap config * : range = 10 - 19
idmap config * : range = 900 - 1999

encrypt passwords = true

obey pam restrictions = yes
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = true
restrict anonymous = 2

When I perform an ldapsearch against my server, I see these attributes, among 
others:

msSFU30Name: nick
msSFU30NisDomain: corp
uidNumber: 1001
gidNumber: 1000
unixHomeDirectory: /home/nick
loginShell: /bin/bash


Regards

Geza


Re: [Samba] RFC2307, AD, and Samba 3.6

2012-08-12 Thread steve

On 12/08/12 15:26, Gémes Géza wrote:

Hi,

Hi all,

I'm still struggling with getting samba 3.6 to use the uids and gids
from my Active Directory 2008 R2 setup. I can see the users, I just
can't get their UIDs mapped onto my linux machine.

I've configured AD to use its "services for unix" feature, and
through that, I got a "Unix Attributes" tab where I could enter fields
like uid, home dir, shell, and primary GID.

My few questions:

1. Am I supposed to configure Samba to use rfc2307, or sfu?
2. As you can see in my config, below, I've configured an idmap range
for the AD domain. It seems to be ignored, and instead, my users get
placed in the wildcard domain's idmap range.
3. I found some advice (don't remember where) to try to delete these
files when I change this part of my config:
/var/run/samba/gencache*
/var/cache/samba/winbindd_cache.tdb
/var/lib/samba/winbindd_idmap.tdb
 Any thoughts about the need/value to delete these temp files is
appreciated.
4. Finally, does anyone have suggestions of other things I can try?

thanks very much.

best,
-Nick

According to man idmap_ad you should have a generic idmap backend line
as well, like:

idmap backend = tdb
idmap uid range = some uninteresting range
idmap gid range = some uninteresting range



S3.6 complains about deprecation here and only accepts the gid range.


I wrote "uninteresting range" because you should specify a range in which you
haven't placed your users via ADUC.

[global]   (from my smb.conf)
workgroup = CORP
server string = %h server (Samba, Ubuntu)

security = ADS
realm = CORP.xxx.COM
allow trusted domains = yes
winbind use default domain = yes
winbind nested groups = YES
winbind nested groups = YES
winbind enum groups = yes
winbind enum users = yes
winbind nss info = rfc2307
winbind refresh tickets = yes
idmap config CORP : backend = ad
idmap config CORP : schema_mode = rfc2307
#idmap config CORP : range = 1000 - 9
idmap config * : default = yes
#idmap config * : backend = tdb
#idmap config * : range = 10 - 19
idmap config * : range = 900 - 1999

encrypt passwords = true

obey pam restrictions = yes
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = true
restrict anonymous = 2

When I perform an ldapsearch against my server, I see these
attributes, among others:

msSFU30Name: nick
msSFU30NisDomain: corp
uidNumber: 1001
gidNumber: 1000
unixHomeDirectory: /home/nick
loginShell: /bin/bash


Regards

Geza


Hi
Here is a 3.6.3 config that works against Samba4 AD. There is no need 
for m$ sfu. 2008 R2 and Samba4 both allow full rfc2307 out of the box:


[global]
realm = polop.site
workgroup = ALTEA
security = ADS
winbind enum users = Yes
winbind enum groups = Yes
idmap config *:backend = tdb
idmap config *:range = 3000-4000
idmap config ALTEA:backend = ad
idmap config ALTEA:range = 2-4000
idmap config ALTEA:schema_mode = rfc2307
winbind nss info = rfc2307
winbind expand groups = 2
winbind nested groups = yes
#winbind use default domain = Yes

HTH
Cheers,
Steve

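The idmap points raised in this part of the thread (Geza's note that the generic backend needs its own range, Steve's working 3.6.3 config, and Nick's original config in which the CORP range line is commented out) can be checked mechanically. The script below is an added example written for this page; it is not Samba project code and not anything the posters ran. NICK_CONF and STEVE_CONF are trimmed from the configs quoted above and POSTED_LDIF holds the two values Nick's ldapsearch returned; CORRECTED_CONF and its range numbers are an assumption of what a consistent layout looks like. The checker flags a domain backend that has no range (winbind then falls through to the '*' backend, which is what Nick saw), ranges that overlap, and uidNumber/gidNumber values in the directory that lie outside the 'ad' range, which idmap_ad refuses to map.

```python
"""Check the idmap section of an smb.conf against the POSIX IDs the directory
holds.  Added example for this thread, not Samba project code.  NICK_CONF and
STEVE_CONF are trimmed from the thread; CORRECTED_CONF is an assumption."""
import re
from typing import Dict, List, Optional, Tuple

IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+([^:]+?)\s*:\s*(\w+)\s*=\s*(.*?)\s*$", re.I)
RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")
ID_RE = re.compile(r"^(uidNumber|gidNumber):\s*(\d+)\s*$", re.M)


def parse_idmap(smb_conf: str) -> Dict[str, Dict[str, str]]:
    """{DOMAIN: {option: value}} for every live 'idmap config DOM : opt = val'
    line.  Lines commented out with '#' or ';' are skipped, as smbd skips them."""
    domains: Dict[str, Dict[str, str]] = {}
    for line in smb_conf.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            domains.setdefault(dom, {})[opt] = val
    return domains


def parse_range(value: str) -> Optional[Tuple[int, int]]:
    m = RANGE_RE.match(value.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None


def check_idmap(smb_conf: str, ldif: str = "") -> List[str]:
    """Return findings; an empty list means the idmap setup is consistent."""
    findings: List[str] = []
    domains = parse_idmap(smb_conf)
    ranges: Dict[str, Tuple[int, int]] = {}

    if "backend" not in domains.get("*", {}):
        findings.append("*: no backend declared for the default domain (Samba's default is tdb)")
    for dom, opts in domains.items():
        rng = parse_range(opts["range"]) if "range" in opts else None
        if rng is None:
            if "backend" in opts:
                findings.append(f"{dom}: backend '{opts['backend']}' has no range, so "
                                f"lookups for {dom} fall through to the '*' backend")
            continue
        if rng[0] > rng[1]:
            findings.append(f"{dom}: range {rng[0]}-{rng[1]} is inverted")
            continue
        ranges[dom] = rng

    # Two backends allocating from the same interval is ambiguous: the same
    # uid could end up attached to two different SIDs.
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            lo, hi = max(ranges[a][0], ranges[b][0]), min(ranges[a][1], ranges[b][1])
            if lo <= hi:
                findings.append(f"{a} and {b}: ranges overlap on {lo}-{hi}")

    # idmap_ad only maps IDs that fall inside its own configured range.
    ad_domains = [d for d, o in domains.items()
                  if o.get("backend", "").lower() == "ad" and d in ranges]
    for m in ID_RE.finditer(ldif):
        attr, value = m.group(1), int(m.group(2))
        if ad_domains and not any(ranges[d][0] <= value <= ranges[d][1] for d in ad_domains):
            findings.append(f"{attr} {value} from the directory is outside every 'ad' range "
                            "and will not be mapped")
    return findings


NICK_CONF = """\
[global]
   workgroup = CORP
   security = ADS
   winbind nss info = rfc2307
   idmap config CORP : backend = ad
   idmap config CORP : schema_mode = rfc2307
   #idmap config CORP : range = 1000 - 9
   idmap config * : default = yes
   #idmap config * : backend = tdb
   idmap config * : range = 900 - 1999
"""
STEVE_CONF = """\
[global]
workgroup = ALTEA
security = ADS
idmap config *:backend = tdb
idmap config *:range = 3000-4000
idmap config ALTEA:backend = ad
idmap config ALTEA:range = 2-4000
idmap config ALTEA:schema_mode = rfc2307
"""
CORRECTED_CONF = """\
[global]
   workgroup = CORP
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 10000 - 19999
   idmap config CORP : backend = ad
   idmap config CORP : schema_mode = rfc2307
   idmap config CORP : range = 1000 - 9999
"""
POSTED_LDIF = "uidNumber: 1001\ngidNumber: 1000\n"

if __name__ == "__main__":
    for label, conf in (("Nick", NICK_CONF), ("Steve", STEVE_CONF), ("corrected", CORRECTED_CONF)):
        print(label, "->", check_idmap(conf, POSTED_LDIF) or ["ok"])
```

Run it as is and the three configs give three different verdicts: Nick's loses CORP to the wildcard backend because the only range line for CORP is commented out; Steve's config works on 3.6 but its '*' range (3000-4000) sits entirely inside the ALTEA range (2-4000), so the tdb backend can hand out a number that idmap_ad would also accept from the directory; the corrected layout keeps the two intervals disjoint and the posted uidNumber 1001 / gidNumber 1000 inside the 'ad' range.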


Re: [Samba] RFC2307, AD, and Samba 3.6

2012-08-12 Thread Nick Triantos
Thanks very much.

For some reason, this time, when I uncommented those idmap range lines, it all 
worked.

Steve, to use rfc2307 out of the box, how do I specify uids for my users? I 
installed sfu to get the tab in the Users & Computers where I could set stuff 
like shell, uid, etc.

thanks,
-Nick

On Aug 12, 2012, at 6:26 AM, Gémes Géza wrote:

> Hi,
>> Hi all,
>> 
>> I'm still struggling with getting samba 3.6 to use the uids and gids from my 
>> Active Directory 2008 R2 setup. I can see the users, I just can't get their 
>> UIDs mapped onto my linux machine.
>> 
>> I've configured AD to use its "services for unix" feature, and through 
>> that, I got a "Unix Attributes" tab where I could enter fields like uid, 
>> home dir, shell, and primary GID.
>> 
>> My few questions:
>> 
>> 1. Am I supposed to configure Samba to use rfc2307, or sfu?
>> 2. As you can see in my config, below, I've configured an idmap range for 
>> the AD domain. It seems to be ignored, and instead, my users get placed in 
>> the wildcard domain's idmap range.
>> 3. I found some advice (don't remember where) to try to delete these files 
>> when I change this part of my config:
>>  /var/run/samba/gencache*
>>  /var/cache/samba/winbindd_cache.tdb
>>  /var/lib/samba/winbindd_idmap.tdb
>> Any thoughts about the need/value to delete these temp files is 
>> appreciated.
>> 4. Finally, does anyone have suggestions of other things I can try?
>> 
>> thanks very much.
>> 
>> best,
>> -Nick
> According to man idmap_ad you should have a generic idmap backend line as 
> well, like:
> 
> idmap backend = tdb
> idmap uid range = some uninteresting range
> idmap gid range = some uninteresting range
> 
> I wrote "uninteresting range" because you should specify a range in which you 
> haven't placed your users via ADUC.
>> [global]   (from my smb.conf)
>>workgroup = CORP
>>server string = %h server (Samba, Ubuntu)
>> 
>>security = ADS
>>realm = CORP.xxx.COM
>>allow trusted domains = yes
>>winbind use default domain = yes
>>winbind nested groups = YES
>>winbind nested groups = YES
>>winbind enum groups = yes
>>winbind enum users = yes
>>winbind nss info = rfc2307
>>winbind refresh tickets = yes
>>idmap config CORP : backend = ad
>>idmap config CORP : schema_mode = rfc2307
>>#idmap config CORP : range = 1000 - 9
>>idmap config * : default = yes
>>#idmap config * : backend = tdb
>>#idmap config * : range = 10 - 19
>>idmap config * : range = 900 - 1999
>> 
>>encrypt passwords = true
>> 
>>obey pam restrictions = yes
>>client use spnego = yes
>>client ntlmv2 auth = yes
>>encrypt passwords = true
>>restrict anonymous = 2
>> 
>> When I perform an ldapsearch against my server, I see these attributes, 
>> among others:
>> 
>> msSFU30Name: nick
>> msSFU30NisDomain: corp
>> uidNumber: 1001
>> gidNumber: 1000
>> unixHomeDirectory: /home/nick
>> loginShell: /bin/bash
>> 
> Regards
> 
> Geza



Re: [Samba] RFC2307, AD, and Samba 3.6

2012-08-12 Thread steve

On 08/12/2012 08:49 PM, Nick Triantos wrote:

Thanks very much.

For some reason, this time, when I uncommented those idmap range lines, it all 
worked.

Steve, to use rfc2307 out of the box, how do I specify uids for my users? I 
installed sfu to get the tab in the Users & Computers where I could set stuff 
like shell, uid, etc.

thanks,
-Nick

Hi Nick
We just wrote a quick script to add users and set up some sensible defaults:

In this example:
Our unixHomeDirectory is under /home2 and we gave the Domain Users group 
a gidNumber of 20513.

Our DC is called hh3.

#!/bin/bash
# Excerpt: $1 is the user name, $2 the group subdirectory under /home2, and
# $uid must already hold the next free uid (computed earlier in the script).
samba-tool user add "$1"
echo "Updating directory with uid $uid"
sleep 1
# write the LDIF to a private temp file rather than a predictable /tmp/<name>
ldif=$(mktemp)
trap 'rm -f "$ldif"' EXIT
cat > "$ldif" <<EOF
dn: cn=$1,cn=Users,dc=hh3,dc=site
changetype: modify
add: objectClass
objectClass: posixAccount
-
add: uidNumber
uidNumber: $uid
-
add: gidNumber
gidNumber: 20513
-
add: unixHomeDirectory
unixHomeDirectory: /home2/$2/$1
-
add: loginShell
loginShell: /bin/bash
-
add: profilePath
profilePath: hh30\\profiles\\$1
-
add: homeDirectory
homeDirectory: hh30\\$2\\$1
-
add: homeDrive
homeDrive: Z:
EOF
ldbmodify --url=/usr/local/samba/private/sam.ldb "$ldif"

We also have a full script called s4bind which does everything for users 
and groups for you without ever touching a Windows box:

http://linuxcostablanca.blogspot.com.es/p/s4bind.html
HTH
Steve




Re: [Samba] RFC2307, AD, and Samba 3.6

2012-08-12 Thread steve

On 08/12/2012 08:49 PM, Nick Triantos wrote:

Thanks very much.

For some reason, this time, when I uncommented those idmap range lines, it all 
worked.

Steve, to use rfc2307 out of the box, how do I specify uids for my users? I 
installed sfu to get the tab in the Users & Computers where I could set stuff 
like shell, uid, etc.

thanks,
-Nick

Hi Nick

Just knock up a quick script. Here's one we made using an idea from 
Geza. It's specific to our domain but you can easily change it:


#!/bin/bash
# Usage: <script> <username> <group-subdir>
# Creates the AD user on the DC and adds its RFC2307 (posixAccount) attributes.
set -eu
[ $# -eq 2 ] || { echo "usage: $0 <username> <group-subdir>" >&2; exit 1; }
user=$1
grp=$2
# get next uid: one above the highest uid in the passwd database
# (note that this also sees local accounts such as nobody, usually 65534)
highuid=$(getent passwd | cut -d ":" -f3 | sort -n | tail -1)
uid=$((highuid + 1))
echo "$uid $highuid"
samba-tool user add "$user"
echo "Updating directory with uid $uid"
sleep 1
# write the LDIF to a private temp file (a fixed /tmp/<name> is open to
# symlink tricks) and remove it on exit
ldif=$(mktemp)
trap 'rm -f "$ldif"' EXIT
cat > "$ldif" <<EOF
dn: cn=$user,cn=Users,dc=hh3,dc=site
changetype: modify
add: objectClass
objectClass: posixAccount
-
add: uidNumber
uidNumber: $uid
-
add: gidNumber
gidNumber: 20513
-
add: unixHomeDirectory
unixHomeDirectory: /home2/$grp/$user
-
add: loginShell
loginShell: /bin/bash
-
add: profilePath
profilePath: hh30\\profiles\\$user
-
add: homeDirectory
homeDirectory: hh30\\$grp\\$user
-
add: homeDrive
homeDrive: Z:
EOF
ldbmodify --url=/usr/local/samba/private/sam.ldb "$ldif"
sleep 1
mkdir "/home2/$grp/$user"
chown "$uid:20513" "/home2/$grp/$user"
# So we can login on the DC too if/when we use winbind
ln -s "/home2/$grp/$user" /home/ALTEA
samba-tool user setexpiry "$user" --noexpiry
echo "$user created"
sleep 1
getent passwd "$user"

There is a full-blown (non-domain-specific) set of utilities for 
handling all AD objects from the DC without ever touching an m$ box here:

http://linuxcostablanca.blogspot.com.es/p/s4bind.html

HTH
Steve

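Steve's script derives the new uid from the highest number in getent passwd plus one and then interpolates the user name into the LDIF it feeds to ldbmodify. As an added example for this page (not the posted script and not Samba code), the block below does the same two jobs in a different way: it allocates the lowest unused uidNumber among the values already in the directory, confined to the domain's idmap range, and it builds the posixAccount modify record only after checking that the name is safe to place in a DN and in LDIF lines. SAMPLE_DUMP is constructed, the 1000-1999 range and the staff subdirectory are assumptions, and the DC name hh3 and gidNumber 20513 are reused from the thread.

```python
"""Allocate the next free uidNumber inside the domain's idmap range and emit
the LDIF that gives a new AD user its RFC2307 attributes.  Added example for
this thread, not Samba code and not the posted script.  SAMPLE_DUMP is a
constructed directory dump; the 1000-1999 range is an assumption."""
import re
from typing import Iterable, Set

UID_RE = re.compile(r"^uidNumber:\s*(\d+)\s*$", re.M)
# names are interpolated into a DN and into LDIF, so keep them to a plain set
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def used_uids(ldif_dump: str) -> Set[int]:
    """uidNumber values present in an LDIF dump of the directory."""
    return {int(m.group(1)) for m in UID_RE.finditer(ldif_dump)}


def next_free_uid(used: Iterable[int], low: int, high: int) -> int:
    """Lowest unused number in [low, high].  Reuses gaps and never walks out of
    the idmap range, so a stray local account (nobody is 65534 on Debian and
    Ubuntu) cannot push the allocation outside what idmap_ad will map."""
    taken = set(used)
    for candidate in range(low, high + 1):
        if candidate not in taken:
            return candidate
    raise RuntimeError(f"no free uidNumber left in {low}-{high}")


def posix_ldif(user: str, base_dn: str, uid: int, gid: int,
               home: str, shell: str = "/bin/bash") -> str:
    """LDIF modify record adding posixAccount plus the RFC2307 attributes to
    cn=<user>,cn=Users,<base_dn>, suitable for piping into ldbmodify."""
    if not SAFE_NAME.match(user):
        raise ValueError(f"unsafe user name: {user!r}")
    if uid <= 0 or gid <= 0:
        raise ValueError("uid and gid must be positive")
    if any("\n" in v for v in (base_dn, home, shell)):
        raise ValueError("attribute values must not contain newlines")
    record = [
        f"dn: cn={user},cn=Users,{base_dn}",
        "changetype: modify",
        "add: objectClass", "objectClass: posixAccount", "-",
        "add: uidNumber", f"uidNumber: {uid}", "-",
        "add: gidNumber", f"gidNumber: {gid}", "-",
        "add: unixHomeDirectory", f"unixHomeDirectory: {home}", "-",
        "add: loginShell", f"loginShell: {shell}",
    ]
    return "\n".join(record) + "\n"


# Constructed dump: three users, with 1002 free between bob and carol.
SAMPLE_DUMP = """\
dn: cn=alice,cn=Users,dc=hh3,dc=site
uidNumber: 1000
gidNumber: 20513

dn: cn=bob,cn=Users,dc=hh3,dc=site
uidNumber: 1001
gidNumber: 20513

dn: cn=carol,cn=Users,dc=hh3,dc=site
uidNumber: 1003
gidNumber: 20513
"""

if __name__ == "__main__":
    import sys
    name = sys.argv[1] if len(sys.argv) > 1 else "nick"
    # In practice the dump comes from the DC, e.g.
    #   ldbsearch -H /usr/local/samba/private/sam.ldb '(uidNumber=*)' uidNumber
    # and the output goes to: ldbmodify -H /usr/local/samba/private/sam.ldb
    uid = next_free_uid(used_uids(SAMPLE_DUMP), 1000, 1999)
    sys.stdout.write(posix_ldif(name, "dc=hh3,dc=site", uid, 20513, f"/home2/staff/{name}"))
```

Run without arguments it prints the record for "nick" with uidNumber 1002; a name such as "nick,cn=Administrators" is rejected before any LDIF is produced, which is the check the shell version lacks when `$1` is expanded straight into the dn line.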