[Samba] Re: ldapsearch and getent passd/group with nss winbind differs

2008-08-26 Thread Andreas Ladanyi

Hi Doug,

I read your mail intently and would like to thank you for your detailed 
illustration. ;-)


I will change the parameter you suggest and do some more tests to 
check my understanding.


Bye,
Andy



Re: [Samba] Re: ldapsearch and getent passd/group with nss winbind differs

2008-08-25 Thread Doug VanLeuven

Andreas Ladanyi wrote:

There is one UNIX attribute tab and one Members Of tab.
During some tests we discovered the following facts:
In UNIX attribute tab:

winbind is only interested in the UID field -
in ldap tree the attribute uidnumber.
If you're talking SFU, it doesn't use uidnumber.  It uses attribute 
msSFU30UidNumber and displays UID on the Unix Attributes tab.
I don't have a Windows 2003 R2 for comparison.  Are you really using 
SFU (Services For Unix 3.0) or do you have the newer 2003 R2?


I use 2003 R2 and installed the Unix plugin for the AD schema 
extension from the Windows component setup.

OK.  You probably have the rfc2307 attributes.


From rfc2307:

2.2. Attributes

  The attributes and classes defined in this document are summarized
  below.

  The following attributes are defined in this document:

  uidNumber
  gidNumber
  gecos
  homeDirectory
  loginShell
  ...(more attributes)...
This isn't winbind nss info = sfu template, it's nss info = rfc2307 template.
SFU is strictly for MS (c) Services for Unix, which added alien attribute names 
to the tree.
SFU attributes are named thus:
 msSFU30UidNumber
 msSFU30GidNumber
 msSFU30Gecos
 msSFU30HomeDirectory
 msSFU30LoginShell

If I remember the idmap_ad code correctly, idmap_ad queries for each style 
attribute
and remembers what it finds.  For basic samba functionality, you don't
need to know your windows schema extension.  The winbind nss plugin will care 
though.

Winbind will pick up the uidNumber for users and the gidNumber for groups
but group membership will be determined by the windows group membership.
The gid numbers of the windows groups will come from your unix tab.
Put another way, winbind will look up the SIDs of your windows group membership
and look up the gidNumber attribute for those SIDs.
You only have to synchronize the unix tab group membership if you are using
the windows NFS server.  Windows will use those numbers when it exports NFS
shares and sets NFS acls.
I used perl LDAP scripting to check the synchronization, because I needed
NFS shares in windows and wanted the acl permissions consistent.



The other attributes from the UNIX attribute tab are written to the LDAP 
tree, but not used by winbind on the Linux side.

For example we set the following parameter in smb.conf:
winbind nss info = sfu
Of course we could define our own template shell/home with the 
template homedir and template shell parameters, but it's better if 
SFU works, so we would configure this via the tab.
Winbind only uses this parameter when it creates a Unix account.  
Which shouldn't happen for your AD domain members if your AD is 
mapped correctly.
Winbind uses this parameter only if it creates a Unix account? In 
case I create a Unix account with adduser on the terminal?
The mapping seems to be correct if I have a look at getent passwd + 
getent group


The primary Group is written to the ldap tree but not used by 
winbind on the unix side.

I meant the primary Group text field from the UNIX attribute tab 
seems to be NOT used by winbind.

The primary group which you can set by clicking the button primary group 
in the Members Of tab IS USED by winbind perfectly.
I am sorry if my explanation wasn't clear in my last posting.

# net ads testjoin
Join is OK

# wbinfo -i forest\\jdoe
FOREST\jdoe:*:525:100:John Doe:/home/jdoe:/bin/bash
# getent passwd|grep jdoe
FOREST\jdoe:*:525:100:John Doe:/home/jdoe:/bin/bash

# getent group|grep 100
FOREST\domain users:x:100:

You can set the value msSFU30Gecos and winbind will report it, 
otherwise Display Name is used.



In Members Of tab:

In this tab you can choose a group from a list and there is a button 
with which you can set a Unix primary group by clicking. This will be read by 
winbind only. But this has no effect on the primary group ID on the 
UNIX attribute tab.


What do you say? Did we configure something wrong? Is this the 
normal function?

I needed to use the idmap config values:
   idmap domains = FOREST
   idmap config FOREST:readonly = yes
   idmap config FOREST:backend = ad
   idmap config FOREST:range = 0 - 2
   idmap config FOREST:schema_mode = sfu

   idmap alloc backend = tdb
   idmap alloc config:range = 5-50999

and of course in nsswitch.conf:
passwd: compat winbind
group:  compat winbind

some people like to use files instead of compat, but that's about 
NIS semantics and doesn't matter to winbind.



 winbind separator = /
 winbind enum users = yes
 winbind enum groups = yes
 winbind cache time = 60
 idmap backend = ad
 idmap uid = 6000-27000
 idmap gid = 600-7000
 template shell = /bin/bash
 template homedir = /home/%U
 winbind use default domain = yes
 winbind refresh tickets = yes
 allow trusted domains = yes
 winbind nss info =  sfu  template

Should probably be winbind nss info =  rfc2307  template
FYI, you've specified 
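
Doug mentions checking the synchronization with perl LDAP scripting. The following is an added example, not code from the thread or from Samba, that does the same kind of check in Python on constructed sample data: it parses `getent group` output and compares it with the Windows membership (memberOf) and the UNIX tab membership (msSFU30PosixMemberOf) of each group. The group DNs, user names and the reading of an NSS/memberOf mismatch as a stale cache are this example's assumptions.

```python
"""Added example, not from the thread: compare the group membership winbind
reports via NSS (it follows the Windows memberOf and only takes gidNumber
from the UNIX tab) with the POSIX membership stored in AD
(msSFU30PosixMemberOf). All data below is constructed sample data."""
from dataclasses import dataclass
from typing import FrozenSet, Optional

@dataclass
class ADGroup:
    dn: str
    name: str                  # sAMAccountName
    gid_number: Optional[int]  # gidNumber / msSFU30GidNumber, None if unset

@dataclass
class ADUser:
    name: str
    member_of: FrozenSet[str]        # Windows membership: memberOf DNs
    posix_member_of: FrozenSet[str]  # UNIX tab: msSFU30PosixMemberOf DNs

def parse_getent_group(text, separator="\\"):
    """Parse `getent group` output into {group: (gid, members)}, stripping
    the DOMAIN<separator> prefix winbind puts in front of names."""
    def strip_domain(name):
        return name.split(separator, 1)[1] if separator in name else name
    result = {}
    for line in text.splitlines():
        if line.strip():
            name, _pw, gid, members = line.split(":", 3)
            result[strip_domain(name)] = (int(gid), frozenset(
                strip_domain(m) for m in members.split(",") if m))
    return result

def members_by_group(users, groups, attr):
    """{group name: set of user names} taken from each user's `attr` DN list."""
    by_dn = {g.dn: g.name for g in groups}
    view = {g.name: set() for g in groups}
    for u in users:
        for dn in getattr(u, attr):
            if dn in by_dn:
                view[by_dn[dn]].add(u.name)
    return view

def find_drift(getent_text, users, groups, separator="\\"):
    """Return (kind, group, details) findings; an empty list means consistent."""
    nss = parse_getent_group(getent_text, separator)
    windows = members_by_group(users, groups, "member_of")
    posix = members_by_group(users, groups, "posix_member_of")
    findings = []
    for g in groups:
        if g.gid_number is None:  # winbind cannot map a group without a gid
            if posix[g.name]:
                findings.append(("no-gid", g.name, sorted(posix[g.name])))
            continue
        if g.name not in nss:
            findings.append(("missing-in-nss", g.name, []))
            continue
        gid, nss_members = nss[g.name]
        if gid != g.gid_number:
            findings.append(("gid-mismatch", g.name, [gid, g.gid_number]))
        if nss_members != windows[g.name]:  # assumed: stale winbindd_cache.tdb
            findings.append(("nss-stale", g.name, sorted(nss_members ^ windows[g.name])))
        for kind, diff in (("only-in-windows", nss_members - posix[g.name]),
                           ("only-in-posix", posix[g.name] - nss_members)):
            if diff:
                findings.append((kind, g.name, sorted(diff)))
    return findings

# Constructed sample: asmith was added on the Windows side only, bnorth on the
# UNIX tab only, and nfsusers never got a gidNumber on its UNIX tab.
GROUPS = [ADGroup("CN=unixadmins,OU=Groups,DC=forest,DC=example", "unixadmins", 1001),
          ADGroup("CN=nfsusers,OU=Groups,DC=forest,DC=example", "nfsusers", None)]
USERS = [ADUser("jdoe", frozenset({GROUPS[0].dn}), frozenset({GROUPS[0].dn})),
         ADUser("asmith", frozenset({GROUPS[0].dn}), frozenset()),
         ADUser("bnorth", frozenset(), frozenset({GROUPS[0].dn, GROUPS[1].dn}))]
GETENT = "FOREST\\unixadmins:x:1001:FOREST\\jdoe,FOREST\\asmith\n"
```

`find_drift(GETENT, USERS, GROUPS)` reports asmith as Windows-only, bnorth as UNIX-tab-only and nfsusers as unmappable; feeding it real `getent group` output and entries fetched with ldapsearch gives the check Doug describes.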

Re: [Samba] Re: ldapsearch and getent passd/group with nss winbind differs

2008-08-24 Thread Doug VanLeuven

Andreas Ladanyi wrote:

Hey Jerry,

Gerald (Jerry) Carter schrieb:

Andreas Ladanyi wrote:


OK! Could it be true that this behavior is different between
security=domain and security=ads?

Because we had to put the user into the group:
- first on the Windows side in Active Directory
- second on the Unix side in AD in the tab Members Of

so the winbind 3.0.24 client recognised the group membership on the Unix side 
in security=domain mode.


Now we changed to Samba 3.0.31 with security=ads mode and the 
behavior is a bit different.


You lost me here.  Maybe due to the fact that I am accustomed
to the Windows 2003 R2 Unix Attribute tab.  The only Members
Of tab I see is to control the Windows group memberships.

The reason for my message is a little confusion:
In general you are right ;-)

Good thing too, because he's one of the primary samba developers =-O


There is one UNIX attribute tab and one Members Of tab.
During some tests we discovered the following facts:
In UNIX attribute tab:

winbind is only interested in the UID field -
in ldap tree the attribute uidnumber.
If you're talking SFU, it doesn't use uidnumber.  It uses attribute 
msSFU30UidNumber and displays UID on the Unix Attributes tab.
I don't have a Windows 2003 R2 for comparison.  Are you really using SFU 
(Services For Unix 3.0) or do you have the newer 2003 R2?
The other attributes from the UNIX attribute tab are written to the LDAP 
tree, but not used by winbind on the Linux side.

For example we set the following parameter in smb.conf:
winbind nss info = sfu
Of course we could define our own template shell/home with the 
template homedir and template shell parameters, but it's better if 
SFU works, so we would configure this via the tab.
Winbind only uses this parameter when it creates a Unix account.  Which 
shouldn't happen for your AD domain members if your AD is mapped correctly.


The primary Group is written to the ldap tree but not used by 
winbind on the unix side.

# net ads testjoin
Join is OK

# wbinfo -i forest\\jdoe
FOREST\jdoe:*:525:100:John Doe:/home/jdoe:/bin/bash
# getent passwd|grep jdoe
FOREST\jdoe:*:525:100:John Doe:/home/jdoe:/bin/bash

# getent group|grep 100
FOREST\domain users:x:100:

You can set the value msSFU30Gecos and winbind will report it, otherwise 
Display Name is used.



In Members Of tab:

In this tab you can choose a group from a list and there is a button 
with which you can set a Unix primary group by clicking. This will be read by 
winbind only. But this has no effect on the primary group ID on the 
UNIX attribute tab.


What do you say? Did we configure something wrong? Is this the 
normal function?

I needed to use the idmap config values:
   idmap domains = FOREST
   idmap config FOREST:readonly = yes
   idmap config FOREST:backend = ad
   idmap config FOREST:range = 0 - 2
   idmap config FOREST:schema_mode = sfu

   idmap alloc backend = tdb
   idmap alloc config:range = 5-50999

and of course in nsswitch.conf:
passwd: compat winbind
group:  compat winbind

some people like to use files instead of compat, but that's about 
NIS semantics and doesn't matter to winbind.



Regards, Doug

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
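
As an added example (not from the thread or from Samba), a small model of the attribute naming Doug describes: the same passwd line is built from either the msSFU30* attributes (SFU 3.0) or the rfc2307 attributes (2003 R2), the gecos falls back to Display Name as noted above, and a missing shell or home falls back to the template values. The lookup order, the `%U` substitution and the sample entries are this example's assumptions, not winbind's code.

```python
"""Added example, not from the thread or from Samba: a model of how a user's
UNIX attributes become a passwd line under the two schema styles the thread
contrasts (SFU 3.0 msSFU30* names vs. the rfc2307 names on 2003 R2), with
gecos falling back to displayName and shell/home to the template values.
The lookup order is this example's assumption, not winbind's code; the
entries are constructed sample data."""
from typing import Dict, Optional

# Attribute names per schema style; the passwd fields they feed are the same.
SCHEMAS = {
    "sfu": {"uid": "msSFU30UidNumber", "gid": "msSFU30GidNumber",
            "gecos": "msSFU30Gecos", "home": "msSFU30HomeDirectory",
            "shell": "msSFU30LoginShell"},
    "rfc2307": {"uid": "uidNumber", "gid": "gidNumber", "gecos": "gecos",
                "home": "homeDirectory", "shell": "loginShell"},
}

def detect_schema(entry: Dict[str, str]) -> Optional[str]:
    """Try each attribute style and remember the one whose UID attribute is
    present, which is how the thread describes idmap_ad behaving."""
    for style, attrs in SCHEMAS.items():
        if attrs["uid"] in entry:
            return style
    return None

def passwd_line(entry, domain, separator="\\", template_shell="/bin/bash",
                template_homedir="/home/%U"):
    """Build a `getent passwd` style line, or None if the user has no UNIX
    identity that winbind could map. %U stands for the account name here."""
    style = detect_schema(entry)
    if style is None:
        return None
    attrs = SCHEMAS[style]
    if attrs["gid"] not in entry:
        return None  # a UID without a primary gid is not a usable account
    account = entry["sAMAccountName"]
    gecos = entry.get(attrs["gecos"]) or entry.get("displayName", "")
    home = entry.get(attrs["home"]) or template_homedir.replace("%U", account)
    shell = entry.get(attrs["shell"]) or template_shell
    return (f"{domain}{separator}{account}:*:{int(entry[attrs['uid']])}:"
            f"{int(entry[attrs['gid']])}:{gecos}:{home}:{shell}")

# Constructed sample entries (values as an ldapsearch would return them).
SFU_USER = {"sAMAccountName": "jdoe", "displayName": "John Doe",
            "msSFU30UidNumber": "525", "msSFU30GidNumber": "100",
            "msSFU30HomeDirectory": "/home/jdoe", "msSFU30LoginShell": "/bin/bash"}
R2_USER = {"sAMAccountName": "asmith", "displayName": "Alice Smith",
           "uidNumber": "526", "gidNumber": "100", "gecos": "Alice S."}
NO_UNIX = {"sAMAccountName": "guest", "displayName": "Guest"}

if __name__ == "__main__":
    for user in (SFU_USER, R2_USER, NO_UNIX):
        print(detect_schema(user), passwd_line(user, "FOREST"))
```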


[Samba] Re: ldapsearch and getent passd/group with nss winbind differs

2008-08-24 Thread Andreas Ladanyi

There is one UNIX attribute tab and one Members Of tab.
During some tests we discovered the following facts:
In UNIX attribute tab:

winbind is only interested in the UID field -
in ldap tree the attribute uidnumber.
If you're talking SFU, it doesn't use uidnumber.  It uses attribute 
msSFU30UidNumber and displays UID on the Unix Attributes tab.
I don't have a Windows 2003 R2 for comparison.  Are you really using SFU 
(Services For Unix 3.0) or do you have the newer 2003 R2?


I use 2003 R2 and installed the Unix plugin for the AD schema 
extension from the Windows component setup.


The other attributes from the UNIX attribute tab are written to the LDAP 
tree, but not used by winbind on the Linux side.

For example we set the following parameter in smb.conf:
winbind nss info = sfu
Of course we could define our own template shell/home with the 
template homedir and template shell parameters, but it's better if 
SFU works, so we would configure this via the tab.
Winbind only uses this parameter when it creates a Unix account.  Which 
shouldn't happen for your AD domain members if your AD is mapped correctly.


Winbind uses this parameter only if it creates a Unix account? In 
case I create a Unix account with adduser on the terminal?


The mapping seems to be correct if I have a look at getent passwd + 
getent group


The primary Group is written to the ldap tree but not used by 
winbind on the unix side.


I meant the primary Group text field from the UNIX attribute tab 
seems to be NOT used by winbind.


The primary group which you can set by clicking the button primary group 
in the Members Of tab IS USED by winbind perfectly.


I am sorry if my explanation wasn't clear in my last posting.



# net ads testjoin
Join is OK

# wbinfo -i forest\\jdoe
FOREST\jdoe:*:525:100:John Doe:/home/jdoe:/bin/bash
# getent passwd|grep jdoe
FOREST\jdoe:*:525:100:John Doe:/home/jdoe:/bin/bash

# getent group|grep 100
FOREST\domain users:x:100:

You can set the value msSFU30Gecos and winbind will report it, otherwise 
Display Name is used.



In Members Of tab:

In this tab you can choose a group from a list and there is a button 
with which you can set a Unix primary group by clicking. This will be read by 
winbind only. But this has no effect on the primary group ID on the 
UNIX attribute tab.


What do you say? Did we configure something wrong? Is this the 
normal function?

I needed to use the idmap config values:
   idmap domains = FOREST
   idmap config FOREST:readonly = yes
   idmap config FOREST:backend = ad
   idmap config FOREST:range = 0 - 2
   idmap config FOREST:schema_mode = sfu

   idmap alloc backend = tdb
   idmap alloc config:range = 5-50999

and of course in nsswitch.conf:
passwd: compat winbind
group:  compat winbind

some people like to use files instead of compat, but that's about 
NIS semantics and doesn't matter to winbind.



 winbind separator = /
 winbind enum users = yes
 winbind enum groups = yes
 winbind cache time = 60
 idmap backend = ad
 idmap uid = 6000-27000
 idmap gid = 600-7000
 template shell = /bin/bash
 template homedir = /home/%U
 winbind use default domain = yes
 winbind refresh tickets = yes
 allow trusted domains = yes
 winbind nss info =  sfu  template

My nsswitch.conf is like yours.

We want to use compat mode because we hope we could exclude some 
users from login. Isn't this possible with winbind?!


Alternatively, I know pam_require. Do you know of a way to do this 
task?


Is there a part of the documentation that shows the LDAP attributes 
used by winbind? Or do I have to look this up in the source code :-)



Thanks a lot for your posting,

Andy





Regards, Doug





[Samba] Re: ldapsearch and getent passd/group with nss winbind differs

2008-08-23 Thread Andreas Ladanyi

Hey Jerry,

Gerald (Jerry) Carter schrieb:


Andreas Ladanyi wrote:


OK! Could it be true that this behavior is different between
security=domain and security=ads?

Because we had to put the user into the group:
- first on the Windows side in Active Directory
- second on the Unix side in AD in the tab Members Of

so the winbind 3.0.24 client recognised the group membership 
on the Unix side in security=domain mode.


Now we changed to Samba 3.0.31 with security=ads 
mode and the behavior is a bit different.


You lost me here.  Maybe due to the fact that I am accustomed
to the Windows 2003 R2 Unix Attribute tab.  The only Members
Of tab I see is to control the Windows group memberships.



The reason for my message is a little confusion:

In general you are right ;-)

There is one UNIX attribute tab and one Members Of tab.

During some tests we discovered the following facts:

In UNIX attribute tab:


winbind is only interested in the UID field -
in ldap tree the attribute uidnumber.

The other attributes from the UNIX attribute tab are written to the LDAP tree, 
but not used by winbind on the Linux side.


For example we set the following parameter in smb.conf:

winbind nss info = sfu

Of course we could define our own template shell/home with the template 
homedir and template shell parameters, but it's better if SFU works, 
so we would configure this via the tab.


The primary Group is written to the ldap tree but not used by winbind 
on the unix side.


In Members Of tab:


In this tab you can choose a group from a list and there is a button with 
which you can set a Unix primary group by clicking. This will be read by winbind 
only. But this has no effect on the primary group ID on the UNIX 
attribute tab.





What do you say? Did we configure something wrong? Is this the normal 
function?


Thanks,
Andy












Re: [Samba] Re: ldapsearch and getent passd/group with nss winbind differs

2008-08-21 Thread Gerald (Jerry) Carter

Andreas Ladanyi wrote:

 OK! Could it be true that this behavior is different between
 security=domain and security=ads?
 
 Because we had to put the user into the group:
 - first on the Windows side in Active Directory
 - second on the Unix side in AD in the tab Members Of
 
 so the winbind 3.0.24 client recognised the group membership 
 on the Unix side in security=domain mode.
 
 Now we changed to Samba 3.0.31 with security=ads 
 mode and the behavior is a bit different.

You lost me here.  Maybe due to the fact that I am accustomed
to the Windows 2003 R2 Unix Attribute tab.  The only Members
Of tab I see is to control the Windows group memberships.

If I understand you correctly, you want to define a
different Unix group membership for the user rather than
honoring the Windows group membership.  Did I understand
you correctly?



cheers, jerry
--
Samba  -  http://www.samba.org
Likewise Software  -  http://www.likewisesoftware.com
What man is a man who does not make the world better?  --Balian


[Samba] Re: ldapsearch and getent passd/group with nss winbind differs

2008-08-20 Thread Andreas Ladanyi

Hi Jerry,


Gerald (Jerry) Carter schrieb:


Andreas Ladanyi wrote:

Hi,

after deleting winbindd_idmap and winbindd_cache.tdb files:

For security=domain AND security=ADS!

wbinfo -u / -g / -t are OK!

getent passwd is OK.

getent group shows different group memberships than ldapsearch with filter
msSFU30PosixMemberOf.




Winbind honors the Windows group membership and not
necessarily msSFU30PosixMemberOf attributes.


So it should be enough if you give the Windows group a GID in the tab UNIX 
attribute in Active Directory and you have to do nothing else on the 
Linux side?!





smb.conf - winbind:

winbind separator = /
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 60
idmap backend = ad
idmap uid = 6000-27000
idmap gid = 600-7000
template shell = /bin/bash
template homedir  = /home/%u
winbind use default domain = yes
winbind refresh tickets = yes
winbind nss info =  template sfu

Any ideas?

Andy








Re: [Samba] Re: ldapsearch and getent passd/group with nss winbind differs

2008-08-20 Thread Gerald (Jerry) Carter

Andreas Ladanyi wrote:

 Winbind honors the Windows group membership and not
 necessarily msSFU30PosixMemberOf attributes.
 
 So it should be enough if you give the Windows group a GID in the tab UNIX
 attribute in Active Directory and you have to do nothing else on the
 Linux side?!


Yup.


[Samba] Re: ldapsearch and getent passd/group with nss winbind differs

2008-08-20 Thread Andreas Ladanyi


Andreas Ladanyi wrote:


Winbind honors the Windows group membership and not
necessarily msSFU30PosixMemberOf attributes.


So it should be enough if you give the Windows group a GID in the tab UNIX
attribute in Active Directory and you have to do nothing else on the
Linux side?!



Yup.


OK! Could it be true that this behavior is different between 
security=domain and security=ads?


Because we had to put the user into the group:
- first on the Windows side in Active Directory
- second on the Unix side in AD in the tab Members Of

so the winbind 3.0.24 client recognised the group membership on the Unix side in 
security=domain mode.


Now we changed to Samba 3.0.31 with security=ads mode and the behavior 
is a bit different.


??



