[Samba] Some Clarification?


Stuart Sheldon

Apr 12, 2013, 11:50:04 AM

Hi All,

I've been playing with Samba 4.0.x in the lab for about a week or so,
and have figured out a reasonable portion of the required settings to
also use the AD server as a Unix server. I do have some additional
questions regarding scaling that I have not found the answers to. I'm
hoping you good folks can steer me in the right direction, or confirm my
ideas of how this whole AD Controller thing works...

I'm using winbind for Unix authentication via PAM, and have configured
NSS to use winbind for passwd and group enumeration. Took me quite a
while to figure out that users would need to auth into kerberos before
winbind would return info to NSS. Someone might want to update the wiki
on that... I do have some questions though regarding winbind and idmaps
in 4.0.5:

We currently deploy OpenLDAP as our core user management platform. This
has allowed us to avoid the need for winbind and the whole 3.x issue of
idmaps varying between our Linux systems. I've been trying to figure out
if the whole idmap sync issue is solved in 4.0.x? Can I just use the
default smb.conf generated settings for winbind and idmap and still have
consistent mappings between different hosts? If not, how can I
accomplish this in 4.0.x?

One other thing I noticed, was that when the Windows AD tools are used
to create a user and home directory, the permissions are a bit funky...
If a user logs into the system via ssh or at the console, they are
unable to create files in their home directory. I resolved this by
setting the ACLs in the home root to give the desired permissions when
the user first logs in via console or ssh, but if the directory is
created by the Windows GUI, it basically locks out writes for the user
in their own home directory in a shell. Is there any plan to correct
this in future releases?

That's it for now, I'm sure the answers will bring me back with more
questions.

Thanks to all who will respond...

Stu

Stuart Sheldon
ACT USA


--
"Sometimes I lie awake at night and I ask, "Why me?", then a voice
answers "Nothing personal, your name just happened to come up."
-- Charles M. Schulz
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Andrew Bartlett

Apr 13, 2013, 3:00:01 AM
On Fri, 2013-04-12 at 08:40 -0700, Stuart Sheldon wrote:
> Hi All,
>
> I've been playing with Samba 4.0.x in the lab for about a week or so,
> and have figured out a reasonable portion of the required settings to
> also use the AD server as a Unix server. I do have some additional
> questions regarding scaling that I have not found the answers to. I'm
> hoping you good folks can steer me in the right direction, or confirm my
> ideas of how this whole AD Controller thing works...
>
> I'm using winbind for Unix authentication via PAM, and have configured
> NSS to use winbind for passwd and group enumeration. Took me quite a
> while to figure out that users would need to auth into kerberos before
> winbind would return info to NSS. Someone might want to update the wiki
> on that...

That doesn't sound right. The user information can be obtained, but it
certainly is faster and more effective when we have the PAC cached.

> I do have some questions though regarding winbind and idmaps
> in 4.0.5:
>
> We currently deploy OpenLDAP as our core user management platform. This
> has allowed us to avoid the need for winbind and the whole 3.x issue of
> idmaps varying between our Linux systems. I've been trying to figure out
> if the whole idmap sync issue is solved in 4.0.x? Can I just use the
> default smb.conf generated settings for winbind and idmap and still have
> consistent mappings between different hosts? If not, how can I
> accomplish this in 4.0.x?

If you have an existing OpenLDAP system, and are using Samba 3.x, do you
have an existing Samba 3.x 'classic' domain?

If so, then the samba-tool domain classicupgrade command will import
those existing id mappings into our AD database, and set the smb.conf
option to use it.

You can then configure Samba winbind clients to also use that rfc2307
configuration, using idmap_ad.

You will need to set any uid/gid values you wish to be consistent across
your domain manually, as we do not have a distributed allocator for
those. Any values not set in the directory will be set in idmap.ldb on
each DC, and may differ between DCs (and potentially clients).

I hope this clarifies things for you, or gives you somewhere to start
your research.

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org

Stuart Sheldon

Apr 13, 2013, 12:10:02 PM

Thanks for the response Andrew,

Using ad for my idmap sounds like what I'm looking for. I'm having
problems finding how I add the map ids to the AD manually for new users.
Could you direct me to some information regarding cli tools to do that?

Thanks Again,

Stu

steve

Apr 13, 2013, 12:30:02 PM
On 13/04/13 18:06, Stuart Sheldon wrote:
> Thanks for the response Andrew,
>
> Using ad for my idmap sounds like what I'm looking for. I'm having
> problems finding how I add the map ids to the AD manually for new users.
> Could you direct me to some information regarding cli tools to do that?
>
> Thanks Again,
>
> Stu
Hi
If you want to do it manually e.g. to add a domain user called steve2:

samba-tool user add steve2
(enter the passwords)

then edit the record:
ldbedit --url=/usr/local/samba/private/sam.ldb cn=steve2

You can use any editor:

ldbedit -e gedit --url=/usr/local/samba/private/sam.ldb cn=steve2

Here is a fully loaded domain user with the rfc2307 objects and
attributes added; you need to forget about idmap altogether :) With this
lot, he's good for both Linux and Windows clients.

# editing 1 records
# record 1
dn: CN=steve2,CN=Users,DC=hh3,DC=site
cn: steve2
instanceType: 4
whenCreated: 20130412075527.0Z
uSNCreated: 3737
name: steve2
objectGUID: 1fb4f5fe-11db-47da-a3d7-962717a81881
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid: S-1-5-21-1555648365-2472922434-3126067274-1106
logonCount: 0
sAMAccountName: steve2
sAMAccountType: 805306368
userPrincipalName: ste...@hh3.site
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=hh3,DC=site
pwdLastSet: 130102269270000000
userAccountControl: 66048
accountExpires: 0
uidNumber: 3000034
gidNumber: 20513
unixHomeDirectory: /home/users/steve2
loginShell: /bin/bash
objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: user
profilePath: \\hh16\profiles\steve2
homeDrive: Z:
homeDirectory: \\hh16\users\steve2
whenChanged: 20130412075530.0Z
uSNChanged: 3743
distinguishedName: CN=steve2,CN=Users,DC=hh3,DC=site

Note: you'll soon get bored adding all the extra stuff but it's easy to
write a script to automate it.

You need to tell Samba to use AD in the [global] section of smb.conf:
idmap_ldb:use rfc2307 = Yes

As a matter of interest, how do you plan on pulling the id info from the
database?
hth
Steve

Stuart Sheldon

Apr 13, 2013, 1:30:02 PM

Thanks Steve!

This is exactly what I'm looking for. As for my plan on pulling in the
user base? I'm not sure yet... I'm thinking of re-creating the Windows
users via samba-tool, now that I have a better grip on how the posix
entries work, maybe I'll try using ldapmodify to add the posix stuff.
I'll keep the list informed as I progress.

Thanks Again to all that work on this project, and all that help the
lowly users...

Stu

Andrew Bartlett

Apr 13, 2013, 8:30:02 PM
On Sat, 2013-04-13 at 09:06 -0700, Stuart Sheldon wrote:
> Thanks for the response Andrew,
>
> Using ad for my idmap sounds like what I'm looking for. I'm having
> problems finding how I add the map ids to the AD manually for new users.
> Could you direct me to some information regarding cli tools to do that?

Just set the uidNumber and gidNumber values on the ldap record. Any
ldap client should be able to do that.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
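Steve's note that adding the extra attributes is easy to script, and Andrew's reply that any LDAP client can set uidNumber and gidNumber, as an added example that is not code from the thread or from the Samba project: a POSIX sh function that emits the LDIF for an existing AD user (base DN, sam.ldb path, attribute names and defaults are taken from Steve's dump; SAMBA_BASE_DN and SAM_LDB are assumed variable names, and the below-1000 check is an added sanity check), plus a wrapper that applies it with ldbmodify on the DC.

```shell
#!/bin/sh
# Added example (not from the thread): emit an LDIF that adds the rfc2307
# attributes shown in Steve's dump to an existing AD user, then apply it
# with ldbmodify. Base DN, sam.ldb path and home prefix default to the
# values in the thread; SAMBA_BASE_DN and SAM_LDB are assumed variable names.

is_num() { case $1 in ''|*[!0-9]*) return 1 ;; esac; }

# rfc2307_ldif USER UIDNUMBER GIDNUMBER [UNIXHOME] [SHELL]  -> LDIF on stdout
# uid/gid are passed in explicitly so every host sees the same mapping,
# instead of letting each DC allocate its own value in idmap.ldb.
rfc2307_ldif() {
  user=$1 uidn=$2 gidn=$3
  unixhome=${4:-/home/users/$user}
  lshell=${5:-/bin/bash}
  base=${SAMBA_BASE_DN:-DC=hh3,DC=site}
  is_num "$uidn" && is_num "$gidn" ||
    { echo "uidNumber/gidNumber must be numeric" >&2; return 1; }
  # refuse the reserved system range so a typo cannot map an AD user
  # onto root or a local daemon account (added sanity check)
  if [ "$uidn" -lt 1000 ] || [ "$gidn" -lt 1000 ]; then
    echo "refusing uidNumber/gidNumber below 1000" >&2; return 1
  fi
  printf '%s\n' \
    "dn: CN=$user,CN=Users,$base" \
    "changetype: modify" \
    "add: objectClass" "objectClass: posixAccount" "-" \
    "add: uidNumber" "uidNumber: $uidn" "-" \
    "add: gidNumber" "gidNumber: $gidn" "-" \
    "add: unixHomeDirectory" "unixHomeDirectory: $unixhome" "-" \
    "add: loginShell" "loginShell: $lshell"
}

# apply_rfc2307 USER UIDNUMBER GIDNUMBER [UNIXHOME] [SHELL]
# Writes the LDIF to a temp file and feeds it to ldbmodify against sam.ldb
# (run on the DC as root, like the ldbedit command in Steve's post).
apply_rfc2307() {
  tmp=$(mktemp) || return 1
  if rfc2307_ldif "$@" >"$tmp"; then
    ldbmodify --url="${SAM_LDB:-/usr/local/samba/private/sam.ldb}" "$tmp"
    rc=$?
  else
    rc=1
  fi
  rm -f "$tmp"
  return $rc
}

# e.g.  apply_rfc2307 steve2 3000034 20513
```

Feed the uid/gid values from one source of record on every host; as Andrew notes, values left unset in the directory are allocated per DC in idmap.ldb and can differ between machines.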

