Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
[Samba] NIS to SAMBA4 Migration
91 views
Skip to first unread message
Steve van Maanen
Nov 23, 2012, 10:38:47 AM11/23/12
to
Hello everyone,
I am trying to figure out a way to migrate NIS maps to SAMBA4 (I want to replace NIS with SAMAB4 for a Linux domain. I have researched a fair bit on the web but have not found out any solutions and was hoping I could find some help here. What I have found so far pertains to Windows implementations of Active Directory.
Here are my questions.
1) Is it possible with a default install of SAMBA4 or do I need to extend the schema?
2) I notice there is a Unix attributes tab for users, when using Active Directory users and groups to administer the Samba4 AD, but I am unable to change the properties. Is there any way I can enable this?
3) Has anyone done this and if so, can you offer me some pointers?
Many thanks!
Steve
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
I am trying to figure out a way to migrate NIS maps to SAMBA4 (I want to replace NIS with SAMAB4 for a Linux domain. I have researched a fair bit on the web but have not found out any solutions and was hoping I could find some help here. What I have found so far pertains to Windows implementations of Active Directory.
Here are my questions.
1) Is it possible with a default install of SAMBA4 or do I need to extend the schema?
2) I notice there is a Unix attributes tab for users, when using Active Directory users and groups to administer the Samba4 AD, but I am unable to change the properties. Is there any way I can enable this?
3) Has anyone done this and if so, can you offer me some pointers?
Many thanks!
Steve
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Thomas Simmons
Nov 23, 2012, 11:52:41 AM11/23/12
to
Hello Steve,
The only way I have found to enable those options is to provision with
"--use-rfc2307". We are performing an upgrade from Samba3 and I noticed
that the options were not grayed out after performing a classicupgrade, but
were grayed out after a "clean" provision. I finally figured out that the
classicupgrade always uses the "--use-rfc2307" flag. This flag will add the
option "idmap_ldb:use rfc2307 = yes" to your smb.conf, however, it has been
my experience that adding that to smb.conf post-provision does not enable
the UNIX Attributes options, so the provision option must do something
else. I would like to know if there is a way to enable this after the fact,
but I've not come up with anything yet. I need to complete further testing
on the actual authentication of Linux clients, Apache, RADIUS and OpenVPN,
but have run into a show-stopper with DNS replication and have moved all my
efforts to this for the time being. I was able to get Linux clients
authenticating via winbind, but this was before I found out about the
"--use-rfc2307" option and winbind was using auto-generated UIDs and GIDs.
Any notes you come up with would be greatly appreciated. Thanks, Thomas.
The only way I have found to enable those options is to provision with
"--use-rfc2307". We are performing an upgrade from Samba3 and I noticed
that the options were not grayed out after performing a classicupgrade, but
were grayed out after a "clean" provision. I finally figured out that the
classicupgrade always uses the "--use-rfc2307" flag. This flag will add the
option "idmap_ldb:use rfc2307 = yes" to your smb.conf, however, it has been
my experience that adding that to smb.conf post-provision does not enable
the UNIX Attributes options, so the provision option must do something
else. I would like to know if there is a way to enable this after the fact,
but I've not come up with anything yet. I need to complete further testing
on the actual authentication of Linux clients, Apache, RADIUS and OpenVPN,
but have run into a show-stopper with DNS replication and have moved all my
efforts to this for the time being. I was able to get Linux clients
authenticating via winbind, but this was before I found out about the
"--use-rfc2307" option and winbind was using auto-generated UIDs and GIDs.
Any notes you come up with would be greatly appreciated. Thanks, Thomas.
Bernd Markgraf
Nov 23, 2012, 12:39:55 PM11/23/12
to
Hi,
http://phaedrus77.blogspot.de/2010/04/samba4-ad-domain-controller-to-serve.html has pretty detailed info on setting up S4 to serve posix user infomation as per rfc2307. back when I installed it I had to extend the schema maually to include rfc2307 attributes.
as for user management I largely use some scripts to generate ldifs to
set the needed attributes. never really used the windows tools.
though I think the according fields in the windows gui allowed the
attrbutes to be changed.
bernd
http://phaedrus77.blogspot.de/2010/04/samba4-ad-domain-controller-to-serve.html has pretty detailed info on setting up S4 to serve posix user infomation as per rfc2307. back when I installed it I had to extend the schema maually to include rfc2307 attributes.
as for user management I largely use some scripts to generate ldifs to
set the needed attributes. never really used the windows tools.
though I think the according fields in the windows gui allowed the
attrbutes to be changed.
bernd
Gémes Géza
Nov 24, 2012, 1:01:22 AM11/24/12
to
Hi,
thus allows you to set that attributes via ADUC.
To do the same after provision you would need to import the schema after
provision. The skeleton of it is in
/usr/local/samba/share/setup/ypServ30.ldif
on a default install.
Regards
Geza Gemes
> Hello Steve,
>
> The only way I have found to enable those options is to provision with
> "--use-rfc2307". We are performing an upgrade from Samba3 and I noticed
> that the options were not grayed out after performing a classicupgrade, but
> were grayed out after a "clean" provision. I finally figured out that the
> classicupgrade always uses the "--use-rfc2307" flag. This flag will add the
> option "idmap_ldb:use rfc2307 = yes" to your smb.conf, however, it has been
> my experience that adding that to smb.conf post-provision does not enable
> the UNIX Attributes options, so the provision option must do something
> else. I would like to know if there is a way to enable this after the fact,
> but I've not come up with anything yet. I need to complete further testing
> on the actual authentication of Linux clients, Apache, RADIUS and OpenVPN,
> but have run into a show-stopper with DNS replication and have moved all my
> efforts to this for the time being. I was able to get Linux clients
> authenticating via winbind, but this was before I found out about the
> "--use-rfc2307" option and winbind was using auto-generated UIDs and GIDs.
> Any notes you come up with would be greatly appreciated. Thanks, Thomas.
>
Provisioning with --use-rfc2307 also loads the "NIS" schema into AD and
>
> The only way I have found to enable those options is to provision with
> "--use-rfc2307". We are performing an upgrade from Samba3 and I noticed
> that the options were not grayed out after performing a classicupgrade, but
> were grayed out after a "clean" provision. I finally figured out that the
> classicupgrade always uses the "--use-rfc2307" flag. This flag will add the
> option "idmap_ldb:use rfc2307 = yes" to your smb.conf, however, it has been
> my experience that adding that to smb.conf post-provision does not enable
> the UNIX Attributes options, so the provision option must do something
> else. I would like to know if there is a way to enable this after the fact,
> but I've not come up with anything yet. I need to complete further testing
> on the actual authentication of Linux clients, Apache, RADIUS and OpenVPN,
> but have run into a show-stopper with DNS replication and have moved all my
> efforts to this for the time being. I was able to get Linux clients
> authenticating via winbind, but this was before I found out about the
> "--use-rfc2307" option and winbind was using auto-generated UIDs and GIDs.
> Any notes you come up with would be greatly appreciated. Thanks, Thomas.
>
thus allows you to set that attributes via ADUC.
To do the same after provision you would need to import the schema after
provision. The skeleton of it is in
/usr/local/samba/share/setup/ypServ30.ldif
on a default install.
Regards
Geza Gemes
> On Fri, Nov 23, 2012 at 10:38 AM, Steve van Maanen <st...@starsphere.jp>wrote:
>
>> Hello everyone,
>>
>> I am trying to figure out a way to migrate NIS maps to SAMBA4 (I want to
>> replace NIS with SAMAB4 for a Linux domain. I have researched a fair bit on
>> the web but have not found out any solutions and was hoping I could find
>> some help here. What I have found so far pertains to Windows
>> implementations of Active Directory.
>>
>> Here are my questions.
>>
>> 1) Is it possible with a default install of SAMBA4 or do I need to extend
>> the schema?
>> 2) I notice there is a Unix attributes tab for users, when using Active
>> Directory users and groups to administer the Samba4 AD, but I am unable to
>> change the properties. Is there any way I can enable this?
>> 3) Has anyone done this and if so, can you offer me some pointers?
>>
>> Many thanks!
>>
>> Steve
>
>> Hello everyone,
>>
>> I am trying to figure out a way to migrate NIS maps to SAMBA4 (I want to
>> replace NIS with SAMAB4 for a Linux domain. I have researched a fair bit on
>> the web but have not found out any solutions and was hoping I could find
>> some help here. What I have found so far pertains to Windows
>> implementations of Active Directory.
>>
>> Here are my questions.
>>
>> 1) Is it possible with a default install of SAMBA4 or do I need to extend
>> the schema?
>> 2) I notice there is a Unix attributes tab for users, when using Active
>> Directory users and groups to administer the Samba4 AD, but I am unable to
>> change the properties. Is there any way I can enable this?
>> 3) Has anyone done this and if so, can you offer me some pointers?
>>
>> Many thanks!
>>
>> Steve
Murray Fraser
Nov 24, 2012, 5:55:15 AM11/24/12
to
I am also struggling to find up to date information on using Samba 4 with
linux clients. I have managed to get the RFC 2307 fields by installing the
'NIS tools' feature on a W2k8 DC, and creating a 'NIS domain'. Previously I
could see the fields, but could not select a NIS domain in the ADUC tool to
make the RFC 2307 fields enabled.
I'm also trying to find out the correct way to add the autohome nis map. I
have tried:
ldbmodify -H /usr/local/samba/private/sam.ldb automount_template.ldif
--option="dsdb:schema update allowed"=true
But this seemed to fail. I have thought I might need to use the Microsoft
schema management tool to add the automount schema.
> provision. The skeleton of it is in /usr/local/samba/share/setup/**
>>> instructions: https://lists.samba.org/**mailman/options/samba<https://lists.samba.org/mailman/options/samba>
linux clients. I have managed to get the RFC 2307 fields by installing the
'NIS tools' feature on a W2k8 DC, and creating a 'NIS domain'. Previously I
could see the fields, but could not select a NIS domain in the ADUC tool to
make the RFC 2307 fields enabled.
I'm also trying to find out the correct way to add the autohome nis map. I
have tried:
ldbmodify -H /usr/local/samba/private/sam.ldb automount_template.ldif
--option="dsdb:schema update allowed"=true
But this seemed to fail. I have thought I might need to use the Microsoft
schema management tool to add the automount schema.
>>>
>>>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/**mailman/options/samba<https://lists.samba.org/mailman/options/samba>
>>>
> --
> To unsubscribe from this list go to the following URL and read the
Gémes Géza
Nov 25, 2012, 2:10:34 AM11/25/12
to
Hi,
using winbind (in nsswitch and pam) and kerberos (pam-krb5)
the relevant changes (to the default config are):
/etc/krb5.conf
proxiable = false
/etc/samba/smb.conf
workgroup = YOUR_WORKGROUP
realm = YOUR_REALM
kerberos method = system keytab
security = ads
winbind enum groups = yes
winbind enum users = yes
idmap config *:backend = tdb
idmap config *:range = 2000001-3000000
idmap config YOUR_WORKGROUP:default = yes
idmap config YOUR_WORKGROUP:backend = ad
idmap config YOUR_WORKGROUP:range = 0-2000000
idmap config YOUR_WORKGROUP:schema_mode = rfc2307
winbind nss info = rfc2307
winbind expand groups = 2
winbind nested groups = yes
winbind use default domain = yes
/etc/nsswitch.conf
passwd: files winbind
group: files winbind
pam-auth-update took care of pam configuration (I had to do only afs
homedirs related changes, irrelevant if you don't use afs)
winbind pulls correctly all the information for the users and group
which have been posixified.
However with the same config on debian squeeze or wheezy I receive only
a part of the group memberships, and other nastiness (e.g. getent group
and id for a group member give different results)
would suggest to use ldbmodify -H ldap://your-ad.server ....
Geza Gemes
> I am also struggling to find up to date information on using Samba 4 with
> linux clients. I have managed to get the RFC 2307 fields by installing the
> 'NIS tools' feature on a W2k8 DC, and creating a 'NIS domain'. Previously I
> could see the fields, but could not select a NIS domain in the ADUC tool to
> make the RFC 2307 fields enabled.
I was successful in using Samba4 AD with Ubuntu 12.04 (precise) clients
> linux clients. I have managed to get the RFC 2307 fields by installing the
> 'NIS tools' feature on a W2k8 DC, and creating a 'NIS domain'. Previously I
> could see the fields, but could not select a NIS domain in the ADUC tool to
> make the RFC 2307 fields enabled.
using winbind (in nsswitch and pam) and kerberos (pam-krb5)
the relevant changes (to the default config are):
/etc/krb5.conf
proxiable = false
/etc/samba/smb.conf
workgroup = YOUR_WORKGROUP
realm = YOUR_REALM
kerberos method = system keytab
security = ads
winbind enum groups = yes
winbind enum users = yes
idmap config *:backend = tdb
idmap config *:range = 2000001-3000000
idmap config YOUR_WORKGROUP:default = yes
idmap config YOUR_WORKGROUP:backend = ad
idmap config YOUR_WORKGROUP:range = 0-2000000
idmap config YOUR_WORKGROUP:schema_mode = rfc2307
winbind nss info = rfc2307
winbind expand groups = 2
winbind nested groups = yes
winbind use default domain = yes
/etc/nsswitch.conf
passwd: files winbind
group: files winbind
pam-auth-update took care of pam configuration (I had to do only afs
homedirs related changes, irrelevant if you don't use afs)
winbind pulls correctly all the information for the users and group
which have been posixified.
However with the same config on debian squeeze or wheezy I receive only
a part of the group memberships, and other nastiness (e.g. getent group
and id for a group member give different results)
> I'm also trying to find out the correct way to add the autohome nis map. I
> have tried:
>
> ldbmodify -H /usr/local/samba/private/sam.ldb automount_template.ldif
You shouldn't modify the sam.ldb directly while samba is running instead
> have tried:
>
> ldbmodify -H /usr/local/samba/private/sam.ldb automount_template.ldif
would suggest to use ldbmodify -H ldap://your-ad.server ....
> --option="dsdb:schema update allowed"=true
>
> But this seemed to fail. I have thought I might need to use the Microsoft
> schema management tool to add the automount schema.
>
Regards
>
> But this seemed to fail. I have thought I might need to use the Microsoft
> schema management tool to add the automount schema.
>
Geza Gemes
0 new messages