Idmap config ad: Difference between revisions
Earlier revision: m (update link)
Later revision: Mmuehlfeld (talk | contribs) (Added information about using gidNumber instead of primaryGroupID as primary group for mapped accounts (4.6 and later only). Moved "important" box from "Prerequisites" section to the procedure explaining the feature.)
Revision as of 14:02, 26 February 2017
Introduction
The ad ID mapping back end implements a read-only API to read account and group information from Active Directory (AD). The back end is based on RFC 2307. For further details, see https://www.rfc-editor.org/rfc/rfc2307.txt.
For alternatives, see Identity Mapping Back Ends.
ID mapping back ends are not supported in the smb.conf file on a Samba Active Directory (AD) domain controller (DC). For details, see Failure To Access Shares on Domain Controllers If idmap config Parameters Set in the smb.conf File.
Advantages and Disadvantages of the ad Back End
Advantages:
- Central administration of IDs inside Active Directory (AD).
- Consistent IDs on all Samba clients and servers using the ad back end.
- The required attributes only need to be created once; this can be done when the user or group is created.
- IDs are not stored in a local database that can corrupt, and thus file ownerships are not lost.
Disadvantages:
- If the Windows Active Directory Users and Computers (ADUC) program is not used, you have to manually track ID values to avoid duplicates.
- The values for the RFC2307 attributes must be set manually.
Winbind NSS info mode-specific features:
- rfc2307: Individual login shells and home directory paths for users.
- template: The login shells and home directory base paths are the same for all users.
Planning the ID Ranges
Before configuring the ad back end in the smb.conf file, you must select unique ID ranges for each domain. The ranges must be continuous and big enough to enable Samba to assign an ID for every future user and group created in the domain.
The ID ranges of the * default domain and all other domains configured in the smb.conf file must not overlap.
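The range rules above (a mandatory * default domain, one well-formed range per domain, no overlap between domains) can be checked mechanically before Samba is reloaded. The following Python checker is an added example and is not code from the wiki page or from the Samba project; it parses only the idmap config lines of an smb.conf text. The smb.conf texts it runs on are constructed sample input, and the TRUST domain is a made-up second domain used to show an overlap.

```python
# Added example (not from the Samba wiki page): parse the "idmap config"
# lines of an smb.conf [global] section and check the range rules the page
# states: the "*" default domain must be configured, every domain needs a
# well-formed range, and no two ranges may overlap. The smb.conf texts below
# are constructed sample input; the TRUST domain is a made-up second domain.
import re
from typing import Dict, List, Tuple

IDMAP_LINE = re.compile(
    r"^idmap\s+config\s+(?P<domain>[^:\s]+)\s*:\s*(?P<option>\w+)\s*=\s*(?P<value>.+?)$",
    re.IGNORECASE,
)


def parse_idmap_config(smb_conf: str) -> Dict[str, Dict[str, str]]:
    """Collect 'idmap config DOMAIN:option = value' lines, keyed by domain."""
    domains: Dict[str, Dict[str, str]] = {}
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # skip blanks and comments
            continue
        m = IDMAP_LINE.match(line)
        if m:
            opts = domains.setdefault(m["domain"].upper(), {})
            opts[m["option"].lower()] = m["value"].strip()
    return domains


def parse_range(value: str) -> Tuple[int, int]:
    """'10000-999999' -> (10000, 999999); raises ValueError if malformed."""
    low, high = value.split("-", 1)
    return int(low), int(high)


def check_ranges(domains: Dict[str, Dict[str, str]]) -> List[str]:
    """Return human-readable problems; an empty list means the ranges are sane."""
    problems: List[str] = []
    if "*" not in domains:
        problems.append("no idmap config for the * default domain (mandatory)")
    ranges: List[Tuple[int, int, str]] = []
    for name, opts in domains.items():
        if "range" not in opts:
            problems.append(f"{name}: no range configured")
            continue
        try:
            low, high = parse_range(opts["range"])
        except ValueError:
            problems.append(f"{name}: malformed range {opts['range']!r}")
            continue
        if low < 0 or low > high:
            problems.append(f"{name}: invalid range {low}-{high}")
            continue
        ranges.append((low, high, name))
    # Sort by lower bound; a neighbour that starts at or below the previous
    # upper bound overlaps it, so two domains could claim the same Unix ID.
    ranges.sort()
    for (alow, ahigh, aname), (blow, bhigh, bname) in zip(ranges, ranges[1:]):
        if blow <= ahigh:
            problems.append(f"{aname} ({alow}-{ahigh}) overlaps {bname} ({blow}-{bhigh})")
    return problems


# Constructed sample: the default tdb domain plus the SAMDOM domain from the page.
GOOD_CONF = """
[global]
   workgroup = SAMDOM
   security = ADS
   # Default idmap config for local BUILTIN accounts and groups
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   # idmap config for the SAMDOM domain
   idmap config SAMDOM:backend = ad
   idmap config SAMDOM:schema_mode = rfc2307
   idmap config SAMDOM:range = 10000-999999
   winbind nss info = rfc2307
"""

# Constructed sample: a made-up second domain whose range overlaps SAMDOM's.
BAD_CONF = GOOD_CONF + """
   idmap config TRUST:backend = ad
   idmap config TRUST:schema_mode = rfc2307
   idmap config TRUST:range = 500000-1500000
"""

if __name__ == "__main__":
    for label, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(label, check_ranges(parse_idmap_config(conf)) or ["ok"])
```

Run it against the real smb.conf by reading the file into parse_idmap_config; the checker only looks at idmap config lines, so other [global] settings are ignored. It reports the overlap as "SAMDOM (10000-999999) overlaps TRUST (500000-1500000)" for the bad sample and nothing for the good one.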
Prerequisites
To enable Samba to retrieve user and group information from Active Directory (AD):
- Users must have at least the uidNumber and groups the gidNumber attribute set. When using the rfc2307 winbind NSS info mode, user accounts must also have the loginShell, unixHomeDirectory and primaryGroupID attributes set.
- The user and group IDs must be within the range configured in the smb.conf for this domain.
- If the Active Directory Users and Groups (ADUC) utility is used to assign the UNIX attributes, the NIS extensions have to be installed. For details, see Setting up RFC2307 in AD.
- User IDs must be unique for all users and group IDs for all groups. Duplicate IDs or reusing IDs of previously deleted accounts enable the new user or group to access files created by the previous ID owner. When using the ADUC utility, the IDs are automatically tracked inside AD and incremented when creating a new user or group.
The RFC2307 and template winbind NSS info Mode Options
The ad ID mapping back end supports two modes, set in the winbind nss info parameter in the [global] section of the smb.conf file:
winbind nss info = rfc2307: All information is read from Active Directory (AD):
- Users: Account name, UID, login shell, home directory path, and primary group.
- Groups: Group name and GID.
winbind nss info = template: Only the following values are read from AD:
- Users: Account name, UID, and primary group.
- The login shell and home directory are automatically set by user-independent settings in the smb.conf file.
- Groups: Group name and GID.
Configuring the ad Back End
- Set the following in the [global] section of your smb.conf file:
  - If no back end for local BUILTIN accounts and groups on the domain member is configured, add the tdb back end for the * default domain and set an ID range. For example:
    # Default idmap config for local BUILTIN accounts and groups
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    Setting the default back end is mandatory.
  - To configure the ad back end using the 10000-999999 ID range for the SAMDOM domain:
    # idmap config for the SAMDOM domain
    idmap config SAMDOM:backend = ad
    idmap config SAMDOM:schema_mode = rfc2307
    idmap config SAMDOM:range = 10000-999999
    You must set these parameters for each and every domain, except the * default domain. The ID ranges of the * default domain and all other domains configured in the smb.conf file must not overlap.
- Configure the Winbind NSS info mode:
  - To enable the template mode and set, for example, /bin/bash as shell and /home/%U as home directory path:
    # Template settings for login shell and home directory
    winbind nss info = template
    template shell = /bin/bash
    template homedir = /home/%U
    The values will be applied to all users in all domains that have the schema_mode = template parameter set. Samba resolves the %U variable to the session user name. For details, see the VARIABLE SUBSTITUTIONS section in the smb.conf(5) man page.
  - To enable the rfc2307 mode, set:
    winbind nss info = rfc2307
  - Using the defaults, Samba sets the Windows primary group as primary group for mapped domain user entries on Unix. The Windows primary group is retrieved from the primaryGroupID attribute of each user entry and is usually set to the Domain Users group SID. If you are running Samba 4.6 or later, you can optionally configure Samba to use the primary group set in the gidNumber attribute of the user entry instead. For example, when using the Active Directory Users and Computers application, this attribute is displayed in the UNIX Attributes tab.
  - To use the group ID set in the gidNumber attribute as primary group for each user instead of the Windows primary group set in primaryGroupID, enable the following parameter in the [global] section in your smb.conf file:
    idmap config SAMDOM:unix_primary_group = yes
    Regardless of this setting, all groups that are used as primary groups must have the gidNumber attribute set. For example, if you only use the Domain Users group as primary group for all accounts, then only the Domain Users group must have a group ID set in the gidNumber attribute. Winbind is unable to map accounts that use primary groups not having the gidNumber attribute set.
- Reload Samba:
  # smbcontrol all reload-config
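The prerequisites listed earlier (required RFC2307 attributes per winbind NSS info mode, IDs inside the configured range, no duplicate IDs) and the primary-group rule just above (every group used as a primary group needs gidNumber, whether the primary group comes from primaryGroupID or, with unix_primary_group = yes, from the user's gidNumber) can be checked against directory entries before accounts are expected to map. The Python script below is an added example, not code from the wiki page or from the Samba project. It works on plain dicts standing in for LDAP entries; the domain SID, account names and ID values are constructed sample data, and the ID range is the SAMDOM range used on this page.

```python
# Added example (not from the Samba wiki page): validate constructed AD user
# and group entries against the prerequisites the page lists for the ad back
# end, and resolve each user's primary group the way the page describes, both
# with the default (primaryGroupID) and with "unix_primary_group = yes"
# (gidNumber). The domain SID, names and IDs below are constructed sample
# data; the entry dicts stand in for what an LDAP search would return.
from typing import Dict, List, Optional, Tuple

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed
ID_RANGE = (10000, 999999)   # the SAMDOM range used on the page

# Attributes required on user entries per "winbind nss info" mode (page prerequisites).
USER_REQUIRED = {
    "template": ("uidNumber",),
    "rfc2307": ("uidNumber", "loginShell", "unixHomeDirectory", "primaryGroupID"),
}


def resolve_primary_group(user: dict, groups: Dict[str, dict], unix_primary_group: bool) -> Optional[str]:
    """Name of the user's primary group, or None if it cannot be resolved.

    Default: the group whose objectSid is <domain SID>-<primaryGroupID>.
    unix_primary_group = yes: the group whose gidNumber equals the user's gidNumber.
    """
    if unix_primary_group:
        gid = user.get("gidNumber")
        if gid is None:
            return None
        return next((n for n, g in groups.items() if g.get("gidNumber") == gid), None)
    rid = user.get("primaryGroupID")
    if rid is None:
        return None
    sid = f"{DOMAIN_SID}-{rid}"
    return next((n for n, g in groups.items() if g.get("objectSid") == sid), None)


def template_nss_values(username: str, shell: str = "/bin/bash", homedir: str = "/home/%U") -> Tuple[str, str]:
    """template mode: shell and home come from smb.conf; %U is the session user name."""
    return shell, homedir.replace("%U", username)


def check_entries(users: Dict[str, dict], groups: Dict[str, dict], nss_info: str = "rfc2307",
                  unix_primary_group: bool = False, id_range: Tuple[int, int] = ID_RANGE) -> List[str]:
    """Return human-readable problems; an empty list means every entry can be mapped."""
    problems: List[str] = []
    low, high = id_range
    seen_uids: Dict[int, List[str]] = {}
    seen_gids: Dict[int, List[str]] = {}

    for name, g in groups.items():
        gid = g.get("gidNumber")
        if gid is None:
            continue   # only a problem if the group is used as a primary group (checked below)
        if not low <= gid <= high:
            problems.append(f"group {name}: gidNumber {gid} outside range {low}-{high}")
        seen_gids.setdefault(gid, []).append(name)

    for name, u in users.items():
        for attr in USER_REQUIRED[nss_info]:
            if attr not in u:
                problems.append(f"user {name}: missing {attr}")
        uid = u.get("uidNumber")
        if uid is not None:
            if not low <= uid <= high:
                problems.append(f"user {name}: uidNumber {uid} outside range {low}-{high}")
            seen_uids.setdefault(uid, []).append(name)
        pg = resolve_primary_group(u, groups, unix_primary_group)
        if pg is None:
            problems.append(f"user {name}: primary group cannot be resolved")
        elif groups[pg].get("gidNumber") is None:
            problems.append(f"user {name}: primary group {pg} has no gidNumber")

    # A duplicate ID lets the new account access files owned by the other holder.
    for uid, names in seen_uids.items():
        if len(names) > 1:
            problems.append(f"uidNumber {uid} shared by {', '.join(sorted(names))}")
    for gid, names in seen_gids.items():
        if len(names) > 1:
            problems.append(f"gidNumber {gid} shared by {', '.join(sorted(names))}")
    return problems


# Constructed sample entries. RID 513 is the well-known Domain Users RID.
GROUPS = {
    "Domain Users": {"objectSid": f"{DOMAIN_SID}-513", "gidNumber": 10000},
    "engineering": {"objectSid": f"{DOMAIN_SID}-1105", "gidNumber": 10001},
    "legacy-app": {"objectSid": f"{DOMAIN_SID}-1106"},   # no gidNumber set
}
USERS = {
    "alice": {"uidNumber": 10001, "gidNumber": 10001, "loginShell": "/bin/bash",
              "unixHomeDirectory": "/home/alice", "primaryGroupID": 513},
    "bob": {"uidNumber": 10002, "gidNumber": 10000, "loginShell": "/bin/bash",
            "unixHomeDirectory": "/home/bob", "primaryGroupID": 1106},   # primary group lacks gidNumber
    "carol": {"uidNumber": 10001, "loginShell": "/bin/sh",
              "unixHomeDirectory": "/home/carol", "primaryGroupID": 513},   # reuses alice's UID
    "dave": {"uidNumber": 5000, "primaryGroupID": 513},   # below range, no rfc2307 attributes
}

if __name__ == "__main__":
    for flag in (False, True):
        print(f"unix_primary_group = {'yes' if flag else 'no'}")
        for p in check_entries(USERS, GROUPS, unix_primary_group=flag):
            print("  ", p)
```

Running it with the defaults reports bob's primary group (legacy-app) as lacking gidNumber, dave's missing loginShell and unixHomeDirectory and out-of-range UID, and the UID shared by alice and carol. With unix_primary_group=True the bob finding disappears (his gidNumber points at Domain Users), while carol and dave now fail because they have no gidNumber to resolve a primary group from, which is exactly the shift in requirements the setting implies.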
For further details, see the smb.conf(5) and idmap_ad(5) man pages.