Setting up RFC2307 in AD: Difference between revisions
Older revision by Mmuehlfeld: "Removed some content on the "Using RFC2307" page, that was placed on separate pages"
Newer revision by Mmuehlfeld (minor edit): "Fix link"
Revision as of 20:56, 25 August 2015
Server information used in this HowTo
Inside this HowTo, we will be using the following configuration/settings:
- Netbios Name: DC1
- LDAP Domain DN: DC=samdom,DC=example,DC=com
- DC Name: DC1.samdom.example.com
- Netbios/NIS Domain: samdom
- Installation Directory: /usr/local/samba/
Check if RFC2307 is used by your Domain Controllers
Check that smb.conf on every one of your Domain Controllers contains the following parameter in the "[global]" section:
idmap_ldb:use rfc2307 = yes
Check if NIS Extensions are installed in your Directory
Check if the "ypServ30" container exists in your directory:
# ldbsearch -H /usr/local/samba/private/sam.ldb -s base -b CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com
Configuring RFC2307 and NIS Extensions in a Samba AD
During provisioning your first Domain Controller
- Provision your domain with the "--use-rfc2307" parameter:
# samba-tool domain provision --use-rfc2307 .....
- This automatically enables RFC2307 and installs the NIS Extensions.
On additional joined Domain Controllers
This requires that your existing Domain Controllers already use RFC2307!
- Add the following to the "[global]" section of your smb.conf after you've joined the domain as a Domain Controller:
idmap_ldb:use rfc2307 = yes
- Restart Samba
As mentioned in Advantages, login shell and homedir are not fetched even if rfc2307 is used. You may customize these by using the template shell and template login configuration options in smb.conf. Beware that before samba 4.2, you have to use %ACCOUNTNAME% and %WORKGROUP% instead of %U and %D placeholders.
Extending the Schema for NIS Extensions
This procedure extends your directory schema. This will affect your complete Active Directory Forest! Make sure that you have a restorable backup of your AD in case anything fails or breaks your installation!
- If you have multiple Domain Controllers, locate the one owning the "Schema Master" role in your forest:
# samba-tool fsmo show | grep SchemaMasterRole
SchemaMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
- This indicates that "DC1" currently holds the Schema Master role in your forest. Continue with the next steps on this host.
- Shut down Samba.
- Create a copy of "ypServ30.ldif":
# cp /usr/local/samba/share/setup/ypServ30.ldif /tmp/
- Replace the variables in the LDIF file (adapt the values to your environment!):
# sed -i -e 's/${DOMAINDN}/DC=samdom,DC=example,DC=com/g' \
    -e 's/${NETBIOSNAME}/DC1/g' \
    -e 's/${NISDOMAIN}/samdom/g' \
    /tmp/ypServ30.ldif
- Import the schema:
# ldbmodify -H /usr/local/samba/private/sam.ldb /tmp/ypServ30.ldif --option="dsdb:schema update allowed"=true
Modified 55 records successfully
- Start Samba.
- The directory replication pushes the new schema automatically to all Domain Controllers inside your forest.
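The Schema Master lookup and the sed substitution above are the two steps where a wrong value ends up replicated to every Domain Controller in the forest. As an added example (not part of this how-to and not Samba's own code), the following Python fills the three ypServ30.ldif placeholders, rejects values that do not look like a domain DN or a NetBIOS/NIS name, refuses any output that still contains a ${...} token, and extracts the Schema Master's name from "samba-tool fsmo show" output; the template and the fsmo line embedded below are constructed stand-ins, and the function names are assumptions of this example.

```python
import re

# Placeholder syntax used in ypServ30.ldif; the how-to fills the three names below with sed.
_PLACEHOLDER_RE = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")
_DOMAINDN_RE = re.compile(r"^DC=[A-Za-z0-9-]+(,DC=[A-Za-z0-9-]+)*$")
_NAME_RE = re.compile(r"^[A-Za-z0-9-]{1,15}$")  # conservative NetBIOS/NIS name check (assumed)

def render_ldif(template: str, domaindn: str, netbiosname: str, nisdomain: str) -> str:
    """Fill DOMAINDN, NETBIOSNAME and NISDOMAIN, then refuse any output that still
    carries a ${...} token, so a typo cannot be imported into the forest schema."""
    if not _DOMAINDN_RE.match(domaindn):
        raise ValueError(f"DOMAINDN is not a DC=...,DC=... DN: {domaindn!r}")
    for label, value in (("NETBIOSNAME", netbiosname), ("NISDOMAIN", nisdomain)):
        if not _NAME_RE.match(value):
            raise ValueError(f"{label} contains unexpected characters: {value!r}")
    values = {"DOMAINDN": domaindn, "NETBIOSNAME": netbiosname, "NISDOMAIN": nisdomain}
    # Unknown placeholders are left untouched so the check below can report them.
    rendered = _PLACEHOLDER_RE.sub(lambda m: values.get(m.group(1), m.group(0)), template)
    leftover = sorted(set(_PLACEHOLDER_RE.findall(rendered)))
    if leftover:
        raise ValueError(f"unreplaced placeholders: {leftover}")
    return rendered

def schema_master_from_fsmo(fsmo_output: str):
    """Return the NetBIOS name of the Schema Master from 'samba-tool fsmo show' output
    (the DC whose NTDS Settings object owns SchemaMasterRole), or None if not found."""
    for line in fsmo_output.splitlines():
        if line.startswith("SchemaMasterRole owner:"):
            m = re.search(r"CN=NTDS Settings,CN=([^,]+),CN=Servers,", line)
            return m.group(1) if m else None
    return None

# Constructed stand-in for ypServ30.ldif using the same placeholders (not the real file).
SAMPLE_TEMPLATE = """dn: CN=ypServ30,CN=RpcServices,CN=System,${DOMAINDN}
changetype: add
objectClass: container

dn: CN=${NISDOMAIN},CN=ypServ30,CN=RpcServices,CN=System,${DOMAINDN}
changetype: add
objectClass: container
description: NIS domain served by ${NETBIOSNAME}
"""

# Constructed 'samba-tool fsmo show' line in the shape the how-to shows.
SAMPLE_FSMO = ("SchemaMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,"
               "CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com\n")

if __name__ == "__main__":
    print("schema master:", schema_master_from_fsmo(SAMPLE_FSMO))
    print(render_ldif(SAMPLE_TEMPLATE, "DC=samdom,DC=example,DC=com", "DC1", "samdom"))
```

Compare the returned Schema Master name with the local NetBIOS name before running ldbmodify, and only write the rendered text to /tmp/ypServ30.ldif when render_ldif returns without raising.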