Idmap config ad
Introduction
The ad ID mapping back end implements a read-only API to read account and group information from Active Directory (AD). The back end is based on RFC 2307. For further details, see https://www.rfc-editor.org/rfc/rfc2307.txt.
Alternatives to the rid back end:
Advantages and Disadvantages of the ad Back End
Advantages:
- Central administration of IDs inside Active Directory (AD).
- Consistent IDs on all Samba clients and servers using the ad back end.
- Attributes need to be set only once when the user or group is created.
- IDs are not stored in a local database that can corrupt, and thus file ownerships are not lost.
Disadvantages:
- If not using the Windows Active Directory Users and Computers (ADUC) program, you have to track ID values manually to avoid duplicates.
- RFC2307 values must be set manually.
winbind NSS info mode-specific features:
- rfc2307: Individual login shells and home directory paths for users.
- template: Same login shells and home directory base paths for users.
Planning the ID Ranges
Before configuring the ad back end in the smb.conf file, select unique ID ranges Samba can use for each domain. The ranges must be continuous and big enough to enable Samba to assign an ID for every future user and group created in the domain.

Note: The ID ranges of the * default domain and all other domains configured in the smb.conf file must not overlap.
Prerequisites
To enable Samba to retrieve user and group information from Active Directory (AD):
- Users must have at least the uidNumber and groups the gidNumber attribute set. When using the rfc2307 winbind NSS info mode, user accounts must additionally have the loginShell, unixHomeDirectory and primaryGroupID attributes set.
- The user and group IDs must be within the range configured in the smb.conf file for this domain.
- If the Active Directory Users and Computers (ADUC) utility is used to assign the UNIX attributes, the NIS extensions have to be installed. For details, see Setting up RFC2307 in AD.
- User IDs must be unique for all users and group IDs for all groups. Duplicate IDs or reusing IDs of previously deleted accounts enable the new user or group to access files created by the previous ID owner. When using the ADUC utility, the IDs are automatically tracked inside AD and incremented when creating a new user or group.
- The primary user group of user accounts, which is typically the Domain Users group, must have a gidNumber attribute set. If the attribute is not set for the primary group, the users are not visible on the machine having the ad ID mapping back end configured.
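As an added example that is not part of the Samba wiki page, the following Python script checks a set of user and group entries against the prerequisites listed above: required attributes for rfc2307 mode, IDs inside the domain's configured range, duplicate IDs, and a gidNumber on every primary group. The entries and the ID range are constructed; the rid field is an assumed stand-in for the group's relative identifier, which is what a user's primaryGroupID refers to.

```python
"""Check AD user and group entries against the ad back end prerequisites:
required RFC2307 attributes, IDs inside the domain's configured range,
no duplicate IDs, and a gidNumber on every primary group."""
from typing import Dict, List

# Constructed sample entries, shaped like the attributes an LDAP search of the
# domain would return. 'rid' (assumed field) stands in for the group's relative
# identifier, which is what a user's primaryGroupID refers to.
SAMPLE_GROUPS = [
    {"name": "Domain Users", "rid": 513, "gidNumber": 10000},
    {"name": "Domain Admins", "rid": 512},                     # no gidNumber
    {"name": "engineering", "rid": 1105, "gidNumber": 10000},  # duplicates Domain Users
]
SAMPLE_USERS = [
    {"name": "alice", "uidNumber": 10001, "loginShell": "/bin/bash",
     "unixHomeDirectory": "/home/alice", "primaryGroupID": 513},
    {"name": "bob", "uidNumber": 10001, "loginShell": "/bin/bash",
     "unixHomeDirectory": "/home/bob", "primaryGroupID": 513},    # duplicate uidNumber
    {"name": "carol", "uidNumber": 5000, "loginShell": "/bin/sh",
     "unixHomeDirectory": "/home/carol", "primaryGroupID": 512},  # out of range; primary group lacks gidNumber
    {"name": "dave", "uidNumber": 10004, "primaryGroupID": 513},  # no shell/home: fails rfc2307 mode only
]

# Attributes the page requires on user accounts in rfc2307 mode (beyond uidNumber).
RFC2307_USER_ATTRS = ("loginShell", "unixHomeDirectory", "primaryGroupID")


def check_prerequisites(users, groups, id_range, nss_info="rfc2307") -> List[str]:
    """Return a list of problems; an empty list means all entries meet the prerequisites."""
    low, high = id_range
    problems: List[str] = []
    by_rid: Dict[int, dict] = {g["rid"]: g for g in groups}

    def in_range(n: int) -> bool:
        return low <= n <= high

    seen_gid: Dict[int, str] = {}
    for g in groups:
        gid = g.get("gidNumber")
        if gid is None:
            problems.append(f"group {g['name']}: gidNumber not set")
            continue
        if not in_range(gid):
            problems.append(f"group {g['name']}: gidNumber {gid} outside {low}-{high}")
        if gid in seen_gid:
            problems.append(f"group {g['name']}: gidNumber {gid} duplicates group {seen_gid[gid]}")
        seen_gid.setdefault(gid, g["name"])

    seen_uid: Dict[int, str] = {}
    for u in users:
        uid = u.get("uidNumber")
        if uid is None:
            problems.append(f"user {u['name']}: uidNumber not set")
            continue
        if not in_range(uid):
            problems.append(f"user {u['name']}: uidNumber {uid} outside {low}-{high}")
        if uid in seen_uid:
            problems.append(f"user {u['name']}: uidNumber {uid} duplicates user {seen_uid[uid]}")
        seen_uid.setdefault(uid, u["name"])
        if nss_info == "rfc2307":
            missing = [a for a in RFC2307_USER_ATTRS if a not in u]
            if missing:
                problems.append(f"user {u['name']}: missing {', '.join(missing)} (required in rfc2307 mode)")
        # A primary group without gidNumber makes the user invisible on the member.
        pg = by_rid.get(u.get("primaryGroupID"))
        if pg is not None and "gidNumber" not in pg:
            problems.append(f"user {u['name']}: primary group {pg['name']} has no gidNumber; user will not be visible")
    return problems


if __name__ == "__main__":
    for p in check_prerequisites(SAMPLE_USERS, SAMPLE_GROUPS, (10000, 999999)):
        print("PROBLEM:", p)
```

Run against the constructed data in rfc2307 mode the script reports six problems; switching nss_info to "template" drops the one about dave's missing loginShell and unixHomeDirectory, because template mode takes those values from smb.conf instead of AD.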
The rfc2307 and template winbind NSS info mode options
The ad ID mapping back end supports two modes, set in the winbind nss info parameter in the [global] section of the smb.conf file:
winbind nss info = rfc2307: All information is read from Active Directory (AD):
- Users: Account name, UID, login shell, home directory path, and primary group.
- Groups: Group name and GID.
winbind nss info = template: Only the following values are read from AD:
- Users: Account name, UID, and primary group.
- The login shell and home directory are automatically set by user-independent settings in the smb.conf file.
- Groups: Group name and GID.
Configuring the ad Back End
- Set the following in the [global] section of your smb.conf file:
  - If no back end for local BUILTIN accounts and groups on the domain member is configured, add the tdb back end for the * default domain and set an ID range. For example:
        # Default idmap config for local BUILTIN accounts and groups
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
    Setting the default back end is mandatory.
  - To configure the ad back end using the 10000-999999 ID range for the SAMDOM domain:
        # idmap config for the SAMDOM domain
        idmap config SAMDOM:backend = ad
        idmap config SAMDOM:schema_mode = rfc2307
        idmap config SAMDOM:range = 10000-999999
    For every domain, set these parameters individually. The ID ranges of the * default domain and all other domains configured in the smb.conf file must not overlap.
- Configure the Winbind NSS info mode:
  - To enable the template mode and set, for example, /bin/bash as shell and /home/%U as home directory path:
        # Template settings for login shell and home directory
        winbind nss info = template
        template shell = /bin/bash
        template homedir = /home/%U
    The values are applied to all users in all domains having the schema_mode = template parameter set. Samba resolves the %U variable to the session user name. For details, see the VARIABLE SUBSTITUTIONS section in the smb.conf(5) man page.
  - To enable the rfc2307 mode, set:
        winbind nss info = rfc2307
- Reload Samba:
        # smbcontrol all reload-config
For further details, see the smb.conf(5) and idmap_ad(5) man pages.
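The following Python script is an added example, not Samba's own code: it parses the idmap config lines of an smb.conf [global] section and reports the mistakes the procedure above warns against (no * default domain, a domain without backend or range, an unusable range, or ranges that overlap). The smb.conf fragment is constructed, with an overlapping range and a domain without a range on purpose.

```python
"""Check the idmap ranges in an smb.conf [global] section: every domain needs
a backend and a range, the '*' default domain must be configured, ranges
must be LOW-HIGH with LOW < HIGH, and no two ranges may overlap."""
import re
from typing import Dict, List, Tuple

# Matches "idmap config <domain> : <key> = <value>"; spaces around ':' are
# optional, which covers both spellings used on the page.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)

# Constructed smb.conf fragment: SAMDOM's range overlaps the default domain's
# range on purpose, and OTHERDOM has a backend but no range.
SAMPLE_SMB_CONF = """
[global]
   workgroup = SAMDOM
   security = ADS
   # Default idmap config for local BUILTIN accounts and groups
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   # idmap config for the SAMDOM domain
   idmap config SAMDOM:backend = ad
   idmap config SAMDOM:schema_mode = rfc2307
   idmap config SAMDOM:range = 7000-999999
   idmap config OTHERDOM:backend = ad
"""


def parse_idmap_config(text: str) -> Dict[str, Dict[str, str]]:
    """Collect idmap config parameters per domain from the [global] section."""
    domains: Dict[str, Dict[str, str]] = {}
    in_global = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank lines and comments
        if line.startswith("["):
            in_global = line.lower() == "[global]"
            continue
        if not in_global:
            continue
        m = IDMAP_RE.match(line)
        if m:
            domain = domains.setdefault(m.group("dom").upper(), {})
            domain[m.group("key").lower()] = m.group("val")
    return domains


def parse_range(value: str) -> Tuple[int, int]:
    """Split a 'LOW-HIGH' range string into integers; raises ValueError on malformed input."""
    low, high = (int(x) for x in value.split("-", 1))
    return low, high


def check_idmap_ranges(text: str) -> List[str]:
    """Return a list of problems; an empty list means the idmap configuration is consistent."""
    problems: List[str] = []
    domains = parse_idmap_config(text)
    if "*" not in domains:
        problems.append("no 'idmap config *' default domain; setting the default back end is mandatory")
    ranges: Dict[str, Tuple[int, int]] = {}
    for dom, params in domains.items():
        if "backend" not in params:
            problems.append(f"{dom}: no backend configured")
        if "range" not in params:
            problems.append(f"{dom}: no range configured")
            continue
        try:
            low, high = parse_range(params["range"])
        except ValueError:
            problems.append(f"{dom}: range {params['range']!r} is not LOW-HIGH")
            continue
        if low >= high:
            problems.append(f"{dom}: range {low}-{high} is empty or reversed")
            continue
        ranges[dom] = (low, high)
    # Two closed intervals overlap when each one starts no later than the other ends.
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (al, ah), (bl, bh) = ranges[a], ranges[b]
            if al <= bh and bl <= ah:
                problems.append(f"ranges of {a} ({al}-{ah}) and {b} ({bl}-{bh}) overlap")
    return problems


if __name__ == "__main__":
    for p in check_idmap_ranges(SAMPLE_SMB_CONF):
        print("PROBLEM:", p)
```

On the constructed fragment the script flags the missing OTHERDOM range and the overlap between the * default range 3000-7999 and SAMDOM's 7000-999999; moving SAMDOM to the page's 10000-999999 range clears it. Parameters of other smb.conf sections are ignored, since idmap config only applies in [global].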
Using the ad Back End on a Samba AD Domain Controller
Samba 4.0 and 4.1 used a new Winbind implementation built into the samba command. However, this implementation never worked correctly. For this reason, Samba 4.2 enabled the winbindd utility to be used on domain controllers (DC).

Note: If you run a Samba version prior to 4.2, update to a supported version before using the ad back end on a Samba Active Directory (AD) DC. For details, see Updating Samba.
To set up the ad ID mapping back end locally on a Samba AD DC, verify that you are not using the unsupported samba built-in Winbind implementation. If the server services parameter in your smb.conf file lists the option winbind, replace it with winbindd:
    server services = ...,winbind,...
becomes
    server services = ...,winbindd,...
If you do not have the server services parameter in your smb.conf file, or it already lists the winbindd option, Samba automatically starts the winbindd service on Samba 4.2 and later when the samba service is started.
To verify that the winbindd service is started as a subprocess of the samba process, enter:
    # ps axf
    ...
     2156 ?        Ss     0:00 /usr/local/samba/sbin/samba -D
     2158 ?        S      0:00  \_ /usr/local/samba/sbin/samba -D
     2172 ?        R      0:00      \_ /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
    ...

Note: Do not start the winbindd service manually on a Samba AD DC.
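As an added example that is not from the page or the Samba project, this Python script applies the two checks of this section to constructed input: whether server services still selects the built-in winbind instead of winbindd, and whether every winbindd in a ps axf listing runs as a child of samba. The smb.conf fragment is constructed; the ps listing repeats the page's three processes and adds a constructed standalone winbindd (PID 3001) to show what a manually started daemon looks like to the check.

```python
"""Checks for the Samba AD DC case: 'server services' must select winbindd
rather than the unsupported built-in winbind, and winbindd must run as a
child of the samba process (reconstructed from the '\\_' tree of 'ps axf')."""
import os
import re
from typing import Dict, List, Optional

# Constructed smb.conf fragment that still lists the built-in winbind.
SAMPLE_SMB_CONF = """
[global]
   server role = active directory domain controller
   server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
"""

# The page's three processes plus a constructed standalone winbindd (PID 3001).
SAMPLE_PS_AXF = """  PID TTY      STAT   TIME COMMAND
 2156 ?        Ss     0:00 /usr/local/samba/sbin/samba -D
 2158 ?        S      0:00  \\_ /usr/local/samba/sbin/samba -D
 2172 ?        R      0:00      \\_ /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
 3001 ?        Ss     0:00 /usr/local/samba/sbin/winbindd -D
"""


def server_services(text: str) -> Optional[List[str]]:
    """Return the comma-separated 'server services' list, or None if the parameter is unset."""
    for line in text.splitlines():
        m = re.match(r"^\s*server\s+services\s*=\s*(.*)$", line, re.IGNORECASE)
        if m:
            return [s.strip() for s in m.group(1).split(",") if s.strip()]
    return None


def check_server_services(text: str) -> List[str]:
    """Report a 'server services' value that selects the built-in winbind or omits winbindd."""
    services = server_services(text)
    if services is None:
        return []  # unset: Samba 4.2 and later starts winbindd on its own
    problems: List[str] = []
    if "winbind" in services:
        problems.append("'server services' lists the built-in winbind; replace it with winbindd")
    if "winbindd" not in services:
        problems.append("'server services' does not list winbindd")
    return problems


def parse_ps_axf(text: str) -> Dict[int, dict]:
    """Parse 'ps axf' output into {pid: {"ppid": parent pid or None, "cmd": command line}}.
    The parent is recovered from the indentation of the '\\_' tree marker."""
    procs: Dict[int, dict] = {}
    stack: List[tuple] = []  # (depth, pid) of the current ancestor chain
    for line in text.splitlines():
        # PID TTY STAT TIME, then exactly one space, then the COMMAND column
        # (whose own leading spaces encode the tree depth).
        m = re.match(r"^\s*(\d+)\s+\S+\s+\S+\s+\S+ (.*)$", line)
        if not m:
            continue  # header line
        pid, rest = int(m.group(1)), m.group(2)
        tree = re.match(r"^(\s*)\\_ (.*)$", rest)
        if tree:
            depth, cmd = len(tree.group(1)) + 1, tree.group(2)
        else:
            depth, cmd = 0, rest  # top-level process
        while stack and stack[-1][0] >= depth:
            stack.pop()
        procs[pid] = {"ppid": stack[-1][1] if stack else None, "cmd": cmd}
        stack.append((depth, pid))
    return procs


def check_winbindd_tree(ps_text: str) -> List[str]:
    """Report every winbindd whose parent is not a samba process."""
    procs = parse_ps_axf(ps_text)
    problems: List[str] = []
    for pid, p in procs.items():
        if os.path.basename(p["cmd"].split()[0]) != "winbindd":
            continue
        parent = procs.get(p["ppid"])
        if parent is None or os.path.basename(parent["cmd"].split()[0]) != "samba":
            problems.append(f"winbindd pid {pid} is not a child of samba (manually started?)")
    return problems


if __name__ == "__main__":
    for p in check_server_services(SAMPLE_SMB_CONF) + check_winbindd_tree(SAMPLE_PS_AXF):
        print("PROBLEM:", p)
```

On the constructed input the script flags the winbind entry in server services and the standalone winbindd with PID 3001, while PID 2172 passes because its parent (PID 2158) is a samba process. Feed it real output with something like `ps axf | python3 check.py` after adapting the main block to read standard input.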