Idmap config ad: Difference between revisions

Older revision: m (→smb.conf settings: grammar)
Newer revision: (added computer attribute uidNumber to Prerequisites)
(38 intermediate revisions by 4 users not shown)

Previous revision (left column of the diff, reconstructed; the current revision is rendered below):

= Introduction =

The

* '''winbind nss info = rfc2307'''

:Retrieve individual settings for users (UID, login shell, home directory, primary group) and groups (GID) from AD

:* <u>Advantages:</u>

::* Central administration of IDs inside Active Directory
::* Consistent IDs on all Domain Members that use idmap_ad
::* Fast setting of attributes: groups only need a GID assigned; new users need a UID, NIS domain, login shell, home directory and primary group
::* Central management removes the need for local ID mappings, which can cause loss of file ownership if the local database corrupts
::* Individual login shells and home directory paths for users
::* Login shell and home directory settings are the same on all Domain Members using idmap_ad with winbind nss info = rfc2307
::* Easy [[Administer_Unix_Attributes_in_Active_Directory_via_RFC2307|user/group management via Active Directory Users and Computers (ADUC)]], which is part of [[Installing RSAT|RSAT]]

:* <u>Disadvantages:</u>

::* RFC2307 values need to be set once in AD for each user/group

* '''winbind nss info = template'''

:Retrieve just the UID and GID values from AD and set the login shell and home directory to a common setting for all users on that host

:* <u>Advantages:</u>

::* Central administration of IDs inside Active Directory
::* Consistent IDs on all Domain Members that use idmap_ad
::* Fast setting of attributes: users/groups only need a UID/GID assigned in AD
::* Central management removes the need for local ID mappings, which can cause loss of file ownership if the local database corrupts

:* <u>Disadvantages:</u>

::* All users have the same login shell (e.g. /bin/bash or /sbin/nologin) and home directory base path (e.g. /home/...)
::* Manual counting of ID values is required to avoid duplicates
::* UID/GID values need to be set once in AD for each user/group

For both configurations, [https://www.rfc-editor.org/rfc/rfc2307.txt RFC2307] is relevant. It describes how user and group information (among other data) can be stored in an LDAP directory to allow central administration, with the advantages listed above.

= winbind nss info = rfc2307 =

== Prerequisites ==

* [[Setting_up_RFC2307_in_AD#Check_if_NIS_Extensions_are_installed_in_your_Directory|NIS extensions]] installed in AD and [[Setting_up_RFC2307_in_AD#Check_if_RFC2307_is_used_by_your_Domain_Controllers|RFC2307 enabled]] in each DC's smb.conf
* [[Administer_Unix_Attributes_in_Active_Directory_via_RFC2307|Users and groups have RFC2307 attributes set]] in AD

== smb.conf settings ==

Add the following to the [global] section of your smb.conf:

 [global]
 ...
 # Important: The ranges of the default (*) idmap config
 # and the domain(s) must not overlap!
 # Default idmap config used for BUILTIN and local accounts/groups
 idmap config *:backend = tdb
 idmap config *:range = 2000-9999
 # idmap config for domain SAMDOM
 idmap config SAMDOM:backend = ad
 idmap config SAMDOM:schema_mode = rfc2307
 idmap config SAMDOM:range = 10000-99999
 # Read login shell and home directory from the RFC2307 attributes in AD
 winbind nss info = rfc2307

See the smb.conf and idmap_ad man pages for information about the parameters and options used. The range of the domain idmap config defines the lowest and highest UID/GID that will ever be used in this domain. Any IDs above or below that range will not be retrieved. Ask your AD administrator if unsure which range to set.

=

== Prerequisites ==

* Users have the uidNumber attribute set in AD
* Groups have the gidNumber attribute set in AD (at least needed for the users' primary group)

<u>Additional information:</u>

The uidNumber and gidNumber attributes are part of the Samba AD schema. There is no need to have the [[Setting_up_RFC2307_in_AD#Check_if_NIS_Extensions_are_installed_in_your_Directory|NIS extensions]] installed. There are, however, a few things to mention:

* IDs have to be incremented manually, and it is the AD administrator's responsibility to avoid duplicates or reusing IDs. Users/groups having the same IDs as existing or former ones will own and have access to the same files/directories!
* You can't use the "UNIX attributes" tab in ADUC if the [[Setting_up_RFC2307_in_AD#Check_if_NIS_Extensions_are_installed_in_your_Directory|NIS extensions]] aren't installed. You need to assign the IDs via the attributes listing in the identically named tab of ADUC, via samba-tool during user creation, or afterwards using ldbedit.

== smb.conf settings ==

Add the following to the [global] section of your smb.conf:

 [global]
 ...
 # Important: The ranges of the default (*) idmap config
 # and the domain(s) must not overlap!
 # Default idmap config used for BUILTIN and local accounts/groups
 idmap config *:backend = tdb
 idmap config *:range = 2000-9999
 # idmap config for domain SAMDOM
 idmap config SAMDOM:backend = ad
 idmap config SAMDOM:schema_mode = rfc2307
 idmap config SAMDOM:range = 10000-99999
 # Use template settings for login shell and home directory
 winbind nss info = template
 template shell = /sbin/nologin
 template homedir = /home/%U

See the smb.conf and idmap_ad man pages for information about the parameters and options used. The range of the domain idmap config defines the lowest and highest UID/GID that will ever be used in this domain. Any IDs above or below that range will not be retrieved. Ask your AD administrator if unsure which range to set.

= Using idmap_ad on a Samba DC =

''Skip this section if configuring idmap_ad on a Domain Member.''

Since Samba 4.2, Winbindd is used on a Samba Domain Controller instead of the Winbind built into the "samba" binary. It was decided to stop development of the built-in Winbind because it did not have the same quality and feature set as Winbindd. Users running 4.0 or 4.1 should update to 4.2 or later to use Winbindd with idmap_ad, or choose one of the alternatives: [[Sssd|sssd]] or [[Nslcd|nslcd]].

If you upgrade your DC from an earlier version and have a "server services" line in your smb.conf, you need to replace the "winbind" entry with "winbindd":

 [global]
 ...
 server services = ....., <s>winbind,</s> winbindd

If you don't have a "server services" line, no changes are required. The default value of the "server services" parameter enables Winbindd.

Winbindd is automatically started as a child process by the "samba" binary on startup and should not be run manually:

 # ps axf
 ...
 2156 ? Ss 0:00 /usr/local/samba/sbin//samba -D
 ...
 2158 ? S 0:00 \_ /usr/local/samba/sbin//samba -D
 2172 ? R 0:00 \_ /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
 ...

----

[[Category:Active Directory]]
[[Category:Domain Members]]
Revision as of 00:39, 22 November 2017

Introduction

The ad ID mapping back end implements a read-only API to read account and group information from Active Directory (AD). The back end is based on RFC 2307. For further details, see https://www.rfc-editor.org/rfc/rfc2307.txt.

For alternatives, see Identity Mapping Back Ends.

Warning: ID mapping back ends are not supported in the smb.conf file on a Samba Active Directory (AD) domain controller (DC). For details, see Failure To Access Shares on Domain Controllers If idmap config Parameters Set in the smb.conf File.

Advantages and Disadvantages of the ad Back End

Advantages:
- Central administration of IDs inside Active Directory (AD).
- Consistent IDs on all Samba clients and servers using the ad back end.
- The required attributes only need to be created once; this can be done when the user or group is created.
- IDs are not stored in a local database that can corrupt, so file ownerships are not lost.

Disadvantages:
- If the Windows Active Directory Users and Computers (ADUC) program is not used, you have to track ID values manually to avoid duplicates.
- The values for the RFC2307 attributes must be set manually.

Winbind NSS info mode-specific features:
- rfc2307: Individual login shells and home directory paths for users.
- template: The login shells and home directory base paths are the same for all users.
Planning the ID Ranges

Before configuring the ad back end in the smb.conf file, you must select unique ID ranges for each domain. The ranges must be contiguous and big enough to enable Samba to assign an ID for every future user and group created in the domain.

Important: The ID ranges of the * default domain and all other domains configured in the smb.conf file must not overlap.
Prerequisites

To enable Samba to retrieve user and group information from Active Directory (AD):
- Users must have at least the uidNumber attribute set, and groups the gidNumber attribute. When using the rfc2307 winbind NSS info mode, user accounts must also have the loginShell, unixHomeDirectory and primaryGroupID attributes set.
- Computers ("machine network accounts") must have the uidNumber attribute set to access shares on Samba domain members.
- The user, computer, and group IDs must be within the range configured in the smb.conf for this domain.
- If the Active Directory Users and Computers (ADUC) utility is used to assign the UNIX attributes, the NIS extensions have to be installed. For details, see Setting up RFC2307 in AD.
- User and computer IDs must be unique across all users and computers, and group IDs must be unique across all groups. Duplicate IDs, or reusing the IDs of previously deleted accounts, enable the new user, computer, or group to access files created by the other or previous ID owner. When using the ADUC utility, the user and group IDs are automatically tracked inside AD and incremented when creating a new user or group.
- Computer IDs (uidNumber attribute) are not automatically tracked inside AD and must be set manually in the ADUC Attribute Editor tab when a computer is joined to the domain.
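The two rules above (the ranges of the * default domain and of every other domain must not overlap, and every user, computer and group needs a unique ID that lies inside its domain's range) are easy to get wrong by hand, and a violation silently leaves accounts unmapped or lets one account own another's files. The following script is an added example and is not part of the Samba wiki or of Samba itself. It parses the idmap config lines of an smb.conf excerpt, validates the ranges, and then checks an LDIF-style export of directory objects against the SAMDOM range. The smb.conf excerpt, the LDIF export and the account names in it are constructed for this example; on a real domain member the export would come from a query against a DC (for example with samba-tool or ldbsearch).

```python
import re
from collections import defaultdict

# Constructed smb.conf excerpt; the idmap values mirror the page's example.
SMB_CONF = """\
[global]
   workgroup = SAMDOM
   # Default idmap config for local BUILTIN accounts and groups
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   # idmap config for the SAMDOM domain
   idmap config SAMDOM:backend = ad
   idmap config SAMDOM:schema_mode = rfc2307
   idmap config SAMDOM:range = 10000-999999
"""

# Constructed LDIF-style export of a few directory objects (not real data);
# only the attributes the checks below look at are included.
AD_EXPORT = """\
dn: CN=alice,CN=Users,DC=samdom,DC=example,DC=com
objectClass: user
sAMAccountName: alice
uidNumber: 10001
gidNumber: 10000

dn: CN=bob,CN=Users,DC=samdom,DC=example,DC=com
objectClass: user
sAMAccountName: bob
# same uidNumber as alice: bob would own and read alice's files
uidNumber: 10001
gidNumber: 10000

dn: CN=legacy,CN=Users,DC=samdom,DC=example,DC=com
objectClass: user
sAMAccountName: legacy
# outside the SAMDOM range (it falls into the * default range): not mapped
uidNumber: 5000

dn: CN=WS01,CN=Computers,DC=samdom,DC=example,DC=com
objectClass: user
objectClass: computer
sAMAccountName: WS01$
# machine account without uidNumber: cannot access shares on members

dn: CN=Domain Users,CN=Users,DC=samdom,DC=example,DC=com
objectClass: group
sAMAccountName: Domain Users
gidNumber: 10000

dn: CN=Domain Admins,CN=Users,DC=samdom,DC=example,DC=com
objectClass: group
sAMAccountName: Domain Admins
# same gidNumber as Domain Users: both groups collapse onto one Unix GID
gidNumber: 10000
"""

IDMAP_RE = re.compile(r"^idmap\s+config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.*?)$", re.I)


def parse_idmap(conf):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    idmap = defaultdict(dict)
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":  # skip blanks, comments, section headers
            continue
        m = IDMAP_RE.match(line)
        if m:
            domain, option, value = m.groups()
            idmap[domain.upper()][option.lower()] = value.strip()
    return dict(idmap)


def parse_range(text):
    """'10000-999999' -> (10000, 999999); raises ValueError when malformed."""
    low, high = (int(part) for part in text.split("-"))
    if low > high:
        raise ValueError(f"low end {low} is above high end {high}")
    return low, high


def check_ranges(idmap):
    """Flag missing settings, malformed ranges and overlapping ranges."""
    problems, ranges = [], {}
    if "*" not in idmap:
        problems.append("*: default domain not configured (mandatory)")
    for domain, opts in idmap.items():
        required = {"backend", "range"}
        if opts.get("backend", "").lower() == "ad":
            required.add("schema_mode")  # the page requires it for ad domains
        missing = sorted(required - opts.keys())
        if missing:
            problems.append(f"{domain}: missing {', '.join(missing)}")
        if "range" in opts:
            try:
                ranges[domain] = parse_range(opts["range"])
            except ValueError as exc:
                problems.append(f"{domain}: bad range {opts['range']!r} ({exc})")
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:  # closed intervals intersect
                problems.append(f"{a} range {alo}-{ahi} overlaps {b} range {blo}-{bhi}")
    return problems


def parse_ldif(text):
    """Minimal LDIF reader: one {attribute: [values]} dict per entry."""
    entries, current = [], defaultdict(list)
    for line in text.splitlines() + [""]:
        if line.startswith("#"):
            continue
        if not line.strip():  # blank line ends an entry
            if current:
                entries.append(dict(current))
                current = defaultdict(list)
            continue
        attr, _, value = line.partition(":")
        current[attr.strip()].append(value.strip())
    return entries


def kind(entry):
    """Classify an entry as user, computer or group by its objectClass values."""
    classes = {c.lower() for c in entry.get("objectClass", [])}
    if "computer" in classes:
        return "computer"
    if "group" in classes:
        return "group"
    return "user" if "user" in classes else None


def check_ids(entries, low, high):
    """Apply the prerequisites: ID present, inside the range, and unique."""
    problems = []
    # users and computers share one UID namespace; groups have their own GID namespace
    owners = {"uidNumber": defaultdict(list), "gidNumber": defaultdict(list)}
    for entry in entries:
        k = kind(entry)
        if k is None:
            continue
        name = entry.get("sAMAccountName", ["?"])[0]
        attr = "gidNumber" if k == "group" else "uidNumber"
        values = entry.get(attr)
        if not values:
            problems.append(f"{k} {name}: no {attr}")
            continue
        value = int(values[0])
        if not low <= value <= high:
            problems.append(f"{k} {name}: {attr} {value} outside {low}-{high}")
        owners[attr][value].append(name)
    for attr, by_value in owners.items():
        for value, names in sorted(by_value.items()):
            if len(names) > 1:
                problems.append(f"duplicate {attr} {value}: {', '.join(sorted(names))}")
    return problems


def audit(conf=SMB_CONF, export=AD_EXPORT, domain="SAMDOM"):
    """Run both checks and return the list of findings (empty means clean)."""
    idmap = parse_idmap(conf)
    problems = check_ranges(idmap)
    low, high = parse_range(idmap[domain]["range"])
    return problems + check_ids(parse_ldif(export), low, high)


if __name__ == "__main__":
    for finding in audit():
        print("PROBLEM:", finding)
```

On the sample data the ranges pass, and the account check reports four findings: the legacy user whose uidNumber lies outside the SAMDOM range (and inside the * default range), the machine account without a uidNumber, the uidNumber shared by alice and bob, and the gidNumber shared by Domain Users and Domain Admins. Changing the * range to 3000-20000 makes the range check report the overlap with SAMDOM as well.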
The RFC2307 and template Mode Options

Before Samba version 4.6.0:

The ad ID mapping back end supports two modes, set in the winbind nss info parameter in the [global] section of the smb.conf file:
- winbind nss info = rfc2307: All information is read from Active Directory (AD):
  - Users: Account name, UID, login shell, home directory path, and primary group.
  - Groups: Group name and GID.
- winbind nss info = template: Only the following values are read from AD:
  - Users: Account name, UID, and primary group. The login shell and home directory are automatically set by user-independent settings in the smb.conf file.
  - Groups: Group name and GID.

From Samba version 4.6.0:

The winbind nss info parameter is no longer used; it has been replaced by idmap config DOMAIN : unix_nss_info.

The ad ID mapping back end supports two modes, set in the idmap config DOMAIN : unix_nss_info parameter in the [global] section of the smb.conf file:
- idmap config DOMAIN : unix_nss_info = yes: All information is read from Active Directory (AD):
  - Users: Account name, UID, login shell, home directory path, and primary group.
  - Groups: Group name and GID.
  - These settings are made per DOMAIN, so you can have different settings for each DOMAIN.
  - If a user lacks the RFC2307 attributes, the login shell and home directory are automatically set by user-independent settings in the smb.conf file.
- idmap config DOMAIN : unix_nss_info = no: Only the following values are read from AD:
  - Users: Account name, UID, and primary group. The login shell and home directory are automatically set by user-independent settings in the smb.conf file.
  - Groups: Group name and GID.
  - This is the default setting.

There is also a new setting, unix_primary_group, which allows you to use a group other than Domain Users as the user's primary group:
- If unix_primary_group = yes, the user's primary group is obtained from the gidNumber attribute found in the user's AD object.
- If unix_primary_group = no, the user's primary group is calculated via the primaryGroupID attribute.
- The default is no.
Configuring the ad Back End

- Set the following in the [global] section of your smb.conf file:
  - If no back end for local BUILTIN accounts and groups on the domain member is configured, add the tdb back end for the * default domain and set an ID range. For example:

        # Default idmap config for local BUILTIN accounts and groups
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999

    Setting the default back end is mandatory.
  - To configure the ad back end using the 10000-999999 ID range for the SAMDOM domain:

        # idmap config for the SAMDOM domain
        idmap config SAMDOM:backend = ad
        idmap config SAMDOM:schema_mode = rfc2307
        idmap config SAMDOM:range = 10000-999999

    Important: You must set the back end, schema mode, and range for every domain, except for the * default domain. The ID ranges of the * default domain and all other domains configured in the smb.conf file must not overlap.
- Configure the Winbind NSS info mode:
  - To enable the template mode and set, for example, /bin/bash as shell and /home/%U as home directory path:

        # Template settings for login shell and home directory
        template shell = /bin/bash
        template homedir = /home/%U

    The settings are applied to all users in each domain that has the schema_mode = rfc2307 parameter set. From Samba 4.6.0, the global template settings can be overridden on a per-domain basis by enabling the idmap config domain_name:unix_nss_info parameter.

    Samba resolves the %U variable to the session user name. For details, see the VARIABLE SUBSTITUTIONS section in the smb.conf(5) man page.
  - To enable retrieving shell and home directory from Active Directory (AD), set the following value in the [global] section in your smb.conf file:
    - From Samba 4.6.0, enable this feature on a per-domain basis:

          idmap config SAMDOM:unix_nss_info = yes

    - On Samba 4.5 and earlier, set this feature globally for all domains:

          winbind nss info = rfc2307

- By default, Samba sets the Windows primary group as the primary group for mapped domain user entries on Unix. The Windows primary group is retrieved from the primaryGroupID attribute of each user entry; this is usually set to the RID of the Domain Users group. This RID is then used to obtain the gidNumber attribute from the Windows primary group.
- If you are running Samba 4.6.0 or later, you can optionally configure Samba to use the primary group set in the gidNumber attribute of the user's entry instead. For example, when using the Active Directory Users and Computers application, this attribute is displayed in the UNIX Attributes tab. To use the group ID set in the user's gidNumber attribute as the primary group for each user instead of the Windows primary group, enable the following parameter in the [global] section in your smb.conf file:

      idmap config SAMDOM:unix_primary_group = yes

  Important: Whichever setting you use, the group (or groups) set as the users' primary group must have the gidNumber attribute set. For example, if you only use the Domain Users group as the primary group for all accounts, then the Domain Users group must have a gidNumber attribute set. Winbind is unable to map accounts that use primary groups that do not have the gidNumber attribute set.
- Reload Samba:

      # smbcontrol all reload-config

For further details, see the smb.conf(5) and idmap_ad(5) man pages.
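The two primary-group resolution paths described above (primaryGroupID, a RID, looked up to a group whose gidNumber is used, versus the gidNumber of the user object when unix_primary_group = yes) and the note that an account cannot be mapped when its effective primary group carries no gidNumber are traced through below. This is an added example, not code from the Samba wiki or from winbind; the users and groups are constructed (512 and 513 are the well-known RIDs of Domain Admins and Domain Users), and treating a user object without gidNumber as unmappable under unix_primary_group = yes is an assumption of the example, since the page only states the requirement for groups.

```python
# Constructed directory objects for illustration. Groups are keyed by RID
# (the last component of the objectSid).
GROUPS = {
    512: {"name": "Domain Admins"},                    # no gidNumber set
    513: {"name": "Domain Users", "gidNumber": 10000},
    10100: {"name": "developers", "gidNumber": 10100},
}
USERS = [
    {"name": "alice", "primaryGroupID": 513, "gidNumber": 10100},
    {"name": "bob", "primaryGroupID": 513},                       # no gidNumber
    {"name": "carol", "primaryGroupID": 512, "gidNumber": 10100},  # Windows primary = Domain Admins
]


def resolve_primary_group(user, groups, unix_primary_group=False):
    """Return (gid, explanation); gid is None when the account cannot be mapped.

    unix_primary_group = no  (default): follow primaryGroupID (a RID) to the
    Windows primary group and use that group's gidNumber.
    unix_primary_group = yes (Samba 4.6.0+): use the gidNumber of the user
    object itself. A missing attribute is treated as unmappable here, which
    is this example's assumption for the 'yes' case.
    """
    if unix_primary_group:
        gid = user.get("gidNumber")
        if gid is None:
            return None, "user object has no gidNumber"
        return gid, "gidNumber of the user object"
    rid = user.get("primaryGroupID")
    group = groups.get(rid)
    if group is None:
        return None, f"no group with RID {rid}"
    gid = group.get("gidNumber")
    if gid is None:
        return None, f"primary group {group['name']} (RID {rid}) has no gidNumber"
    return gid, f"gidNumber of primary group {group['name']} (RID {rid})"


def audit_primary_groups(users=USERS, groups=GROUPS, unix_primary_group=False):
    """Resolve every user: {name: (gid or None, explanation)}."""
    return {u["name"]: resolve_primary_group(u, groups, unix_primary_group) for u in users}


def unmappable(users=USERS, groups=GROUPS, unix_primary_group=False):
    """Users winbind could not map under the given setting, with the reason."""
    return {name: why for name, (gid, why)
            in audit_primary_groups(users, groups, unix_primary_group).items()
            if gid is None}


if __name__ == "__main__":
    for setting in (False, True):
        print(f"unix_primary_group = {'yes' if setting else 'no'}:")
        for name, (gid, why) in audit_primary_groups(unix_primary_group=setting).items():
            print(f"  {name}: {gid} ({why})")
```

With the default setting, carol is unmappable because her Windows primary group (Domain Admins) has no gidNumber, even though her own user object carries one; with unix_primary_group = yes the situation flips and bob, whose user object lacks gidNumber, is the one that fails. Either way, the fix is to set gidNumber on whatever object the chosen path reads it from.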