Difference between revisions of "Idmap config ad"

(Rollback some of the wrong previous removales. The idmapping part is required for member servers. Also it is required to replace the server services entry on a DC, if users having this parameter.)
m (/* updared 'important' to 'warning')
 
(61 intermediate revisions by 4 users not shown)
Line 1: Line 1:
 
= Introduction =
 
= Introduction =
  
[https://www.rfc-editor.org/rfc/rfc2307.txt RFC2307] defines the possibility to store e. g. user and group information in an LDAP directory. This allows central administration with several [[#Advantages|advantages]].
+
The <code>ad</code> ID mapping back end implements a read-only API to read account and group information from Active Directory (AD). The back end is based on RFC 2307. For further details, see https://www.rfc-editor.org/rfc/rfc2307.txt.
  
RFC2307 attributes are usable by default in a Samba Active Directory. This documentation describes how to make account and group information available on [[Setup_a_Samba_AD_Member_Server|Member Servers]] and >= 4.2 DCs via [[Winbind|Winbindd]] using RFC2307.
+
For alternatives, see [[Identity_Mapping_Back_Ends|Identity Mapping Back Ends]].
  
Since Samba 4.2.0, Winbindd (as used on a member server) is now used by default on a Samba Domain Controller. Previous version were shipped with Winbind - an implementation that was dropped because it doesn't have the same quality and feature set of Winbindd. The Samba team advice is to only use Winbindd on 4.2.0 or later. If you're running 4.0 or 4.1, choose one of the alternatives [[Local_user_management_and_authentication/sssd|sssd]] or [[Local_user_management_and_authentication/nslcd|nslcd]].
+
{{Imbox
 +
| type = warning
 +
| text = ID mapping back ends are not supported in the <code>smb.conf</code> file on a Samba Active Directory (AD) domain controller (DC).<br />For details, see [[Updating_Samba#Failure_To_Access_Shares_on_Domain_Controllers_If_idmap_config_Parameters_Set_in_the_smb.conf_File|Failure To Access Shares on Domain Controllers If idmap config Parameters Set in the smb.conf File]].
 +
}}
  
 +
{{Imbox
 +
| type = warning
 +
| text = If you use the winbind 'ad' backend, you '''must''' add a gidNumber attribute to the <code>Domain Users</code> group in AD. You '''must''' also give any users, that you want to be visible to Unix, a uidNumber attribute. From Samba version 4.6.0 , you can also add a gidNumber attribute containing the gidNumber of a group and, providing smb.conf is set up correctly, this will be used as the users Unix primary group. All of these uidNumber & gidNumber attributes must contain numbers inside the range you set for the <code>DOMAIN</code> in the Unix domain members <code>smb.conf</code>.
 +
}}
  
  
  
  
= Advantages =
 
  
* Central administration of users (UID, Login Shell, Home Directory, Primary Group) and groups (GID) directly in Active Directory.
+
= Advantages and Disadvantages of the <code>ad</code> Back End =
  
* Consistent user and group information accross multiple machines.
+
Advantages:
 +
* Central administration of IDs inside Active Directory (AD).
 +
* Consistent IDs on all Samba clients and servers using the <code>ad</code> back end.
 +
* The required attributes only need creating once, this can be done when the user or group is created
 +
* IDs are only cached locally, they are stored in the AD database on DC's. This means that if the local cache becomes corrupt the file ownerships are not lost.
  
* Individual settings for users (e. g. for Login Shell). Other mapping technologies typically use global template settings for all accounts on a host.
+
Disadvantages:
 +
* If the Windows <code>Active Directory Users and Computers</code> (ADUC) program is not used, you have to manual track ID values to avoid duplicates.
 +
* The values for the RFC2307 attributes must be set manually.
  
* Central management prevents the necessity for local ID mappings, that may cause loosing file ownership if the local database corrupts.
+
Winbind NSS info mode-specific features:
 +
* <code>rfc2307</code>: Individual login shells and home directory paths for users.
 +
* <code>template</code>: The login shells and home directory base paths are the same for all users.
  
* Easy user/group management via the default Microsoft tools (e. g. Active Directory Users and Computers), which are part of [[Installing_RSAT_on_Windows_for_AD_Management|RSAT]].
 
  
* If administered via ADUC and [[Using_RFC2307_on_a_Samba_DC|enabled NIS extensions]], there's no need for manual ID counting. E. g. the next free UID and GID is stored directly in Active Directory and will be incremented then creating a new user or group.
 
  
  
  
 +
= Planning the ID Ranges =
  
 +
Before configuring the <code>ad</code> back end in the <code>smb.conf</code> file, you must select unique ID ranges for each domain. The ranges must be continuous and big enough to enable Samba to assign an ID for every future user and group created in the domain.
  
= General information about the Samba idmap_ad backend for Winbindd =
+
{{Imbox
 +
| type = important
 +
| text = The ID ranges of the <code>*</code> default domain and all other domains configured in the <code>smb.conf</code> file must not overlap.
 +
}}
  
The idmap_ad plugin will ultimately provide a way for Winbindd to read id mappings from an AD server that uses RFC2307/SFU schema extensions. This module implements only the "idmap" API, and is read-only. Mappings must be provided in advance by the administrator by adding the uidNumber attributes for users and gidNumber attributes for groups in the AD. Winbindd will only map users that have a uidNumber and whose primary group have a gidNumber attribute set. It is however recommended that all groups in use have gidNumber attributes assigned, otherwise they will not work.
 
  
See the manpage of idmap_ad for further information.
 
  
  
  
 +
= Prerequisites =
  
 +
To enable Samba to retrieve user and group information from Active Directory (AD):
  
= Using Winbindd on a Samba DC =
+
* Users must have, at least, the <code>uidNumber</code> attribute set. When using the <code>rfc2307</code> <code>winbind NSS info</code> mode, user accounts must also have the <code>loginShell</code> and <code>unixHomeDirectory</code> set.
 +
* Groups must have, at least, the <code>gidNumber</code> attribute set.
 +
* Computers, or: 'machine network accounts', must have the <code>uidNumber</code> attribute set to access shares on samba domain members.
 +
* The Users and Computers Primary Group must have a <code>gidNumber</code> attribute set.
 +
* The user, computer, and group IDs must be within the range configured in the <code>smb.conf</code> for this domain.
 +
* User and computer IDs must be unique for all users and computers, and group IDs must be unique for all groups. Duplicate IDs or reusing IDs of previously deleted accounts enable the new user, computer, or group to access files created by the other or previous ID owner. When using the ADUC utility, the user and group IDs are automatically tracked inside AD and incremented when creating a new user or group.
 +
* Computer IDs (<code>uidNumber</code> attribute) are not automatically tracked inside AD and must be set manually in the ADUC Attribute Editor tab when a computer is joined to the domain.
  
On a DC, UID/GID resolving to user/groupnames on the OS side is optional. If you're fine with seeing UIDs/GIDs on your DC, instead of user/groupnames, no further action is required. However if you want to have user/groupnames displayed on 'ls', etc., you can choose to do it via Winbindd (see this section), [[Local_user_management_and_authentication/nslcd|nslcd]] or [[Local_user_management_and_authentication/sssd|sssd]].
+
{{Imbox
 +
| type = important
 +
| text = If the <code>Active Directory Users and Groups</code> [[Maintaining_Unix_Attributes_in_AD_using_ADUC | (ADUC) utility is used]] to assign the UNIX attributes, the NIS extensions have to be installed. For details, see [[Setting_up_RFC2307_in_AD|Setting up RFC2307 in AD]].
 +
}}
  
Since Samba 4.2.0, Winbindd is now used on a Samba Domain Controller, instead of the winbind built into the "samba" process. If you're having a "server services" line in your smb.conf on your DC, you need to replace the „winbind“ entry by „winbindd“:
 
  
[global]
 
  ...
 
  server services = ....., <s>winbind,</s> <u>winbindd</u>
 
  
Users not having a „server services“ line, don't need any changes. Winbindd is then enabled per default for the "server services" parameter.
 
  
Winbindd is now automatically started by the "samba" process on startup as a child process and should not to be run manually!
 
  
Additionally the steps described in [[#Configuring_RFC2307_backend_for_Winbindd|Configuring RFC2307 for Winbindd]] are required.
+
= The <code>RFC2307</code> and <code>template</code> Mode Options =
  
 +
'''Before Samba version 4.6.0:'''
  
  
 +
The <code>ad</code> ID mapping back end supports two modes, set in the <code>winbind nss info</code> parameter in the <code>[global]</code> section of the <code>smb.conf</code> file:
  
 +
* <code>winbind nss info = rfc2307</code>: All information is read from Active Directory (AD):
 +
:* Users: Account name, UID, login shell, home directory path, and primary group.
 +
:* Groups: Group name and GID.
  
= Configuring RFC2307 backend for Winbindd on a Member Server =
+
* <code>winbind nss info = template</code>: Only the following values are read from AD:
 +
:* Users: Account name, UID, and primary group.
 +
:: The login shell and home directory are automatically set by user-independent settings in the <code>smb.conf</code> file.
 +
:* Groups: Group name and GID
  
Add the following to the [global] section of your smb.conf:
 
  
  # '''Important: The ranges of the default (*) backend'''
+
'''From Samba version 4.6.0:'''
  # '''and the domain(s) <u>must not</u> overlap!'''
+
 
 +
 
 +
You no longer use the <code>winbind nss info</code> parameter, it has been replaced by <code>idmap config DOMAIN : unix_nss_info</code>
 +
 
 +
The <code>ad</code> ID mapping back end supports two modes, set in the <code>idmap config DOMAIN : unix_nss_info</code> parameter in the <code>[global]</code> section of the <code>smb.conf</code> file:
 +
 
 +
* <code>idmap config DOMAIN : unix_nss_info = yes</code>: All information is read from Active Directory (AD):
 +
:* Users: Account name, UID, login shell, home directory path, and primary group.
 +
:* Groups: Group name and GID.
 +
;* These settings are set on a DOMAIN basis, this means you can have different settings for each DOMAIN. 
 +
:* If a user lacks the RFC2307 attributes, the login shell and home directory are automatically set by user-independent settings in the <code>smb.conf</code> file.
 +
 
 +
* <code>idmap config DOMAIN : unix_nss_info = no</code>: Only the following values are read from AD:
 +
:* Users: Account name, UID, and primary group.
 +
:: The login shell and home directory are automatically set by user-independent settings in the <code>smb.conf</code> file.
 +
:* Groups: Group name and GID
 +
:* This is the default setting.
 +
 
 +
 
 +
There is now a new setting <code>unix_primary_group</code>, this allows you to use another group for the users primary group instead of Domain Users.
 +
:* If this is set with <code>unix_primary_group = yes</code>, the users primary group is obtained from the gidNumber attribute found in the users AD object.
 +
:* If this is set with <code>unix_primary_group = no</code>, the users primary group is calculated via the "primaryGroupID" attribute.
 +
:* The default is 'no'
 +
 
 +
 
 +
= Configuring the <code>ad</code> Back End =
 +
 
 +
'''Before Samba version 4.6.0:'''
 +
 
 +
* To configure the <code>ad</code> back end using the <code>10000-999999</code> ID range for the <code>SAMDOM</code> domain, set the following in the <code>[global]</code> section of your <code>smb.conf</code> file:
 +
 
 +
security = ADS
 +
workgroup = SAMDOM
 +
realm = SAMDOM.EXAMPLE.COM
 
   
 
   
  # Retrieve UIDs/GIDs for domain SAMDOM from AD, via RFC2307.
+
log file = /var/log/samba/%m.log
  # The range value defines the lowest RID up to the highest,
+
log level = 1
  # that will ever be used in this domain. Ask your AD Domain
 
  # Administrator, if you don't know which range to define.
 
  idmap config SAMDOM:backend = ad
 
  idmap config SAMDOM:schema_mode = rfc2307
 
  idmap config SAMDOM:range = 10000-40000
 
 
   
 
   
  # Store UIDs/GIDs for all other domains (including local
+
winbind nss info = rfc2307
  # accounts/groups of this server) in a tdb file
 
  idmap config *:backend = tdb
 
  idmap config *:range = 2000-9999
 
 
   
 
   
  # Use home directory and shell information from AD
+
# Default ID mapping configuration for local BUILTIN accounts
  winbind nss info = rfc2307
+
# and groups on a domain member. The default (*) domain:
 +
# - must not overlap with any domain ID mapping configuration!
 +
# - must use a read-write-enabled back end, such as tdb.
 +
idmap config * : backend = tdb
 +
idmap config * : range = 3000-7999
 +
# - You must set a DOMAIN backend configuration
 +
# idmap config for the SAMDOM domain
 +
idmap config SAMDOM:backend = ad
 +
idmap config SAMDOM:schema_mode = rfc2307
 +
idmap config SAMDOM:range = 10000-999999
 +
 +
vfs objects = acl_xattr
 +
map acl inherit = yes
 +
store dos attributes = yes
 +
 
 +
 
 +
'''From Samba version 4.6.0:'''
 +
 
 +
* To configure the <code>ad</code> back end using the <code>10000-999999</code> ID range for the <code>SAMDOM</code> domain, set the following in the <code>[global]</code> section of your <code>smb.conf</code> file:
 +
 
 +
security = ADS
 +
workgroup = SAMDOM
 +
realm = SAMDOM.EXAMPLE.COM
 +
 +
log file = /var/log/samba/%m.log
 +
log level = 1
 +
 +
# Default ID mapping configuration for local BUILTIN accounts
 +
# and groups on a domain member. The default (*) domain:
 +
# - must not overlap with any domain ID mapping configuration!
 +
# - must use a read-write-enabled back end, such as tdb.
 +
idmap config * : backend = tdb
 +
idmap config * : range = 3000-7999
 +
# - You must set a DOMAIN backend configuration
 +
# idmap config for the SAMDOM domain
 +
idmap config SAMDOM:backend = ad
 +
idmap config SAMDOM:schema_mode = rfc2307
 +
idmap config SAMDOM:range = 10000-999999
 +
idmap config SAMDOM:unix_nss_info = yes
 +
 +
vfs objects = acl_xattr
 +
map acl inherit = yes
 +
store dos attributes = yes
 +
 
 +
 
 +
{{Imbox
 +
| type = important
 +
| text = Setting the default back end is mandatory.
 +
}}
 +
 
 +
{{Imbox
 +
| type = important
 +
| text = You must set the range for every domain, including the <code>*</code> default domain. You must set the back end and schema mode for every domain, except the <code>*</code> default domain. The ID ranges of all domains configured in the smb.conf file must not overlap.
 +
}}
 +
 
 +
 
 +
* Configure the Winbind NSS info mode:
 +
 
 +
:* To enable the <code>template</code> mode and set, for example, <code>/bin/bash</code> as shell and <code>/home/%U</code> as home directory path:
 +
 
 +
# Template settings for login shell and home directory
 +
template shell = /bin/bash
 +
template homedir = /home/%U
 +
 
 +
:: The settings are applied to all users in each domain that has the <code>schema_mode = rfc2307</code> parameter set. From Samba 4.6.0, the global template settings can be overwritten on a domain-basis by enabling the <code>idmap config ''domain_name'':unix_nss_info</code> parameter.
 +
 
 +
:: Samba resolves the <code>%U</code> variable to the session user name. For details, see the <code>VARIABLE SUBSTITUTIONS</code> section in the <code>smb.conf(5)</code> man page.
 +
 
 +
* By default, Samba sets the Windows primary group as primary group for mapped domain user entries on Unix. The Windows primary group is retrieved from the <code>primaryGroupID</code> attribute of each user entry, this is usually set to the <code>Domain Users</code> group RID. This RID is then used to obtain the <code>gidNumber</code> attribute from the Windows primary group.
 +
 
 +
* If you are running Samba 4.6.0 or later, you can optionally configure Samba to use the primary group set in the <code>gidNumber</code> attribute in the users entry instead. For example, when using the <code>Active Directory Users and Computers</code> application, this attribute is displayed in the <code>UNIX Attributes</code> tab. To use the group ID set in the users <code>gidNumber</code> attribute as primary group for each user instead of the Windows primary group, enable the following parameter in the <code>[global]</code> section in your <code>smb.conf</code> file:
 +
 
 +
idmap config SAMDOM:unix_primary_group = yes
 +
 
 +
{{Imbox
 +
| type = important
 +
| text = Whichever setting you use, the group (or groups) set as the users primary group must have the <code>gidNumber</code> attribute set. For example, if you only use the <code>Domain Users</code> group as the primary group for all accounts, then the <code>Domain Users</code> group must have a <code>gidNumber</code> attribute set. Winbind is unable to map accounts that use primary groups that do not have the <code>gidNumber</code> attribute set.
 +
}}
 +
 
 +
{{Imbox
 +
| type = important
 +
| text = Whichever setting you use, do not change the users <code>primaryGroupID</code> attribute, Windows relies on all users being a member of <code>Domain Users</code>. If you require your Unix users to have a primary group other than <code>Domain Users</code>, you should use Samba version 4.6.0 or later.
 +
}}
 +
 
 +
* Reload Samba:
  
See the manpage of smb.conf for additional winbindd parameters and their meanings.
+
# smbcontrol all reload-config
  
 +
For further details, see the <code>smb.conf(5)</code> and <code>idmap_ad(5)</code> man page.
  
  
  
  
= Administering Unix Attributes in Active Directory =
 
  
See [[Using_RFC2307_on_a_Samba_DC#Administer_Unix_Attributes_in_Active_Directory|Administer_Unix_Attributes_in_Active_Directory]].
+
----
 +
[[Category:Active Directory]]
 +
[[Category:Domain Members]]

Latest revision as of 07:44, 28 June 2019

Introduction

The ad ID mapping back end implements a read-only API to read account and group information from Active Directory (AD). The back end is based on RFC 2307. For further details, see https://www.rfc-editor.org/rfc/rfc2307.txt.

For alternatives, see Identity Mapping Back Ends.



Advantages and Disadvantages of the ad Back End

Advantages:

  • Central administration of IDs inside Active Directory (AD).
  • Consistent IDs on all Samba clients and servers using the ad back end.
  • The required attributes only need creating once, this can be done when the user or group is created
  • IDs are only cached locally, they are stored in the AD database on DC's. This means that if the local cache becomes corrupt the file ownerships are not lost.

Disadvantages:

  • If the Windows Active Directory Users and Computers (ADUC) program is not used, you have to manual track ID values to avoid duplicates.
  • The values for the RFC2307 attributes must be set manually.

Winbind NSS info mode-specific features:

  • rfc2307: Individual login shells and home directory paths for users.
  • template: The login shells and home directory base paths are the same for all users.



Planning the ID Ranges

Before configuring the ad back end in the smb.conf file, you must select unique ID ranges for each domain. The ranges must be continuous and big enough to enable Samba to assign an ID for every future user and group created in the domain.



Prerequisites

To enable Samba to retrieve user and group information from Active Directory (AD):

  • Users must have, at least, the uidNumber attribute set. When using the rfc2307 winbind NSS info mode, user accounts must also have the loginShell and unixHomeDirectory set.
  • Groups must have, at least, the gidNumber attribute set.
  • Computers, or: 'machine network accounts', must have the uidNumber attribute set to access shares on samba domain members.
  • The Users and Computers Primary Group must have a gidNumber attribute set.
  • The user, computer, and group IDs must be within the range configured in the smb.conf for this domain.
  • User and computer IDs must be unique for all users and computers, and group IDs must be unique for all groups. Duplicate IDs or reusing IDs of previously deleted accounts enable the new user, computer, or group to access files created by the other or previous ID owner. When using the ADUC utility, the user and group IDs are automatically tracked inside AD and incremented when creating a new user or group.
  • Computer IDs (uidNumber attribute) are not automatically tracked inside AD and must be set manually in the ADUC Attribute Editor tab when a computer is joined to the domain.



The RFC2307 and template Mode Options

Before Samba version 4.6.0:


The ad ID mapping back end supports two modes, set in the winbind nss info parameter in the [global] section of the smb.conf file:

  • winbind nss info = rfc2307: All information is read from Active Directory (AD):
  • Users: Account name, UID, login shell, home directory path, and primary group.
  • Groups: Group name and GID.
  • winbind nss info = template: Only the following values are read from AD:
  • Users: Account name, UID, and primary group.
The login shell and home directory are automatically set by user-independent settings in the smb.conf file.
  • Groups: Group name and GID


From Samba version 4.6.0:


You no longer use the winbind nss info parameter, it has been replaced by idmap config DOMAIN : unix_nss_info

The ad ID mapping back end supports two modes, set in the idmap config DOMAIN : unix_nss_info parameter in the [global] section of the smb.conf file:

  • idmap config DOMAIN : unix_nss_info = yes: All information is read from Active Directory (AD):
  • Users: Account name, UID, login shell, home directory path, and primary group.
  • Groups: Group name and GID.
  • These settings are set on a DOMAIN basis, this means you can have different settings for each DOMAIN.
  • If a user lacks the RFC2307 attributes, the login shell and home directory are automatically set by user-independent settings in the smb.conf file.
  • idmap config DOMAIN : unix_nss_info = no: Only the following values are read from AD:
  • Users: Account name, UID, and primary group.
The login shell and home directory are automatically set by user-independent settings in the smb.conf file.
  • Groups: Group name and GID
  • This is the default setting.


There is now a new setting unix_primary_group, this allows you to use another group for the users primary group instead of Domain Users.

  • If this is set with unix_primary_group = yes, the users primary group is obtained from the gidNumber attribute found in the users AD object.
  • If this is set with unix_primary_group = no, the users primary group is calculated via the "primaryGroupID" attribute.
  • The default is 'no'


Configuring the ad Back End

Before Samba version 4.6.0:

  • To configure the ad back end using the 10000-999999 ID range for the SAMDOM domain, set the following in the [global] section of your smb.conf file:
security = ADS
workgroup = SAMDOM
realm = SAMDOM.EXAMPLE.COM

log file = /var/log/samba/%m.log
log level = 1

winbind nss info = rfc2307

# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use a read-write-enabled back end, such as tdb.
idmap config * : backend = tdb
idmap config * : range = 3000-7999
# - You must set a DOMAIN backend configuration
# idmap config for the SAMDOM domain
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = 10000-999999

vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes


From Samba version 4.6.0:

  • To configure the ad back end using the 10000-999999 ID range for the SAMDOM domain, set the following in the [global] section of your smb.conf file:
security = ADS
workgroup = SAMDOM
realm = SAMDOM.EXAMPLE.COM

log file = /var/log/samba/%m.log
log level = 1

# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use a read-write-enabled back end, such as tdb.
idmap config * : backend = tdb
idmap config * : range = 3000-7999
# - You must set a DOMAIN backend configuration
# idmap config for the SAMDOM domain
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = 10000-999999
idmap config SAMDOM:unix_nss_info = yes

vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes



  • Configure the Winbind NSS info mode:
  • To enable the template mode and set, for example, /bin/bash as shell and /home/%U as home directory path:
# Template settings for login shell and home directory
template shell = /bin/bash
template homedir = /home/%U
The settings are applied to all users in each domain that has the schema_mode = rfc2307 parameter set. From Samba 4.6.0, the global template settings can be overwritten on a domain-basis by enabling the idmap config domain_name:unix_nss_info parameter.
Samba resolves the %U variable to the session user name. For details, see the VARIABLE SUBSTITUTIONS section in the smb.conf(5) man page.
  • By default, Samba sets the Windows primary group as primary group for mapped domain user entries on Unix. The Windows primary group is retrieved from the primaryGroupID attribute of each user entry, this is usually set to the Domain Users group RID. This RID is then used to obtain the gidNumber attribute from the Windows primary group.
  • If you are running Samba 4.6.0 or later, you can optionally configure Samba to use the primary group set in the gidNumber attribute in the users entry instead. For example, when using the Active Directory Users and Computers application, this attribute is displayed in the UNIX Attributes tab. To use the group ID set in the users gidNumber attribute as primary group for each user instead of the Windows primary group, enable the following parameter in the [global] section in your smb.conf file:
idmap config SAMDOM:unix_primary_group = yes
  • Reload Samba:
# smbcontrol all reload-config

For further details, see the smb.conf(5) and idmap_ad(5) man page.