Idmap config ad: Difference between revisions
From SambaWiki
Mmuehlfeld (talk | contribs) m (Updates local range end) |
(/* grammar) |
||
| Line 3: | Line 3: | ||
The <code>ad</code> ID mapping back end implements a read-only API to read account and group information from Active Directory (AD). The back end is based on RFC 2307. For further details, see https://www.rfc-editor.org/rfc/rfc2307.txt. |
The <code>ad</code> ID mapping back end implements a read-only API to read account and group information from Active Directory (AD). The back end is based on RFC 2307. For further details, see https://www.rfc-editor.org/rfc/rfc2307.txt. |
||
Alternatives to the <code> |
Alternatives to the <code>ad</code> back end: |
||
* [[Idmap_config_rid|idmap config rid]] |
* [[Idmap_config_rid|idmap config rid]] |
||
* [[Idmap_config_autorid|idmap config autorid]] |
* [[Idmap_config_autorid|idmap config autorid]] |
||
| Line 16: | Line 16: | ||
* Central administration of IDs inside Active Directory (AD). |
* Central administration of IDs inside Active Directory (AD). |
||
* Consistent IDs on all Samba clients and servers using the <code>ad</code> back end. |
* Consistent IDs on all Samba clients and servers using the <code>ad</code> back end. |
||
* |
* The required attributes only need creating once, this can be done when the user or group is created |
||
* IDs are not stored in a local database that can corrupt and thus file ownerships are not lost. |
* IDs are not stored in a local database that can corrupt and thus file ownerships are not lost. |
||
Disadvantages: |
Disadvantages: |
||
* If |
* If the Windows <code>Active Directory Users and Computers</code> (ADUC) program is not used, you have to manual track ID values to avoid duplicates. |
||
* |
* The values for the RFC2307 attributes must be set manually. |
||
<code>winbind NSS info</code> mode-specific features: |
<code>winbind NSS info</code> mode-specific features: |
||
* <code>rfc2307</code>: Individual login shells and home directory paths for users. |
* <code>rfc2307</code>: Individual login shells and home directory paths for users. |
||
* <code>template</code>: |
* <code>template</code>: The login shells and home directory base paths are the same for all users. |
||
| Line 33: | Line 33: | ||
= Planning the ID Ranges = |
= Planning the ID Ranges = |
||
Before configuring the <code>ad</code> back end in the <code>smb.conf</code> file, select unique ID ranges |
Before configuring the <code>ad</code> back end in the <code>smb.conf</code> file, you must select unique ID ranges for each domain. The ranges must be continuous and big enough to enable Samba to assign an ID for every future user and group created in the domain. |
||
{{Imbox |
{{Imbox |
||
| Line 48: | Line 48: | ||
To enable Samba to retrieve user and group information from Active Directory (AD): |
To enable Samba to retrieve user and group information from Active Directory (AD): |
||
* Users must have at least the <code>uidNumber</code> and groups the <code>gidNumber</code> attribute set. When using the <code>rfc2307</code> <code>winbind NSS info</code> mode, user accounts must |
* Users must have at least the <code>uidNumber</code> and groups the <code>gidNumber</code> attribute set. When using the <code>rfc2307</code> <code>winbind NSS info</code> mode, user accounts must also have the <code>loginShell</code>, <code>unixHomeDirectory</code> and <code>primaryGroupID</code> set. |
||
* The user and group IDs must be within the range configured in the <code>smb.conf</code> for this domain. |
* The user and group IDs must be within the range configured in the <code>smb.conf</code> for this domain. |
||
* If the <code>Active Directory Users and Groups</code> (ADUC) utility is used to assign the UNIX attributes, the NIS extensions have to be installed. For details, see [[Setting_up_RFC2307_in_AD|Setting up RFC2307 in AD]]. |
* If the <code>Active Directory Users and Groups</code> (ADUC) utility is used to assign the UNIX attributes, the NIS extensions have to be installed. For details, see [[Setting_up_RFC2307_in_AD|Setting up RFC2307 in AD]]. |
||
* User IDs must be unique for all users and group IDs for all groups. Duplicate IDs or reusing IDs of previously deleted accounts enable the new user or group to access files created by the previous ID owner. When using the ADUC utility, the IDs are automatically tracked inside AD and incremented when creating a new user or group. |
* User IDs must be unique for all users and group IDs for all groups. Duplicate IDs or reusing IDs of previously deleted accounts enable the new user or group to access files created by the previous ID owner. When using the ADUC utility, the IDs are automatically tracked inside AD and incremented when creating a new user or group. |
||
* The primary user group of user accounts, |
* The primary user group of user accounts, normally the <code>Domain Users</code> group, must have a <code>gidNumber</code> attribute set. If the attribute is not set for the primary group, the users will not be visible on the machine having the <code>ad</code> ID mapping back end configured. |
||
| Line 62: | Line 62: | ||
The <code>ad</code> ID mapping back end supports two modes, set in the <code>winbind nss info</code> parameter in the <code>[global]</code> section of the <code>smb.conf</code> file: |
The <code>ad</code> ID mapping back end supports two modes, set in the <code>winbind nss info</code> parameter in the <code>[global]</code> section of the <code>smb.conf</code> file: |
||
* <code>winbind nss info = rfc2307</code>: All information |
* <code>winbind nss info = rfc2307</code>: All information is read from Active Directory (AD): |
||
:* Users: Account name, UID, login shell, home directory path, and primary group. |
:* Users: Account name, UID, login shell, home directory path, and primary group. |
||
:* Groups: Group name and GID. |
:* Groups: Group name and GID. |
||
| Line 68: | Line 68: | ||
* <code>winbind nss info = template</code>: Only the following values are read from AD: |
* <code>winbind nss info = template</code>: Only the following values are read from AD: |
||
:* Users: Account name, UID, and primary group. |
:* Users: Account name, UID, and primary group. |
||
:: The login shell and home directory |
:: The login shell and home directory are automatically set by user-independent settings in the <code>smb.conf</code> file. |
||
:* Groups: Group name and |
:* Groups: Group name and GID |
||
| Line 78: | Line 78: | ||
* Set the following in the <code>[global]</code> section of your <code>smb.conf</code> file: |
* Set the following in the <code>[global]</code> section of your <code>smb.conf</code> file: |
||
:* If no back end for local <code>BUILTIN</code> accounts and groups on the domain member is configured, add the <code>tdb</code> back end for <code>*</code> default domain and set an ID range. For example: |
:* If no back end for local <code>BUILTIN</code> accounts and groups on the domain member is configured, add the <code>tdb</code> back end for the <code>*</code> default domain and set an ID range. For example: |
||
# Default idmap config for local BUILTIN accounts and groups |
# Default idmap config for local BUILTIN accounts and groups |
||
| Line 95: | Line 95: | ||
::{{Imbox |
::{{Imbox |
||
| type = important |
| type = important |
||
| text = |
| text = You must set these parameters for each and every domain, except the <code>*</code> default domain. The ID ranges of the <code>*</code> default domain and all other domains configured in the <code>smb.conf</code> file must not overlap. |
||
}} |
}} |
||
| Line 107: | Line 107: | ||
template homedir = /home/%U |
template homedir = /home/%U |
||
:: The values |
:: The values will be applied to all users in all domains that have the <code>schema_mode = template</code> parameter set. Samba resolves the <code>%U</code> variable to the session user name. For details, see the <code>VARIABLE SUBSTITUTIONS</code> section in the <code>smb.conf(5)</code> man page. |
||
:* To enable the <code>rfc2307</code> mode, set: |
:* To enable the <code>rfc2307</code> mode, set: |
||
Revision as of 19:26, 7 December 2016
Introduction
The ad ID mapping back end implements a read-only API to read account and group information from Active Directory (AD). The back end is based on RFC 2307. For further details, see https://www.rfc-editor.org/rfc/rfc2307.txt.
Alternatives to the ad back end:
Advantages and Disadvantages of the ad Back End
Advantages:
- Central administration of IDs inside Active Directory (AD).
- Consistent IDs on all Samba clients and servers using the
adback end. - The required attributes only need creating once, this can be done when the user or group is created
- IDs are not stored in a local database that can corrupt and thus file ownerships are not lost.
Disadvantages:
- If the Windows
Active Directory Users and Computers(ADUC) program is not used, you have to manual track ID values to avoid duplicates. - The values for the RFC2307 attributes must be set manually.
winbind NSS info mode-specific features:
rfc2307: Individual login shells and home directory paths for users.template: The login shells and home directory base paths are the same for all users.
Planning the ID Ranges
Before configuring the ad back end in the smb.conf file, you must select unique ID ranges for each domain. The ranges must be continuous and big enough to enable Samba to assign an ID for every future user and group created in the domain.
 | The ID ranges of the * default domain and all other domains configured in the smb.conf file must not overlap. |
Prerequisites
To enable Samba to retrieve user and group information from Active Directory (AD):
- Users must have at least the
uidNumberand groups thegidNumberattribute set. When using therfc2307winbind NSS infomode, user accounts must also have theloginShell,unixHomeDirectoryandprimaryGroupIDset. - The user and group IDs must be within the range configured in the
smb.conffor this domain. - If the
Active Directory Users and Groups(ADUC) utility is used to assign the UNIX attributes, the NIS extensions have to be installed. For details, see Setting up RFC2307 in AD. - User IDs must be unique for all users and group IDs for all groups. Duplicate IDs or reusing IDs of previously deleted accounts enable the new user or group to access files created by the previous ID owner. When using the ADUC utility, the IDs are automatically tracked inside AD and incremented when creating a new user or group.
- The primary user group of user accounts, normally the
Domain Usersgroup, must have agidNumberattribute set. If the attribute is not set for the primary group, the users will not be visible on the machine having theadID mapping back end configured.
The RFC2307 and template winbind NSS info mode options
The ad ID mapping back end supports two modes, set in the winbind nss info parameter in the [global] section of the smb.conf file:
winbind nss info = rfc2307: All information is read from Active Directory (AD):
- Users: Account name, UID, login shell, home directory path, and primary group.
- Groups: Group name and GID.
winbind nss info = template: Only the following values are read from AD:
- Users: Account name, UID, and primary group.
- The login shell and home directory are automatically set by user-independent settings in the
smb.conffile.
- Groups: Group name and GID
Configuring the ad Back End
- Set the following in the
[global]section of yoursmb.conffile:
- If no back end for local
BUILTINaccounts and groups on the domain member is configured, add thetdbback end for the*default domain and set an ID range. For example:
- If no back end for local
# Default idmap config for local BUILTIN accounts and groups idmap config * : backend = tdb idmap config * : range = 3000-7999
- Setting the default back end is mandatory.
- To configure the
adback end using the10000-999999ID range for theSAMDOMdomain:
- To configure the
# idmap config for the SAMDOM domain idmap config SAMDOM:backend = ad idmap config SAMDOM:schema_mode = rfc2307 idmap config SAMDOM:range = 10000-999999
You must set these parameters for each and every domain, except the *default domain. The ID ranges of the*default domain and all other domains configured in thesmb.conffile must not overlap.
- Configure the Winbind NSS info mode:
- To enable the
templatemode and set, for example,/bin/bashas shell and/home/%Uas home directory path:
- To enable the
# Template settings for login shell and home directory winbind nss info = template template shell = /bin/bash template homedir = /home/%U
- The values will be applied to all users in all domains that have the
schema_mode = templateparameter set. Samba resolves the%Uvariable to the session user name. For details, see theVARIABLE SUBSTITUTIONSsection in thesmb.conf(5)man page.
- The values will be applied to all users in all domains that have the
- To enable the
rfc2307mode, set:
- To enable the
winbind nss info = rfc2307
- Reload Samba:
# smbcontrol all reload-config
For further details, see the smb.conf(5) and idmap_ad(5) man page.
Using the ad Back End on a Samba AD Domain Controller
Samba 4.0 and 4.1 used a new Winbind implementation built into the samba command. However, this implementation never worked correctly. For this reason, Samba 4.2 enabled the winbindd utility to be used on domain controllers (DC).
 | If you run a Samba version prior 4.2, update to a supported version before using the ad back end on a Samba Active Directory (AD) DC. For details, see Updating Samba. |
To set up the ad ID mapping back end locally on a Samba AD DC, verify that you are not using the unsupported samba built-in Winbind implementation. If the server services parameter in your smb.conf file lists the option winbind, replace it with winbindd:
server services = ...,winbind,winbindd,...
If you do not have the server services parameter in your smb.conf file or it already lists the winbindd option, Samba automatically starts the winbindd service on Samba 4.2 and later when the samba service is started.
To verify that the winbindd service is started as a subprocess of the samba process, enter:
# ps axf ... 2156 ? Ss 0:00 /usr/local/samba/sbin/samba -D 2158 ? S 0:00 \_ /usr/local/samba/sbin/samba -D 2172 ? R 0:00 \_ /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground ...
| Do not start the winbindd service manually on a Samba AD DC. |