Idmap config ad: Difference between revisions
From SambaWiki
Mmuehlfeld (talk | contribs) m (Mmuehlfeld moved page RFC2307 backend to Idmap config ad: Rename page for new wiki structure) |
Mmuehlfeld (talk | contribs) (Complete rewrite of the "idmap config ad" page. More and detailed information, restructured and cleaned up.) |
||
| Line 1: | Line 1: | ||
= Introduction = |
= Introduction = |
||
The "idmap_ad" module implements an read-only API to retrieve information from Active Directory. It can be used in two ways: |
|||
[https://www.rfc-editor.org/rfc/rfc2307.txt RFC2307] defines the possibility to store e. g. user and group information in an LDAP directory. This allows central administration with several [[#Advantages|advantages]]. |
|||
* '''winbind nss info = rfc2307''' |
|||
RFC2307 attributes are usable by default in a Samba Active Directory. This documentation describes how to make account and group information available on [[Setup_a_Samba_AD_Member_Server|Member Servers]] and >= 4.2.0 DCs via [[Winbind|Winbindd]] using RFC2307. |
|||
:Retrieve individual settings for users (UID, Login Shell, Home Directory, Primary Group) and groups (GID) from AD |
|||
:* <u>Advantages:</u> |
|||
::* Central administration of IDs inside Active Directory |
|||
::* Consistend IDs on all Domain Members that use idmap_ad |
|||
::* Fast setting of attributes: Groups only need a GID assigned, new users UID, NIS domain, login shell, home directory and primary group |
|||
::* Central management prevents the necessity for local ID mappings, that may cause loosing file ownership if the local database corrupts. |
|||
::* Individual login shells and home directory pathes for users |
|||
::* Login shell and home directory settings are the same on all Domain Members using idmap_ad with winbind nss info = rfc2307 |
|||
::* Easy [[Administer_Unix_Attributes_in_Active_Directory_via_RFC2307|user/group management via Active Directory Users and Computers (ADUC)]], which is part of [[Installing RSAT|RSAT]]. |
|||
:* <u>Disadvantages:</u> |
|||
::* RFC2307 values need to be set once in AD for each user/group |
|||
Since Samba 4.2.0, Winbindd (as used on a member server) is now used by default on a Samba Domain Controller. Previous version were shipped with Winbind - an implementation that was dropped because it doesn't have the same quality and feature set of Winbindd. On Samba 4.2.0 or later, the Samba team advice is to only use Winbindd. If you're running 4.0 or 4.1, choose one of the alternatives [[Sssd|sssd]] or [[Nslcd|nslcd]]. |
|||
* '''winbind nss info = template''' |
|||
:Retrieve just UID and GID values from AD and set the values for login shell and home directory to a common setting for all users on that host |
|||
:* <u>Advantages:</u> |
|||
::* Central administration of IDs inside Active Directory |
|||
::* Consistend IDs on all Domain Members that use idmap_ad |
|||
::* Fast setting of attributes: Users/groups only need a UID/GID assigned in AD |
|||
::* Central management prevents the necessity for local ID mappings, that may cause loosing file ownership if the local database corrupts |
|||
:* <u>Disadvantages:</u> |
|||
::* All users have the same login shell (e. g. /bin/bash or /sbin/nologin) and home directory base path (e. g. /home/...) |
|||
::* Manual counting of ID values is required to avoid duplicates |
|||
::* UID/GID values need to be set once in AD for each user/group |
|||
For both configurations, [https://www.rfc-editor.org/rfc/rfc2307.txt RFC2307] is relevant. It describes the possibility to store e. g. user and group information in an LDAP directory to allow central administration with several advantages (see above). |
|||
= Advantages = |
|||
* Central administration of users (UID, Login Shell, Home Directory, Primary Group) and groups (GID) directly in Active Directory. |
|||
= winbind nss info = rfc2307 = |
|||
* Consistent user and group information accross multiple machines. |
|||
== Prerequisites == |
|||
* Individual settings for users (e. g. for Login Shell). Other mapping technologies typically use global template settings for all accounts on a host. |
|||
* [[Setting_up_RFC2307_in_AD#Check_if_NIS_Extensions_are_installed_in_your_Directory|NIS extensions]] installed in AD and [[Setting_up_RFC2307_in_AD#Check_if_RFC2307_is_used_by_your_Domain_Controllers|RFC2307 enabled]] in each DCs smb.conf |
|||
* Central management prevents the necessity for local ID mappings, that may cause loosing file ownership if the local database corrupts. |
|||
* [[Administer_Unix_Attributes_in_Active_Directory_via_RFC2307|Users and groups have RFC2307 attributes set]] in AD |
|||
* Easy user/group management via the default Microsoft tools (e. g. Active Directory Users and Computers), which are part of [[Installing RSAT|RSAT]]. |
|||
* If administered via ADUC and [[General_information_on_RFC2307|enabled NIS extensions]], there's no need for manual ID counting. E. g. the next free UID and GID is stored directly in Active Directory and will be incremented then creating a new user or group. |
|||
== smb.conf settings == |
|||
Add the following to the [global] section of your smb.conf: |
|||
[global] |
|||
... |
|||
# '''Important: The ranges of the default (*) idmap config''' |
|||
# '''and the domain(s) <u>must not</u> overlap!''' |
|||
# Default idmap config used for BUILTIN and local accounts/groups |
|||
idmap config *:backend = tdb |
|||
idmap config *:range = 2000-9999 |
|||
# idmap config for domain SAMDOM |
|||
idmap config SAMDOM:backend = ad |
|||
idmap config SAMDOM:schema_mode = rfc2307 |
|||
idmap config SAMDOM:range = 10000-99999 |
|||
# Use template settings for login shell and home directory |
|||
winbind nss info = rfc2307 |
|||
See the manpage of smb.conf and idmap_ad for the used parameters and options. The range of the domain idmap config defines the lowest up to the highest UID/GID, that will ever be used in this domain. If you're having higher or lower IDs, nothing won't be retrieved! Ask your AD Administrator if unsure which range to set. |
|||
= General information about the Samba idmap_ad backend for Winbindd = |
|||
The idmap_ad plugin will ultimately provide a way for Winbindd to read id mappings from an AD server that uses RFC2307/SFU schema extensions. This module implements only the "idmap" API, and is read-only. Mappings must be provided in advance by the administrator by adding the uidNumber attributes for users and gidNumber attributes for groups in the AD. Winbindd will only map users that have a uidNumber and whose primary group has a gidNumber attribute set. It is however recommended that all groups in use have a gidNumber attribute assigned, otherwise they will not work. |
|||
See the manpage of idmap_ad for further information. |
|||
= winbind nss info = template = |
|||
== Prerequisites == |
|||
* Users have the uidNumber attribute set in AD |
|||
* Groups have the gidNumber attribute set in AD (at least needed for users primary group) |
|||
= Using Winbindd on a Samba DC = |
|||
<u>Additional information:</u> |
|||
On a DC, UID/GID resolving to user/groupnames on the OS side is optional. If you're fine with seeing UIDs/GIDs on your DC, instead of user/groupnames, no further action is required. However if you want to have user/groupnames displayed on 'ls', etc., you can choose to do it via Winbindd (see this section), [[Nslcd|nslcd]] or [[Sssd|sssd]]. |
|||
The uidNumber and gidNumber attributes are part of the Samba AD schema. There's no need for having the [[Setting_up_RFC2307_in_AD#Check_if_NIS_Extensions_are_installed_in_your_Directory|NIS extensions]] installed. Anyway there are a few things to mention: |
|||
Since Samba 4.2.0, Winbindd is now used on a Samba Domain Controller, instead of the winbind built into the "samba" process. If you upgrade from an earlier version and have a "server services" line in the smb.conf on your DC, you need to replace the "winbind" entry with "winbindd": |
|||
* IDs have to be incremented manually and it's the AD administrators responsibility, to avoid duplicates or reusing IDs. User/groups having the same IDs like existing or alumni ones, will own and have access to the same files/directories! |
|||
[global] |
|||
* You can't use the "UNIX attributes" tab in ADUC, if [[Setting_up_RFC2307_in_AD#Check_if_NIS_Extensions_are_installed_in_your_Directory|NIS extensions]] aren't installed. You need to assign the IDs via the attributes listing in the identically named tab of ADUC, via samba-tool during user creation or afterwards using ldbedit. |
|||
... |
|||
server services = ....., <s>winbind,</s> <u>winbindd</u> |
|||
If you do not have a "server services" line, you don't need any changes. Winbindd is enabled by default for the "server services" parameter. |
|||
Winbindd is now automatically started by the "samba" process on startup as a child process and should not to be run manually! |
|||
== smb.conf settings == |
|||
= Configuring RFC2307 backend for Winbindd on a Member Server = |
|||
Add the following to the [global] section of your smb.conf: |
Add the following to the [global] section of your smb.conf: |
||
[global] |
|||
# '''Important: The ranges of the default (*) backend''' |
|||
... |
|||
# '''and the domain(s) <u>must not</u> overlap!''' |
|||
# '''Important: The ranges of the default (*) idmap config''' |
|||
# '''and the domain(s) <u>must not</u> overlap!''' |
|||
# '''Note: none of this will work yet on a DC! |
|||
# Default idmap config used for BUILTIN and local accounts/groups |
|||
# Retrieve UIDs/GIDs for domain SAMDOM from AD, via RFC2307. |
|||
idmap config *:backend = tdb |
|||
# The range value defines the lowest RID up to the highest, |
|||
idmap config *:range = 2000-9999 |
|||
# that will ever be used in this domain. Ask your AD Domain |
|||
# Administrator, if you don't know which range to define. |
|||
idmap config SAMDOM:backend = ad |
|||
idmap config SAMDOM:schema_mode = rfc2307 |
|||
idmap config SAMDOM:range = 10000-40000 |
|||
# idmap config for domain SAMDOM |
|||
# Store UIDs/GIDs for all other domains (including local |
|||
idmap config SAMDOM:backend = ad |
|||
# accounts/groups of this server) in a tdb file |
|||
idmap config |
idmap config SAMDOM:schema_mode = rfc2307 |
||
idmap config |
idmap config SAMDOM:range = 10000-99999 |
||
# Use |
# Use template settings for login shell and home directory |
||
winbind nss info = |
winbind nss info = template |
||
template shell = /sbin/nologin |
|||
template homedir = /home/%U |
|||
See the manpage of smb.conf and idmap_ad for the used parameters and options. The range of the domain idmap config defines the lowest up to the highest UID/GID, that will ever be used in this domain. If you're having higher or lower IDs, nothing won't be retrieved! Ask your AD Administrator if unsure which range to set. |
|||
See the manpage of smb.conf for additional winbindd parameters and their meanings. |
|||
| Line 88: | Line 117: | ||
= Using idmap_ad on a Samba DC = |
|||
= Administering Unix Attributes in Active Directory = |
|||
''Skip this section if configuring idmap_ad on a Domain Member.'' |
|||
Since Samba 4.2, Winbindd is now used on a Samba Domain Controller, instead of the Winbind built into the "samba" binary. It was decited to stop the development of the built-in Winbind, because it doesn't had the same quality and feature set like Winbindd. Users running 4.0 or 4.1 should update to 4.2 or later to use Winbindd with idmap_ad or choose one of the alternatives: [[Sssd|sssd]] or [[Nslcd|nslcd]]. |
|||
If you upgrade your DC from an earlier version and have a "server services" line in your smb.conf, you need to replace the "winbind" entry with "winbindd": |
|||
[global] |
|||
... |
|||
server services = ....., <s>winbind,</s> winbindd |
|||
If you don't have a "server services" line, no changes are required. The default value of the "server services" parameter enables Winbindd by default. |
|||
Winbindd is now automatically started as a child process by the "samba" binary on startup and should not to be run manually! |
|||
# ps axf |
|||
See [[Administer_Unix_Attributes_in_Active_Directory_via_RFC2307|Administer_Unix_Attributes_in_Active_Directory]]. |
|||
... |
|||
2156 ? Ss 0:00 /usr/local/samba/sbin//samba -D |
|||
... |
|||
2158 ? S 0:00 \_ /usr/local/samba/sbin//samba -D |
|||
2172 ? R 0:00 \_ /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground |
|||
... |
|||
Revision as of 17:11, 18 October 2015
Introduction
The "idmap_ad" module implements an read-only API to retrieve information from Active Directory. It can be used in two ways:
- winbind nss info = rfc2307
- Retrieve individual settings for users (UID, Login Shell, Home Directory, Primary Group) and groups (GID) from AD
- Advantages:
- Central administration of IDs inside Active Directory
- Consistend IDs on all Domain Members that use idmap_ad
- Fast setting of attributes: Groups only need a GID assigned, new users UID, NIS domain, login shell, home directory and primary group
- Central management prevents the necessity for local ID mappings, that may cause loosing file ownership if the local database corrupts.
- Individual login shells and home directory pathes for users
- Login shell and home directory settings are the same on all Domain Members using idmap_ad with winbind nss info = rfc2307
- Easy user/group management via Active Directory Users and Computers (ADUC), which is part of RSAT.
- Disadvantages:
- RFC2307 values need to be set once in AD for each user/group
- winbind nss info = template
- Retrieve just UID and GID values from AD and set the values for login shell and home directory to a common setting for all users on that host
- Advantages:
- Central administration of IDs inside Active Directory
- Consistend IDs on all Domain Members that use idmap_ad
- Fast setting of attributes: Users/groups only need a UID/GID assigned in AD
- Central management prevents the necessity for local ID mappings, that may cause loosing file ownership if the local database corrupts
- Disadvantages:
- All users have the same login shell (e. g. /bin/bash or /sbin/nologin) and home directory base path (e. g. /home/...)
- Manual counting of ID values is required to avoid duplicates
- UID/GID values need to be set once in AD for each user/group
For both configurations, RFC2307 is relevant. It describes the possibility to store e. g. user and group information in an LDAP directory to allow central administration with several advantages (see above).
winbind nss info = rfc2307
Prerequisites
- NIS extensions installed in AD and RFC2307 enabled in each DCs smb.conf
- Users and groups have RFC2307 attributes set in AD
smb.conf settings
Add the following to the [global] section of your smb.conf:
[global]
...
# Important: The ranges of the default (*) idmap config
# and the domain(s) must not overlap!
# Default idmap config used for BUILTIN and local accounts/groups
idmap config *:backend = tdb
idmap config *:range = 2000-9999
# idmap config for domain SAMDOM
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = 10000-99999
# Use template settings for login shell and home directory
winbind nss info = rfc2307
See the manpage of smb.conf and idmap_ad for the used parameters and options. The range of the domain idmap config defines the lowest up to the highest UID/GID, that will ever be used in this domain. If you're having higher or lower IDs, nothing won't be retrieved! Ask your AD Administrator if unsure which range to set.
winbind nss info = template
Prerequisites
- Users have the uidNumber attribute set in AD
- Groups have the gidNumber attribute set in AD (at least needed for users primary group)
Additional information:
The uidNumber and gidNumber attributes are part of the Samba AD schema. There's no need for having the NIS extensions installed. Anyway there are a few things to mention:
- IDs have to be incremented manually and it's the AD administrators responsibility, to avoid duplicates or reusing IDs. User/groups having the same IDs like existing or alumni ones, will own and have access to the same files/directories!
- You can't use the "UNIX attributes" tab in ADUC, if NIS extensions aren't installed. You need to assign the IDs via the attributes listing in the identically named tab of ADUC, via samba-tool during user creation or afterwards using ldbedit.
smb.conf settings
Add the following to the [global] section of your smb.conf:
[global]
...
# Important: The ranges of the default (*) idmap config
# and the domain(s) must not overlap!
# Default idmap config used for BUILTIN and local accounts/groups
idmap config *:backend = tdb
idmap config *:range = 2000-9999
# idmap config for domain SAMDOM
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = 10000-99999
# Use template settings for login shell and home directory
winbind nss info = template
template shell = /sbin/nologin
template homedir = /home/%U
See the manpage of smb.conf and idmap_ad for the used parameters and options. The range of the domain idmap config defines the lowest up to the highest UID/GID, that will ever be used in this domain. If you're having higher or lower IDs, nothing won't be retrieved! Ask your AD Administrator if unsure which range to set.
Using idmap_ad on a Samba DC
Skip this section if configuring idmap_ad on a Domain Member.
Since Samba 4.2, Winbindd is now used on a Samba Domain Controller, instead of the Winbind built into the "samba" binary. It was decited to stop the development of the built-in Winbind, because it doesn't had the same quality and feature set like Winbindd. Users running 4.0 or 4.1 should update to 4.2 or later to use Winbindd with idmap_ad or choose one of the alternatives: sssd or nslcd.
If you upgrade your DC from an earlier version and have a "server services" line in your smb.conf, you need to replace the "winbind" entry with "winbindd":
[global]
...
server services = ....., winbind, winbindd
If you don't have a "server services" line, no changes are required. The default value of the "server services" parameter enables Winbindd by default.
Winbindd is now automatically started as a child process by the "samba" binary on startup and should not to be run manually!
# ps axf ... 2156 ? Ss 0:00 /usr/local/samba/sbin//samba -D ... 2158 ? S 0:00 \_ /usr/local/samba/sbin//samba -D 2172 ? R 0:00 \_ /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground ...