Idmap config ad: Difference between revisions

From SambaWiki
m (Updated link)
m (/* added note about not giving Administrator a uidNumber attribute)
Line 46: Line 46:
:* Any users that you want to be visible on a Unix domain member must have a uidNumber attribute containing a unique number inside the range set in smb.conf
:* Any users that you want to be visible on a Unix domain member must have a uidNumber attribute containing a unique number inside the range set in smb.conf
::i.e. '10000-99999' as shown in the example below.
::i.e. '10000-99999' as shown in the example below.
:* Do not give 'Administrator' a uidNumber attribute, this will turn 'Administrator' into a normal Unix user.
* '''Groups have the gidNumber attribute set in AD''' (at least the users primary group, usually Domain Users)
* '''Groups have the gidNumber attribute set in AD''' (at least the users primary group, usually Domain Users)
:* You '''must''' set a gidNumber attribute on Domain Users, it must contain a number inside the range set in smb.conf.
:* You '''must''' set a gidNumber attribute on Domain Users, it must contain a number inside the range set in smb.conf.
Line 88: Line 89:
:* Any users that you want to be visible on a Unix domain member must have a uidNumber attribute containing a unique number inside the range set in smb.conf
:* Any users that you want to be visible on a Unix domain member must have a uidNumber attribute containing a unique number inside the range set in smb.conf
::i.e. '10000-99999' as shown in the example below.
::i.e. '10000-99999' as shown in the example below.
:* Do not give 'Administrator' a uidNumber attribute, this will turn 'Administrator' into a normal Unix user.
* '''Groups have the gidNumber attribute set in AD''' (at least the users primary group, usually Domain Users)
* '''Groups have the gidNumber attribute set in AD''' (at least the users primary group, usually Domain Users)
:* You '''must''' set a gidNumber attribute on Domain Users, it must contain a number inside the range set in smb.conf.
:* You '''must''' set a gidNumber attribute on Domain Users, it must contain a number inside the range set in smb.conf.

Revision as of 08:43, 24 November 2016

Introduction

The "idmap_ad" module implements a read-only API to retrieve information from Active Directory. It can be used in two ways:

  • winbind nss info = rfc2307
Retrieve individual settings for users (UID, Login Shell, Home Directory, Primary Group) and groups (GID) from AD
  • Advantages:
  • Central administration of IDs inside Active Directory
  • Consistent IDs on all Domain Members that use idmap_ad
  • Fast setting of attributes: Groups only need a GID assigned, new users UID, NIS domain, login shell, home directory and primary group
  • Central management removes the necessity for local ID mappings that may lead to file ownership lose, if the local database corrupts.
  • Individual login shells and home directory paths for users
  • Login shell and home directory settings are the same on all Domain Members using idmap_ad with winbind nss info = rfc2307
  • Easy user/group management using Active Directory Users and Computers (ADUC), which is part of RSAT.
  • No manual counting of ID values is required to avoid duplicated if using ADUC
  • Disadvantages:
  • If not using ADUC, manual counting of ID values is required to avoid duplicates
  • RFC2307 values need to be set once in AD for each user/group


  • winbind nss info = template
Retrieve just UID and GID values from AD and set the values for login shell and home directory to a common setting for all users on that host
  • Advantages:
  • Central administration of IDs inside Active Directory
  • Consistent IDs on all Domain Members that use idmap_ad
  • Fast setting of attributes: Users/groups only need a UID/GID assigned in AD
  • Central management removes the necessity for local ID mappings that may lead to file ownership lose, if the local database corrupts
  • Disadvantages:
  • All users have the same login shell (e. g. /bin/bash or /sbin/nologin) and home directory base path (e. g. /home/...)
  • Manual counting of ID values is required to avoid duplicates
  • UID/GID values need to be set once in AD for each user/group


For both configurations, RFC2307 is relevant. It describes the possibility to store e. g. user and group information in an LDAP directory to allow central administration with several advantages (see above).



winbind nss info = rfc2307

Prerequisites

  • RFC2307 enabled in each DCs smb.conf
  • Users have the uidNumber attribute set in AD
  • Any users that you want to be visible on a Unix domain member must have a uidNumber attribute containing a unique number inside the range set in smb.conf
i.e. '10000-99999' as shown in the example below.
  • Do not give 'Administrator' a uidNumber attribute, this will turn 'Administrator' into a normal Unix user.
  • Groups have the gidNumber attribute set in AD (at least the users primary group, usually Domain Users)
  • You must set a gidNumber attribute on Domain Users, it must contain a number inside the range set in smb.conf.
  • Optional: NIS extensions. Only required for ADUC, e. g. to track the last assigned uidNumber. If the ADUC console is not used, the NIS extensions are not required.


smb.conf settings

Add the following to the [global] section of your smb.conf:

[global]
       ...
       # Do not use these lines on a DC, they will do NOTHING!
                                                                    
       # Important: The ranges of the default (*) idmap config
       # and the domain(s) must not overlap!
                                                                        
       # Default idmap config used for BUILTIN and local windows accounts/groups
       idmap config *:backend = tdb
       idmap config *:range = 2000-9999

       # idmap config for domain SAMDOM
       idmap config SAMDOM:backend = ad
       idmap config SAMDOM:schema_mode = rfc2307
       idmap config SAMDOM:range = 10000-99999

       # Use settings from AD for login shell and home directory
       winbind nss info = rfc2307

See the manpage of smb.conf and idmap_ad for information about the parameters and options used. The range of the domain idmap config defines the lowest to the highest UID/GID that will ever be used in this domain. If you have any higher or lower IDs, they won't be retrieved! Ask your AD Administrator if unsure which range to set.



winbind nss info = template

Prerequisites

  • Users have the uidNumber attribute set in AD
  • Any users that you want to be visible on a Unix domain member must have a uidNumber attribute containing a unique number inside the range set in smb.conf
i.e. '10000-99999' as shown in the example below.
  • Do not give 'Administrator' a uidNumber attribute, this will turn 'Administrator' into a normal Unix user.
  • Groups have the gidNumber attribute set in AD (at least the users primary group, usually Domain Users)
  • You must set a gidNumber attribute on Domain Users, it must contain a number inside the range set in smb.conf.


Additional information:

The uidNumber and gidNumber attributes are part of the Samba AD schema. There's no need to have the NIS extensions installed. Anyway there are a few things to mention:

  • IDs have to be incremented manually and it's the AD administrators responsibility to avoid duplicates or reusing IDs. User/groups having the same IDs as existing or alumni ones, will own and have access to the same files/directories!
  • You can't use the "UNIX attributes" tab in ADUC, if NIS extensions aren't installed. You need to assign the IDs using the attributes listing in the identically named tab of ADUC, using samba-tool during user creation or afterwards using ldbedit.


smb.conf settings

Add the following to the [global] section of your smb.conf:

[global]
       ...
       # Do not use these lines on a DC, they will do NOTHING!
                                                                      
       # Important: The ranges of the default (*) idmap config
       # and the domain(s) must not overlap!
                                                                                                                             
       # Default idmap config used for BUILTIN and local accounts/groups
       idmap config *:backend = tdb
       idmap config *:range = 2000-9999

       # idmap config for domain SAMDOM
       idmap config SAMDOM:backend = ad
       idmap config SAMDOM:schema_mode = rfc2307
       idmap config SAMDOM:range = 10000-99999

       # Use template settings for login shell and home directory
       winbind nss info = template
       template shell = /sbin/nologin
       template homedir = /home/%U

See the manpage of smb.conf and idmap_ad for information about the parameters and options used. The range of the domain idmap config defines the lowest to the highest UID/GID that will ever be used in this domain. If you have any higher or lower IDs, they won't be retrieved! Ask your AD Administrator if unsure which range to set.



Using idmap_ad on a Samba DC

Skip this section if configuring idmap_ad on a Domain Member.

Since Samba 4.2, Winbindd is now used on a Samba Domain Controller, instead of the Winbind built into the "samba" binary. It was decided to stop the development of the built-in Winbind, because it doesn't had the same quality and feature set as Winbindd. Users running 4.0 or 4.1 should update to 4.2 or later to use Winbindd with idmap_ad.

If you upgrade your DC from an earlier version and have a "server services" line in your smb.conf, you need to replace the "winbind" entry with "winbindd":

[global]
       ...
       server services = ....., winbind, winbindd

If you haven’t got a "server services" line, no changes are required. The default value of the "server services" parameter is to enable Winbindd.

Winbindd is now automatically started as a child process by the "samba" binary on startup and should not be started manually!

# ps axf
...
2156 ?        Ss     0:00 /usr/local/samba/sbin//samba -D
...
2158 ?        S      0:00  \_ /usr/local/samba/sbin//samba -D
2172 ?        R      0:00      \_ /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
...