Idmap config ad: Difference between revisions

From SambaWiki
m (Rephrased sentence to be more clear.)
m (/* Update for 4.6.0)
Line 60: Line 60:




= The <code>RFC2307</code> and <code>template</code> <code>winbind NSS info</code> Mode Options =
= The <code>RFC2307</code> and <code>template</code> Mode Options =

'''Before Samba version 4.6.0:'''



The <code>ad</code> ID mapping back end supports two modes, set in the <code>winbind nss info</code> parameter in the <code>[global]</code> section of the <code>smb.conf</code> file:
The <code>ad</code> ID mapping back end supports two modes, set in the <code>winbind nss info</code> parameter in the <code>[global]</code> section of the <code>smb.conf</code> file:
Line 74: Line 77:




'''From Samba version 4.6.0:'''


You no longer use the <code>winbind nss info</code> parameter, it has been replaced by <code>idmap config DOMAIN : unix_nss_info</code>

The <code>ad</code> ID mapping back end supports two modes, set in the <code>idmap config DOMAIN : unix_nss_info</code> parameter in the <code>[global]</code> section of the <code>smb.conf</code> file:

* <code>idmap config DOMAIN : unix_nss_info = yes</code>: All information is read from Active Directory (AD):
:* Users: Account name, UID, login shell, home directory path, and primary group.
:* Groups: Group name and GID.
;* These settings are set on a DOMAIN basis, this means you can have different settings for each DOMAIN.
:* If a user lacks the RFC2307 attributes, the login shell and home directory are automatically set by user-independent settings in the <code>smb.conf</code> file.

* <code>idmap config DOMAIN : unix_nss_info = no</code>: Only the following values are read from AD:
:* Users: Account name, UID, and primary group.
:: The login shell and home directory are automatically set by user-independent settings in the <code>smb.conf</code> file.
:* Groups: Group name and GID
:* This is the default setting.


There is now a new setting <code>unix_primary_group</code>, this allows you to use another group for the users primary group instead of Domain Users.
:* If this is set with <code>unix_primary_group = yes</code>, the users primary group is obtained from the gidNumber attribute found in the users AD object.
:* If this is set with <code>unix_primary_group = no</code>, the users primary group is calculated via the "primaryGroupID" attribute.
:* The default is 'no'




Line 105: Line 132:


# Template settings for login shell and home directory
# Template settings for login shell and home directory
winbind nss info = template
template shell = /bin/bash
template shell = /bin/bash
template homedir = /home/%U
template homedir = /home/%U


:: The settings are applied to all users in each domain that has the <code>schema_mode = rfc2307</code> parameter set. In Samba 4.6 and later, the global template settings can be overwritten on a domain-basis by enabling the <code>idmap config ''domain_name'':unix_nss_info</code> parameter.
:: The settings are applied to all users in each domain that has the <code>schema_mode = rfc2307</code> parameter set. From Samba 4.6.0, the global template settings can be overwritten on a domain-basis by enabling the <code>idmap config ''domain_name'':unix_nss_info</code> parameter.


:: Samba resolves the <code>%U</code> variable to the session user name. For details, see the <code>VARIABLE SUBSTITUTIONS</code> section in the <code>smb.conf(5)</code> man page.
:: Samba resolves the <code>%U</code> variable to the session user name. For details, see the <code>VARIABLE SUBSTITUTIONS</code> section in the <code>smb.conf(5)</code> man page.


:* To enable retriving shell and home directory from Active Directory (AD), set the following value in the <code>[global]</code> section in your <code>smb.conf</code> file:
:* To enable retrieving shell and home directory from Active Directory (AD), set the following value in the <code>[global]</code> section in your <code>smb.conf</code> file:
::* On Samba 4.6 and later, enable this feature on a per-domain basis:
::* From Samba 4.6.0, enable this feature on a per-domain basis:


idmap config SAMDOM:unix_nss_info = yes
idmap config SAMDOM:unix_nss_info = yes

Revision as of 08:55, 19 June 2017

Introduction

The ad ID mapping back end implements a read-only API to read account and group information from Active Directory (AD). The back end is based on RFC 2307. For further details, see https://www.rfc-editor.org/rfc/rfc2307.txt.

For alternatives, see Identity Mapping Back Ends.



Advantages and Disadvantages of the ad Back End

Advantages:

  • Central administration of IDs inside Active Directory (AD).
  • Consistent IDs on all Samba clients and servers using the ad back end.
  • The required attributes only need creating once, this can be done when the user or group is created
  • IDs are not stored in a local database that can corrupt and thus file ownerships are not lost.

Disadvantages:

  • If the Windows Active Directory Users and Computers (ADUC) program is not used, you have to manual track ID values to avoid duplicates.
  • The values for the RFC2307 attributes must be set manually.

Winbind NSS info mode-specific features:

  • rfc2307: Individual login shells and home directory paths for users.
  • template: The login shells and home directory base paths are the same for all users.



Planning the ID Ranges

Before configuring the ad back end in the smb.conf file, you must select unique ID ranges for each domain. The ranges must be continuous and big enough to enable Samba to assign an ID for every future user and group created in the domain.



Prerequisites

To enable Samba to retrieve user and group information from Active Directory (AD):

  • Users must have at least the uidNumber and groups the gidNumber attribute set. When using the rfc2307 winbind NSS info mode, user accounts must also have the loginShell, unixHomeDirectory and primaryGroupID set.
  • The user and group IDs must be within the range configured in the smb.conf for this domain.
  • If the Active Directory Users and Groups (ADUC) utility is used to assign the UNIX attributes, the NIS extensions have to be installed. For details, see Setting up RFC2307 in AD.
  • User IDs must be unique for all users and group IDs for all groups. Duplicate IDs or reusing IDs of previously deleted accounts enable the new user or group to access files created by the previous ID owner. When using the ADUC utility, the IDs are automatically tracked inside AD and incremented when creating a new user or group.



The RFC2307 and template Mode Options

Before Samba version 4.6.0:


The ad ID mapping back end supports two modes, set in the winbind nss info parameter in the [global] section of the smb.conf file:

  • winbind nss info = rfc2307: All information is read from Active Directory (AD):
  • Users: Account name, UID, login shell, home directory path, and primary group.
  • Groups: Group name and GID.
  • winbind nss info = template: Only the following values are read from AD:
  • Users: Account name, UID, and primary group.
The login shell and home directory are automatically set by user-independent settings in the smb.conf file.
  • Groups: Group name and GID


From Samba version 4.6.0:


You no longer use the winbind nss info parameter, it has been replaced by idmap config DOMAIN : unix_nss_info

The ad ID mapping back end supports two modes, set in the idmap config DOMAIN : unix_nss_info parameter in the [global] section of the smb.conf file:

  • idmap config DOMAIN : unix_nss_info = yes: All information is read from Active Directory (AD):
  • Users: Account name, UID, login shell, home directory path, and primary group.
  • Groups: Group name and GID.
  • These settings are set on a DOMAIN basis, this means you can have different settings for each DOMAIN.
  • If a user lacks the RFC2307 attributes, the login shell and home directory are automatically set by user-independent settings in the smb.conf file.
  • idmap config DOMAIN : unix_nss_info = no: Only the following values are read from AD:
  • Users: Account name, UID, and primary group.
The login shell and home directory are automatically set by user-independent settings in the smb.conf file.
  • Groups: Group name and GID
  • This is the default setting.


There is now a new setting unix_primary_group, this allows you to use another group for the users primary group instead of Domain Users.

  • If this is set with unix_primary_group = yes, the users primary group is obtained from the gidNumber attribute found in the users AD object.
  • If this is set with unix_primary_group = no, the users primary group is calculated via the "primaryGroupID" attribute.
  • The default is 'no'


Configuring the ad Back End

  • Set the following in the [global] section of your smb.conf file:
  • If no back end for local BUILTIN accounts and groups on the domain member is configured, add the tdb back end for the * default domain and set an ID range. For example:
# Default idmap config for local BUILTIN accounts and groups
idmap config * : backend = tdb
idmap config * : range = 3000-7999
Setting the default back end is mandatory.
  • To configure the ad back end using the 10000-999999 ID range for the SAMDOM domain:
# idmap config for the SAMDOM domain
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = 10000-999999
  • Configure the Winbind NSS info mode:
  • To enable the template mode and set, for example, /bin/bash as shell and /home/%U as home directory path:
# Template settings for login shell and home directory
template shell = /bin/bash
template homedir = /home/%U
The settings are applied to all users in each domain that has the schema_mode = rfc2307 parameter set. From Samba 4.6.0, the global template settings can be overwritten on a domain-basis by enabling the idmap config domain_name:unix_nss_info parameter.
Samba resolves the %U variable to the session user name. For details, see the VARIABLE SUBSTITUTIONS section in the smb.conf(5) man page.
  • To enable retrieving shell and home directory from Active Directory (AD), set the following value in the [global] section in your smb.conf file:
  • From Samba 4.6.0, enable this feature on a per-domain basis:
idmap config SAMDOM:unix_nss_info = yes
  • on Samba 4.5 and previous, set this feature globally for all domains:
winbind nss info = rfc2307
  • Using the defaults, Samba sets the Windows primary group as primary group for mapped domain user entries on Unix. The Windows primary group is retrieved from the primaryGroupID attribute of each user entry and usually is set to the Domain Users group SID. If you are running Samba 4.6 or later, you can optionally configure Samba to use instead the primary group set in the gidNumber attribute in the users entry. For example, when using the Active Directory Users and Computers application, this attribute is displayed in the UNIX Attributes tab.
To use the group ID set in the gidNumber attribute as primary group for each user instead the Windows primary group set in primaryGroupID, enable the following parameter in the [global] section in your smb.conf file:
idmap config SAMDOM:unix_primary_group = yes
  • Reload Samba:
# smbcontrol all reload-config

For further details, see the smb.conf(5) and idmap_ad(5) man page.