Idmap config ad

Revision as of 17:43, 18 October 2015 by Hortimech (talk | contribs) (Prerequisites: grammar)

Introduction

The "idmap_ad" module implements a read-only API to retrieve information from Active Directory. It can be used in two ways:

  • winbind nss info = rfc2307
    Retrieve individual settings for users (UID, login shell, home directory, primary group) and groups (GID) from AD
    • Advantages:
      • Central administration of IDs inside Active Directory
      • Consistent IDs on all Domain Members that use idmap_ad
      • Fast setting of attributes: groups only need a GID assigned; new users need a UID, NIS domain, login shell, home directory and primary group
      • Central management removes the need for local ID mappings, which can cause loss of file ownership if the local database becomes corrupted.
      • Individual login shells and home directory paths for users
      • Login shell and home directory settings are the same on all Domain Members using idmap_ad with winbind nss info = rfc2307
      • Easy user/group management via Active Directory Users and Computers (ADUC), which is part of RSAT.
    • Disadvantages:
      • RFC2307 values need to be set once in AD for each user/group


  • winbind nss info = template
    Retrieve just the UID and GID values from AD and set the login shell and home directory to a common setting for all users on that host
    • Advantages:
      • Central administration of IDs inside Active Directory
      • Consistent IDs on all Domain Members that use idmap_ad
      • Fast setting of attributes: users/groups only need a UID/GID assigned in AD
      • Central management removes the need for local ID mappings, which can cause loss of file ownership if the local database becomes corrupted
    • Disadvantages:
      • All users have the same login shell (e. g. /bin/bash or /sbin/nologin) and home directory base path (e. g. /home/...)
      • Manual counting of ID values is required to avoid duplicates
      • UID/GID values need to be set once in AD for each user/group


For both configurations, RFC2307 is relevant. It describes how user and group information (among other data) can be stored in an LDAP directory, allowing central administration with the advantages listed above.

winbind nss info = rfc2307

Prerequisites


smb.conf settings

Add the following to the [global] section of your smb.conf:

[global]
       ...
       # Important: The ranges of the default (*) idmap config
       # and the domain(s) must not overlap!

       # Default idmap config used for BUILTIN and local accounts/groups
       idmap config *:backend = tdb
       idmap config *:range = 2000-9999

       # idmap config for domain SAMDOM
       idmap config SAMDOM:backend = ad
       idmap config SAMDOM:schema_mode = rfc2307
       idmap config SAMDOM:range = 10000-99999

       # Use the RFC2307 attributes stored in AD for login shell and home directory
       winbind nss info = rfc2307

See the smb.conf and idmap_ad manpages for information about the parameters and options used. The range of the domain idmap config defines the lowest and highest UID/GID that will ever be used in this domain. Any IDs above or below that range will not be retrieved! Ask your AD administrator if you are unsure which range to set.
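The two constraints in the configuration above (the default and domain ranges must not overlap, and only IDs inside the domain range are ever mapped) are easy to get wrong and are only discovered when a user fails to resolve. The following added example, which is not part of this wiki page or of Samba, parses the idmap ranges out of smb.conf text, reports overlapping ranges, and lists which uidNumber/gidNumber values from AD would fall outside the domain range. The smb.conf text and the AD values (SAMPLE_SMB_CONF, SAMPLE_UIDS) are constructed sample data; the function names are the example's own.

```python
"""Check idmap ranges in an smb.conf [global] section (added example).

Parses every "idmap config <domain>:range" line, verifies that no two
ranges overlap, and reports AD uidNumber/gidNumber values that lie outside
the domain range (winbind will not map those, so the account will not
resolve on the Domain Member).
"""
import re
from typing import Dict, List, Tuple

# Constructed sample smb.conf text mirroring the settings in this section.
SAMPLE_SMB_CONF = """
[global]
       workgroup = SAMDOM
       idmap config *:backend = tdb
       idmap config *:range = 2000-9999
       idmap config SAMDOM:backend = ad
       idmap config SAMDOM:schema_mode = rfc2307
       idmap config SAMDOM:range = 10000-99999
       winbind nss info = rfc2307
"""

# Matches e.g. "idmap config SAMDOM:range = 10000-99999" (domain may be "*").
RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^:]+?)\s*:\s*range\s*=\s*(?P<lo>\d+)\s*-\s*(?P<hi>\d+)\s*$",
    re.IGNORECASE,
)


def parse_idmap_ranges(conf_text: str) -> Dict[str, Tuple[int, int]]:
    """Return {domain: (low, high)} for every idmap range line in the text."""
    ranges: Dict[str, Tuple[int, int]] = {}
    for line in conf_text.splitlines():
        m = RANGE_RE.match(line)
        if not m:
            continue
        lo, hi = int(m.group("lo")), int(m.group("hi"))
        if lo > hi:
            raise ValueError(f"invalid range for {m.group('dom')}: {lo}-{hi}")
        ranges[m.group("dom").strip()] = (lo, hi)
    return ranges


def overlapping_ranges(ranges: Dict[str, Tuple[int, int]]) -> List[Tuple[str, str]]:
    """Return every pair of idmap domains whose ranges overlap (should be empty)."""
    names = sorted(ranges)
    clashes = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            a_lo, a_hi = ranges[a]
            b_lo, b_hi = ranges[b]
            if a_lo <= b_hi and b_lo <= a_hi:
                clashes.append((a, b))
    return clashes


def ids_outside_range(ids: Dict[str, int], id_range: Tuple[int, int]) -> Dict[str, int]:
    """Return the {name: id} entries whose ID is not inside id_range."""
    lo, hi = id_range
    return {name: value for name, value in ids.items() if not lo <= value <= hi}


# Constructed AD uidNumber values; "svc-backup" is deliberately below the range.
SAMPLE_UIDS = {"demo01": 10000, "demo02": 10001, "svc-backup": 5000}

if __name__ == "__main__":
    found = parse_idmap_ranges(SAMPLE_SMB_CONF)
    print("ranges:  ", found)
    print("overlaps:", overlapping_ranges(found))
    print("unmapped:", ids_outside_range(SAMPLE_UIDS, found["SAMDOM"]))
```

Run it against the real file with `parse_idmap_ranges(open("/etc/samba/smb.conf").read())`; a non-empty overlap list or any entry in the unmapped set means the configuration needs to be fixed before users will resolve as expected.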

winbind nss info = template

Prerequisites

  • Users have the uidNumber attribute set in AD
  • Groups have the gidNumber attribute set in AD (at least required for each user's primary group)


Additional information:

The uidNumber and gidNumber attributes are part of the Samba AD schema. There's no need to have the NIS extensions installed. However, there are a few things to note:

  • IDs have to be incremented manually and it's the AD administrator's responsibility to avoid duplicates or reusing IDs. Users/groups that have the same IDs as existing or former ones will own and have access to the same files/directories!
  • You can't use the "UNIX Attributes" tab in ADUC if the NIS extensions aren't installed. You need to assign the IDs via the attribute listing in the Attribute Editor tab of ADUC, via samba-tool during user creation, or afterwards using ldbedit.
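Because the IDs are counted by hand, the checks an administrator wants before assigning a new one are: no two entries share an ID, no ID of a deleted account is handed out again, every user's primary gidNumber belongs to an existing group, and which ID is the next free one in the domain range. The following added example, not taken from this wiki page or from Samba, implements those checks over AD entries represented as plain dictionaries (constructed sample data SAMPLE_USERS, SAMPLE_GROUPS and RETIRED_IDS standing in for what an LDAP export would return); the function names are the example's own.

```python
"""Audit manually assigned uidNumber/gidNumber values (added example).

Entries are dicts with the attributes of interest, as an LDAP export would
provide them. The sample data is constructed: "carol" reuses bob's
uidNumber, "legacy-app" reuses the uidNumber of a retired account, and
"bob" has a primary gidNumber that matches no group.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

SAMPLE_USERS = [
    {"sAMAccountName": "alice", "uidNumber": 10000, "gidNumber": 10000},
    {"sAMAccountName": "bob", "uidNumber": 10001, "gidNumber": 10600},
    {"sAMAccountName": "carol", "uidNumber": 10001, "gidNumber": 10000},
    {"sAMAccountName": "legacy-app", "uidNumber": 10002, "gidNumber": 10000},
]
SAMPLE_GROUPS = [
    {"sAMAccountName": "Domain Users", "gidNumber": 10000},
    {"sAMAccountName": "unix-admins", "gidNumber": 10500},
]
# IDs of deleted accounts. Handing one out again gives the new account
# access to every file the old account still owns.
RETIRED_IDS = {10002}


def find_duplicate_ids(entries: Iterable[dict], attr: str) -> Dict[int, List[str]]:
    """Return {id: [account names]} for IDs assigned to more than one entry."""
    owners: Dict[int, List[str]] = defaultdict(list)
    for e in entries:
        if attr in e:
            owners[e[attr]].append(e["sAMAccountName"])
    return {i: names for i, names in owners.items() if len(names) > 1}


def find_reused_ids(entries: Iterable[dict], attr: str, retired: set) -> Dict[str, int]:
    """Return {account name: id} for entries that reuse a retired account's ID."""
    return {e["sAMAccountName"]: e[attr] for e in entries if e.get(attr) in retired}


def users_without_primary_group(users: Iterable[dict], groups: Iterable[dict]) -> List[str]:
    """Return users whose gidNumber matches no group (winbind cannot resolve them)."""
    known_gids = {g["gidNumber"] for g in groups if "gidNumber" in g}
    return [u["sAMAccountName"] for u in users if u.get("gidNumber") not in known_gids]


def next_free_id(entries: Iterable[dict], attr: str, id_range: Tuple[int, int],
                 retired: Iterable[int] = ()) -> Optional[int]:
    """Lowest ID in id_range that is neither in use nor retired, or None if full."""
    lo, hi = id_range
    used = {e[attr] for e in entries if attr in e} | set(retired)
    for candidate in range(lo, hi + 1):
        if candidate not in used:
            return candidate
    return None


if __name__ == "__main__":
    domain_range = (10000, 99999)  # must match "idmap config SAMDOM:range"
    print("duplicate uidNumbers:", find_duplicate_ids(SAMPLE_USERS, "uidNumber"))
    print("reused retired IDs:  ", find_reused_ids(SAMPLE_USERS, "uidNumber", RETIRED_IDS))
    print("no primary group:    ", users_without_primary_group(SAMPLE_USERS, SAMPLE_GROUPS))
    print("next free uidNumber: ", next_free_id(SAMPLE_USERS, "uidNumber", domain_range, RETIRED_IDS))
    print("next free gidNumber: ", next_free_id(SAMPLE_GROUPS, "gidNumber", domain_range))
```

Keeping the retired-ID list is the part most often skipped: once an account is deleted from AD nothing in the directory remembers its uidNumber, so without such a record the next administrator will reuse it and inherit the old account's file ownership.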

smb.conf settings

Add the following to the [global] section of your smb.conf:

[global]
       ...
       # Important: The ranges of the default (*) idmap config
       # and the domain(s) must not overlap!

       # Default idmap config used for BUILTIN and local accounts/groups
       idmap config *:backend = tdb
       idmap config *:range = 2000-9999

       # idmap config for domain SAMDOM
       idmap config SAMDOM:backend = ad
       idmap config SAMDOM:schema_mode = rfc2307
       idmap config SAMDOM:range = 10000-99999

       # Use template settings for login shell and home directory
       winbind nss info = template
       template shell = /sbin/nologin
       template homedir = /home/%U

See the smb.conf and idmap_ad manpages for the parameters and options used. The range of the domain idmap config defines the lowest and highest UID/GID that will ever be used in this domain. Any IDs above or below that range will not be retrieved! Ask your AD administrator if you are unsure which range to set.



Using idmap_ad on a Samba DC

Skip this section if configuring idmap_ad on a Domain Member.

Since Samba 4.2, Winbindd is used on a Samba Domain Controller instead of the Winbind built into the "samba" binary. Development of the built-in Winbind was stopped because it did not have the same quality and feature set as Winbindd. Users running 4.0 or 4.1 should update to 4.2 or later to use Winbindd with idmap_ad, or choose one of the alternatives: sssd or nslcd.

If you upgrade your DC from an earlier version and have a "server services" line in your smb.conf, you need to replace the "winbind" entry with "winbindd":

[global]
       ...
       server services = ....., winbind, winbindd

If you don't have a "server services" line, no changes are required: the default value of the "server services" parameter already enables Winbindd.

Winbindd is now started automatically as a child process by the "samba" binary on startup and should not be run manually:

# ps axf
...
2156 ?        Ss     0:00 /usr/local/samba/sbin//samba -D
...
2158 ?        S      0:00  \_ /usr/local/samba/sbin//samba -D
2172 ?        R      0:00      \_ /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
...