Setting up RFC2307 in AD: Difference between revisions

From SambaWiki
Latest revision as of 15:17, 26 November 2023

Introduction

The use of RFC 2307 attributes allows the storage of Unix user and group information in an LDAP directory. In an Active Directory (AD) with Linux integration, this has several advantages:

  • Central administration of IDs in AD.
  • Consistent IDs on all Linux domain members that use the Samba idmap_ad ID map back end.
  • Fast configuration of attributes.
  • No local ID mapping databases that can become corrupted and lead to loss of file ownership.
  • Enable the administrator to set individual login shells and home directory paths for users.
  • Login shell and home directory settings are the same on all domain members that use the Samba idmap_ad ID map back end and the winbind nss info = rfc2307 parameter.
  • Easy management from Windows clients using the Active Directory Users and Computers (ADUC) Microsoft management console (MMC). For details, see Maintaining Unix Attributes in AD using ADUC.



RFC2307 on AD Domain Controllers

It is recommended to have only the sysvol and netlogon shares on an AD DC, so RFC2307 ID mappings on the DC are not required. If you want to enable RFC2307 ID mappings on the DC anyway, for example because you have other shares on the DC (not recommended) and use the winbind 'ad' back end on Unix domain members, ensure that the idmap_ldb:use rfc2307 parameter exists in the [global] section of your smb.conf file on the Samba DC and is set to yes:

 idmap_ldb:use rfc2307 = yes

Note: It is not recommended to use RFC2307 mappings on Samba AD DCs. The default idmap.ldb mechanism is fine for domain controllers and less error prone.



Verifying That the NIS Extensions Are Installed in Active Directory

Verify that the ypServ30 LDAP tree exists in your Active Directory (AD):

# ldbsearch -H /usr/local/samba/private/sam.ldb -s base -b \
CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com cn

The output should be:

# record 1
dn: CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com
cn: ypservers

# returned 1 records
# 1 entries
# 0 referrals

If the ldbsearch command returns 1 record, the NIS Extensions are installed and there is nothing else to do.
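The check above can be scripted so that it derives the ypServ30 DN from the realm and evaluates the ldbsearch output rather than relying on eyeballing it. The following is an added example and not part of the SambaWiki page; it assumes the sam.ldb path used on the page and the hypothetical function names realm_to_dn, ypservers_dn, nis_installed_from_output and check_nis_extensions. The sample ldbsearch outputs are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the SambaWiki page: derive the ypServ30 base DN
# from the realm, build the ldbsearch command the page describes, and decide
# from ldbsearch output whether the NIS extensions are installed.
# SAM_LDB is the path from the page's example; adjust it for your install.
SAM_LDB=/usr/local/samba/private/sam.ldb

# realm_to_dn samdom.example.com  ->  DC=samdom,DC=example,DC=com
realm_to_dn() {
    realm=$1
    dn=
    while [ -n "$realm" ]; do
        label=${realm%%.*}
        dn="${dn:+$dn,}DC=$label"
        if [ "$realm" = "$label" ]; then
            break
        fi
        realm=${realm#*.}
    done
    printf '%s' "$dn"
}

# ypservers_dn <realm> -> DN of the ypservers object under the ypServ30 tree
ypservers_dn() {
    printf 'CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,%s' "$(realm_to_dn "$1")"
}

# ldbsearch_nis_cmd <realm> -> the exact command to run on the DC (printed, not executed)
ldbsearch_nis_cmd() {
    printf 'ldbsearch -H %s -s base -b %s cn' "$SAM_LDB" "$(ypservers_dn "$1")"
}

# nis_installed_from_output: reads ldbsearch output on stdin and returns 0 only
# when exactly one record came back. ldbsearch reports an error (and no
# "# returned" line) when the base DN does not exist; that also counts as "missing".
nis_installed_from_output() {
    n=$(awk '/^# returned [0-9]+ records/ { print $3 }')
    [ "${n:-0}" -eq 1 ]
}

# check_nis_extensions <realm>: runs the real query on a DC (needs the Samba tools installed)
check_nis_extensions() {
    ldbsearch -H "$SAM_LDB" -s base -b "$(ypservers_dn "$1")" cn 2>/dev/null | nis_installed_from_output
}

# Constructed sample: what the page shows when the extensions are installed.
SAMPLE_INSTALLED='# record 1
dn: CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com
cn: ypservers

# returned 1 records
# 1 entries
# 0 referrals'

# Constructed sample standing in for a DC without the extensions (no record line).
SAMPLE_MISSING='# returned 0 records
# 0 entries
# 0 referrals'

echo "command for the DC: $(ldbsearch_nis_cmd samdom.example.com)"
if printf '%s\n' "$SAMPLE_INSTALLED" | nis_installed_from_output; then
    echo "sample output: NIS extensions installed"
else
    echo "sample output: NIS extensions missing"
fi
```

On a real DC, `check_nis_extensions samdom.example.com && echo installed` gives the same yes/no answer as reading the record count by hand; anything other than exactly one returned record is treated as "not installed", so a typo in the base DN cannot pass as success.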

Provisioning a New Samba Active Directory with RFC2307 Enabled

When you provision a new Samba AD forest, pass the --use-rfc2307 option to the samba-tool domain provision command to install the NIS extensions automatically. For example:

# samba-tool domain provision --use-rfc2307 ...

For details, see Provisioning a Samba Active Directory.

Additionally, enable the Samba RFC2307 module by setting idmap_ldb:use rfc2307 = yes in the [global] section of your smb.conf file and restarting Samba. For details, see RFC2307 on AD Domain Controllers.


Installing the RFC2307 NIS Extensions after AD DC Provisioning

Do not run this procedure until you have checked that it is required. For details, see Verifying That the NIS Extensions Are Installed in Active Directory.


To install the NIS extensions:

  • Locate the domain controller (DC) with the Schema Master flexible single-master operations (FSMO) role:

    # samba-tool fsmo show | grep SchemaMasterRole
    SchemaMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com

    The output shows the name of the DC owning this role. Run all further steps on this DC.
  • Shut down the Samba service.
  • Create a copy of the ypServ30.ldif schema file. For example:

    # cp /usr/local/samba/share/setup/ypServ30.ldif /tmp/

  • Replace the variables in the copied LDIF file with the domain distinguished name (DN), NetBIOS name, and NIS domain of your setup. For example:
      • ${DOMAINDN}: DC=samdom,DC=example,DC=com
      • ${NETBIOSNAME}: DC1
      • ${NISDOMAIN}: samdom

    # sed -i -e 's/\${DOMAINDN}/DC=samdom,DC=example,DC=com/g' \
             -e 's/\${NETBIOSNAME}/DC1/g' \
             -e 's/\${NISDOMAIN}/samdom/g' \
             /tmp/ypServ30.ldif

  • Import the modified LDIF file into the local /usr/local/samba/private/sam.ldb Samba AD database:

    # ldbmodify -H /usr/local/samba/private/sam.ldb /tmp/ypServ30.ldif --option="dsdb:schema update allowed"=true
    Modified 55 records successfully

  • Start the Samba service.

The AD replicates the updated schema to all DCs in the forest.
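The variable substitution step is the one place in this procedure where a silent mistake (a placeholder left unreplaced, or a value containing a character that sed treats specially) ends up in the schema with the "dsdb:schema update allowed" guard switched off. The following added example, which is not part of the SambaWiki page, wraps the page's sed command in a function that validates its inputs and refuses to proceed while any ${...} placeholder remains. The function names render_ypserv_ldif and no_leftover_placeholders are hypothetical, and the template fragment is constructed for the demo; it does not reproduce the real ypServ30.ldif.

```shell
#!/bin/sh
# Added example, not from the SambaWiki page: fill in the ypServ30.ldif
# template the way the page's sed command does, and refuse to hand the file
# to ldbmodify while any ${...} placeholder is left, since an unreplaced
# placeholder would be written into the schema as a literal string.

# render_ypserv_ldif <template> <output> <domain DN> <netbios name> <nis domain>
# Returns 1 without touching <output> if a value contains a character that is
# special in the sed replacement ('|' is used as the delimiter below, '&' and
# '\' are special in the replacement text).
render_ypserv_ldif() {
    tmpl=$1
    out=$2
    for v in "$3" "$4" "$5"; do
        case "$v" in
            *'|'*|*'&'*|*'\'*)
                echo "refusing value with sed-special characters: $v" >&2
                return 1
                ;;
        esac
    done
    # '\$' keeps the dollar sign literal in the regex; '|' as delimiter avoids
    # clashing with anything that may appear in a DN.
    sed -e 's|\${DOMAINDN}|'"$3"'|g' \
        -e 's|\${NETBIOSNAME}|'"$4"'|g' \
        -e 's|\${NISDOMAIN}|'"$5"'|g' \
        "$tmpl" > "$out"
}

# no_leftover_placeholders <file>: returns 0 when no ${NAME} placeholder remains.
no_leftover_placeholders() {
    if grep -q '\${[A-Za-z_][A-Za-z_]*}' "$1"; then
        echo "unreplaced placeholders remain in $1, not importing:" >&2
        grep -n '\${[A-Za-z_][A-Za-z_]*}' "$1" >&2
        return 1
    fi
    return 0
}

# Constructed template fragment (demo only; the real file has many more entries).
TMPL=$(mktemp)
OUT=$(mktemp)
cat > "$TMPL" <<'EOF'
dn: CN=ypServ30,CN=RpcServices,CN=System,${DOMAINDN}
objectClass: container
cn: ypServ30

dn: CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,${DOMAINDN}
objectClass: container
cn: ypservers
description: NIS server ${NETBIOSNAME} for NIS domain ${NISDOMAIN}
EOF

if render_ypserv_ldif "$TMPL" "$OUT" 'DC=samdom,DC=example,DC=com' DC1 samdom \
   && no_leftover_placeholders "$OUT"; then
    echo "rendered LDIF in $OUT; import it on the Schema Master with:"
    echo "ldbmodify -H /usr/local/samba/private/sam.ldb $OUT --option=\"dsdb:schema update allowed\"=true"
fi
rm -f "$TMPL"
```

The placeholder check is deliberately run on the rendered file rather than on the sed exit status: sed reports success even when a pattern never matched, so a misspelled variable name in the template would otherwise pass unnoticed and be imported verbatim.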