Setting up RFC2307 in AD: Difference between revisions

From SambaWiki
m (Fixed link)
(Rewrote documentation. Better structure, clearer wording, added markups, etc.)

Revision as of 22:18, 2 November 2016

Introduction

RFC 2307 defines a schema for storing user, group and other NIS information in an LDAP directory. In an Active Directory (AD) with Linux integration, this has several advantages:

  • Central administration of IDs in AD.
  • Consistent IDs on all Linux domain members that use the Samba idmap_ad ID map back end.
  • Fast configuration of attributes: a group only needs a GID assigned; a new user needs a UID, NIS domain, login shell, home directory and primary group.
  • No local ID mapping databases that can become corrupted and thus cause the loss of file ownership.
  • The administrator can set individual login shells and home directory paths for users.
  • Login shell and home directory settings are the same on all domain members that use the Samba idmap_ad ID map back end together with the winbind nss info = rfc2307 parameter.
  • Easy management from Windows clients using the Active Directory Users and Computers (ADUC) Microsoft Management Console (MMC) snap-in. For details, see Administer Unix Attributes in AD using ADUC.



Verifying the Domain Controller and Active Directory Setup

Run the following tests to verify whether the RFC2307 integration is already enabled in your Active Directory (AD):


Verifying That RFC2307 is Enabled on All Domain Controllers

Verify on all Samba domain controllers (DCs) that the idmap_ldb:use rfc2307 parameter exists and is set to yes in the [global] section of the smb.conf file. A DC without this parameter does not use the RFC2307 attributes for ID mapping, even if the NIS extensions are installed in the directory:

 idmap_ldb:use rfc2307 = yes
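The following is an added example, not code from the SambaWiki page or from the Samba project: a POSIX shell function that checks an smb.conf the way the step above asks, reading only the [global] section, skipping commented lines, and comparing the parameter name without regard to case or whitespace (which is how Samba matches parametric options). The sample configurations it runs against are constructed for the demonstration; the path /usr/local/samba/etc/smb.conf in the usage comment assumes the page's install prefix.

```shell
#!/bin/sh
# Added example, not Samba project code: verify that idmap_ldb:use rfc2307 is
# enabled in the [global] section of an smb.conf. Only [global] counts,
# comment lines are skipped, and the parameter name is compared without
# regard to case or whitespace, which is how Samba matches parametric options.
set -eu

# $1 = path to an smb.conf. Returns 0 if the parameter is enabled in [global].
check_rfc2307_enabled() {
  awk -v want='idmap_ldb:userfc2307' '
    /^[ \t]*[;#]/ { next }                       # comment line
    /^[ \t]*\[/   { sec = tolower($0); gsub(/[][ \t]/, "", sec); next }
    sec == "global" && index($0, "=") {
      eq  = index($0, "=")
      key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
      val = tolower(substr($0, eq + 1));    gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (key == want) { found = 1; ok = (val == "yes" || val == "true" || val == "1") }
    }
    END { exit (found && ok) ? 0 : 1 }
  ' "$1"
}

# Constructed sample configurations for the demonstration (not real DC configs).
# $1 selects the variant; the path of the temporary file is printed.
make_sample_conf() {
  f=$(mktemp)
  case "$1" in
    enabled) cat > "$f" <<'EOF'
[global]
        workgroup = SAMDOM
        realm = SAMDOM.EXAMPLE.COM
        server role = active directory domain controller
        Idmap_LDB : Use RFC2307 = Yes
[sysvol]
        path = /usr/local/samba/var/locks/sysvol
EOF
    ;;
    wrong-section) cat > "$f" <<'EOF'
[global]
        workgroup = SAMDOM
        realm = SAMDOM.EXAMPLE.COM
[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        idmap_ldb:use rfc2307 = yes
EOF
    ;;
    commented-out) cat > "$f" <<'EOF'
[global]
        workgroup = SAMDOM
        ; idmap_ldb:use rfc2307 = yes
EOF
    ;;
    set-to-no) cat > "$f" <<'EOF'
[global]
        workgroup = SAMDOM
        idmap_ldb:use rfc2307 = no
EOF
    ;;
  esac
  printf '%s\n' "$f"
}

# Demonstration: only the first variant passes.
for variant in enabled wrong-section commented-out set-to-no; do
  conf=$(make_sample_conf "$variant")
  if check_rfc2307_enabled "$conf"; then echo "$variant: enabled"; else echo "$variant: NOT enabled"; fi
  rm -f "$conf"
done
# On a DC: check_rfc2307_enabled /usr/local/samba/etc/smb.conf
```

Run it on every DC (for example over ssh), since the page requires the parameter on all of them. A parameter that is present but sits under a share section, is commented out, or is set to no is reported as not enabled, which is what Samba would see as well.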


Verifying That the NIS Extensions Are Installed in Active Directory

Verify that the ypServ30 LDAP tree exists in your Active Directory (AD). The following command reads the local sam.ldb database directly, so run it as root on a DC:

# ldbsearch -H /usr/local/samba/private/sam.ldb -s base -b CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com cn
# record 1
dn: CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com
cn: ypservers

# returned 1 records
# 1 entries
# 0 referrals

If the ldbsearch command returns 1 record, the NIS extensions are installed. If it returns 0 records, the base DN does not exist and the NIS extensions are not installed.



Setting up RFC2307 and NIS Extensions in a Samba AD

Provisioning a New Samba Active Directory with RFC2307 Enabled

When you provision a new Samba AD forest, pass the --use-rfc2307 parameter to the samba-tool domain provision command. This installs the NIS extensions during provisioning, so no separate schema update is required later. For example:

# samba-tool domain provision --use-rfc2307 ...

For details, see Provisioning a Samba Active Directory.

Additionally, make sure that the RFC2307 configuration parameter is enabled in the smb.conf file. For details, see Enabling the RFC2307 Configuration Parameter.


Enabling RFC2307 in an Existing Active Directory

Enabling the RFC2307 Configuration Parameter

  • Add the following parameter to the [global] section of your smb.conf file:
 idmap_ldb:use rfc2307 = yes
  • Restart Samba.


Installing the NIS Extensions

Do not run this procedure if you provisioned your Active Directory (AD) with the --use-rfc2307 parameter, or if the check in Verifying That the NIS Extensions Are Installed in Active Directory already returns 1 record. For details, see Provisioning a New Samba Active Directory with RFC2307 Enabled.

Warning: this procedure updates the AD schema, which affects the complete AD forest and can break your AD. Verify that you have a working backup before updating the schema.

To install the NIS extensions:

  • Locate the domain controller (DC) with the Schema Master flexible single-master operations (FSMO) role:
# samba-tool fsmo show | grep SchemaMasterRole
SchemaMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
The output shows the name of the DC owning this role. Run all further steps on this DC.
  • Shut down the Samba service.
  • Create a copy of the ypServ30.ldif schema file. For example:
# cp /usr/local/samba/share/setup/ypServ30.ldif /tmp/
  • Replace the variables in the copied LDIF file with the domain distinguished name (DN), the NetBIOS name of the DC, and the NIS domain of your setup. For example:
      • ${DOMAINDN}: DC=samdom,DC=example,DC=com
      • ${NETBIOSNAME}: DC1
      • ${NISDOMAIN}: samdom
# sed -i -e 's/${DOMAINDN}/DC=samdom,DC=example,DC=com/g' \
         -e 's/${NETBIOSNAME}/DC1/g' \
         -e 's/${NISDOMAIN}/samdom/g' \
         /tmp/ypServ30.ldif
  • Import the modified LDIF file to the local /usr/local/samba/private/sam.ldb Samba AD database:
# ldbmodify -H /usr/local/samba/private/sam.ldb /tmp/ypServ30.ldif --option="dsdb:schema update allowed"=true
Modified 55 records successfully
  • Start the Samba service.

AD replication pushes the updated schema to all other DCs in the forest automatically. To confirm, run the ldbsearch command from Verifying That the NIS Extensions Are Installed in Active Directory on each DC once replication has completed.
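The procedure above, as an added example that is not code from the SambaWiki page or from the Samba project: a shell script that wraps the page's commands (samba-tool fsmo show, the sed substitution, ldbmodify with dsdb:schema update allowed, and the ldbsearch check from the verification section) in functions that refuse to proceed on any DC other than the Schema Master, render the LDIF before Samba is stopped, and fail if any placeholder was left unreplaced. The systemd unit name samba-ad-dc, the install prefix /usr/local/samba, and the sample template are assumptions or constructed for the demonstration; install_nis_extensions is defined here but only run when you call it on a DC.

```shell
#!/bin/sh
# Added example, not Samba project code: the page's NIS-extension install
# wrapped in functions so that each step is checked before the schema is
# touched. Assumptions: Samba under /usr/local/samba (the page's prefix) and
# a systemd unit named samba-ad-dc (adjust for your system).
set -eu

SAMBA_PREFIX=/usr/local/samba
SAM_LDB=$SAMBA_PREFIX/private/sam.ldb
YPSERV30_TEMPLATE=$SAMBA_PREFIX/share/setup/ypServ30.ldif

# Escape a string for the right-hand side of sed 's|...|...|' (\, & and |).
sed_escape() { printf '%s' "$1" | sed 's/[\\&|]/\\&/g'; }

# Read 'samba-tool fsmo show' output on stdin, print the Schema Master DC name.
parse_schema_master() {
  sed -n 's/^SchemaMasterRole owner: CN=NTDS Settings,CN=\([^,]*\),.*$/\1/p'
}

# $1 template, $2 output, $3 domain DN, $4 NetBIOS name, $5 NIS domain.
# Fails if any ${...} placeholder survives: ldbmodify would otherwise import
# the placeholder text literally into the directory.
render_ypserv30_ldif() {
  sed -e 's|\${DOMAINDN}|'"$(sed_escape "$3")"'|g' \
      -e 's|\${NETBIOSNAME}|'"$(sed_escape "$4")"'|g' \
      -e 's|\${NISDOMAIN}|'"$(sed_escape "$5")"'|g' "$1" > "$2"
  if grep -qF '${' "$2"; then
    echo "render_ypserv30_ldif: unreplaced placeholders left in $2" >&2
    return 1
  fi
}

# The page's ldbsearch check: true when exactly one record comes back.
nis_extensions_installed() {   # $1 = domain DN
  ldbsearch -H "$SAM_LDB" -s base \
    -b "CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,$1" cn 2>/dev/null \
    | grep -c '^dn:' | grep -qx 1
}

# Whole procedure: $1 domain DN, $2 NetBIOS name of this DC, $3 NIS domain.
# Run as root on the Schema Master; refuses to continue anywhere else.
install_nis_extensions() {
  master=$(samba-tool fsmo show | parse_schema_master)
  if [ "$(printf '%s' "$master" | tr '[:lower:]' '[:upper:]')" != \
       "$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')" ]; then
    echo "Schema Master is $master, not $2; run this on $master" >&2
    return 1
  fi
  if nis_extensions_installed "$1"; then
    echo "NIS extensions already installed, nothing to do"
    return 0
  fi
  cp "$YPSERV30_TEMPLATE" /tmp/ypServ30.ldif.in
  # Render first, so a bad substitution never leaves Samba stopped.
  render_ypserv30_ldif /tmp/ypServ30.ldif.in /tmp/ypServ30.ldif "$1" "$2" "$3"
  systemctl stop samba-ad-dc                                  # assumed unit name
  ldbmodify -H "$SAM_LDB" /tmp/ypServ30.ldif --option="dsdb:schema update allowed"=true
  systemctl start samba-ad-dc
  nis_extensions_installed "$1"                               # post-check
}

# Constructed stand-in template with the same placeholders as the real file
# (its lines are illustrative, not the contents of ypServ30.ldif).
make_sample_template() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
dn: CN=ypServ30,CN=RpcServices,CN=System,${DOMAINDN}
objectClass: container
dn: CN=${NISDOMAIN},CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,${DOMAINDN}
msSFU30MasterServerName: ${NETBIOSNAME}
EOF
  printf '%s\n' "$f"
}

# Demonstration on the constructed template (no Samba needed).
tmpl=$(make_sample_template); out=$(mktemp)
render_ypserv30_ldif "$tmpl" "$out" 'DC=samdom,DC=example,DC=com' DC1 samdom
cat "$out"
rm -f "$tmpl" "$out"
```

On a DC you would call install_nis_extensions 'DC=samdom,DC=example,DC=com' DC1 samdom with the page's values. The substitution uses | as the sed delimiter and escapes the replacement text, so a DN or NIS domain containing / or & cannot break the pattern, and the leftover-placeholder check catches a template variable that the three substitutions did not cover.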