Setting up RFC2307 in AD: Difference between revisions
Older revision edit summary: m (Added line to advise that adding nis extensions is only required if not provisioned with --use-rfc2307)
Newer revision edit summary: (remove section, which contained redundant, incomplete information)
(11 intermediate revisions by 4 users not shown)
Revision as of 13:02, 22 November 2017
Introduction
RFC 2307 defines how to store user and group information (POSIX account and group attributes such as uidNumber, gidNumber, loginShell and the home directory) in an LDAP directory. In an Active Directory (AD) with Linux integration, this has several advantages:
- Central administration of IDs in AD.
- Consistent IDs on all Linux domain members that use the Samba idmap_ad ID map back end.
- Fast configuration of attributes.
- No local ID mapping databases that can corrupt and thus cause loss of file ownership.
- Enables the administrator to set individual login shells and home directory paths for users.
- Login shell and home directory settings are the same on all domain members that use the Samba idmap_ad ID map back end together with the winbind nss info = rfc2307 parameter.
- Easy management from Windows clients using the Active Directory Users and Computers (ADUC) Microsoft Management Console (MMC) snap-in. For details, see Maintaining Unix Attributes in AD using ADUC.
Verifying the Domain Controller and Active Directory Setup
Run the following tests to verify whether the RFC2307 integration is already enabled in your Active Directory (AD):
RFC2307 on AD Domain Controllers
An AD DC should not host any shares other than sysvol and netlogon, so unified RFC2307 ID mappings matter little on the DC itself. If you nevertheless want the DC to use RFC2307 ID mappings, verify on the Samba DC that the idmap_ldb:use rfc2307 parameter exists and is set to yes in the [global] section of your smb.conf file:
    idmap_ldb:use rfc2307 = yes
With this parameter set, the DC maps SIDs using the uidNumber and gidNumber attributes stored in AD and falls back to its local idmap.ldb database for objects that lack them. It is recommended not to use those mappings on the DCs. The default idmap ldb mechanism, which allocates IDs in the DC's local idmap.ldb database, is fine for domain controllers and less error prone.
Verifying That the NIS Extensions Are Installed in Active Directory
Verify that the ypServ30 LDAP tree exists in your Active Directory (AD):
    ldbsearch -H /usr/local/samba/private/sam.ldb -s base -b CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com cn
    # record 1
    dn: CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com
    cn: ypservers

    # returned 1 records
    # 1 entries
    # 0 referrals
If the ldbsearch command returns 1 record, the NIS extensions are installed. If the container does not exist, the base search fails with an error instead of returning a record. Note that this check only covers the NIS extensions that the ADUC UNIX Attributes tab needs; the uidNumber, gidNumber, loginShell and unixHomeDirectory attributes are part of the base AD schema and can be set on users and groups regardless.
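The two checks above, scripted as an added example; this is not code from the Samba wiki page or from the Samba project. It assumes the paths used on this page (/usr/local/samba/...), a "check" mode for live use on a DC, and runs offline on constructed sample data (a small smb.conf and ldbsearch output in the shape shown above).

```shell
#!/bin/sh
# Added example, not code from the Samba wiki page or the Samba project.
# Offline versions of the two checks in the section above. Paths, the
# "check" mode and all sample data below are assumptions/constructed.

SAM_LDB="${SAM_LDB:-/usr/local/samba/private/sam.ldb}"
SMB_CONF="${SMB_CONF:-/usr/local/samba/etc/smb.conf}"

# rfc2307_param_enabled FILE
# Succeeds only if "idmap_ldb:use rfc2307 = yes" is set in the [global]
# section of FILE. Comment lines and other sections are ignored, so a
# commented-out or misplaced copy of the parameter does not count.
rfc2307_param_enabled() {
    awk '
        /^[[:space:]]*[;#]/ { next }                 # comment line
        /^[[:space:]]*\[/ {                          # section header
            sect = tolower($0)
            sub(/^[[:space:]]*\[/, "", sect); sub(/].*$/, "", sect)
            next
        }
        sect == "global" {
            line = tolower($0); gsub(/[[:space:]]/, "", line)
            if (line == "idmap_ldb:userfc2307=yes") found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# nis_extensions_installed LDBSEARCH_OUTPUT
# Succeeds if the base search for the ypservers container returned exactly
# one record. Any other output (0 records, or a search error because the
# container does not exist) means the NIS extensions are not installed.
nis_extensions_installed() {
    printf '%s\n' "$1" | grep -q '^# returned 1 records$'
}

# query_nis_container DOMAINDN: the live ldbsearch from the page (root on a DC)
query_nis_container() {
    ldbsearch -H "$SAM_LDB" -s base \
        -b "CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,$1" cn 2>&1
}

# --- constructed sample data -------------------------------------------
SAMPLE_SMB_CONF_ON=$(mktemp); SAMPLE_SMB_CONF_OFF=$(mktemp)
trap 'rm -f "$SAMPLE_SMB_CONF_ON" "$SAMPLE_SMB_CONF_OFF"' EXIT
cat >"$SAMPLE_SMB_CONF_ON" <<'EOF'
[global]
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes
[sysvol]
    path = /usr/local/samba/var/locks/sysvol
EOF
# Same file, but the parameter is commented out in [global] and a stray copy
# sits in a share section: both must be ignored.
cat >"$SAMPLE_SMB_CONF_OFF" <<'EOF'
[global]
    workgroup = SAMDOM
    ; idmap_ldb:use rfc2307 = yes
[sysvol]
    idmap_ldb:use rfc2307 = yes
EOF
SAMPLE_LDB_FOUND=$(cat <<'EOF'
# record 1
dn: CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com
cn: ypservers

# returned 1 records
# 1 entries
# 0 referrals
EOF
)
# Shape of a failed search on a domain without the container (constructed,
# not the exact ldbsearch wording).
SAMPLE_LDB_MISSING='search error - no such base DN'

# Live mode: ./rfc2307-check.sh check DC=samdom,DC=example,DC=com
if [ "${1:-}" = "check" ]; then
    rfc2307_param_enabled "$SMB_CONF" && echo "idmap_ldb:use rfc2307 = yes is set" \
        || echo "idmap_ldb:use rfc2307 not enabled on this DC (default idmap.ldb mapping)"
    nis_extensions_installed "$(query_nis_container "$2")" && echo "NIS extensions installed" \
        || echo "NIS extensions NOT installed"
fi
```

The smb.conf check deliberately parses sections rather than grepping the whole file: the parameter only takes effect in [global], and a commented-out line is the usual reason a DC that "has the setting" still allocates IDs from idmap.ldb.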
Setting up RFC2307 and NIS Extensions in a Samba AD
Provisioning a New Samba Active Directory with RFC2307 Enabled
When you provision a new Samba AD forest, pass the --use-rfc2307 parameter to the samba-tool domain provision command to auto-install the NIS extensions. For example:
    # samba-tool domain provision --use-rfc2307 ...
For details, see Provisioning a Samba Active Directory.
Additionally, if the DC itself should use the RFC2307 attributes for ID mapping, set idmap_ldb:use rfc2307 = yes in the [global] section of the DC's smb.conf file, as described in RFC2307 on AD Domain Controllers above.
Installing the NIS Extensions
Do not run this procedure if you provisioned your Active Directory (AD) with the --use-rfc2307 parameter. For details, see Provisioning a New Samba Active Directory with RFC2307 Enabled.
Warning: Updating the schema can break your AD. Verify that you have a working backup before updating the schema.
To install the NIS extensions:
- Locate the domain controller (DC) with the Schema Master flexible single-master operations (FSMO) role:
    # samba-tool fsmo show | grep SchemaMasterRole
    SchemaMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
- The output shows the name of the DC owning this role (DC1 in this example). Run all further steps on this DC: schema changes are only accepted on the Schema Master and are replicated from there to the other DCs.
- Shut down the Samba service, because the following steps write to the sam.ldb database directly and must not race with a running Samba.
- Create a copy of the ypServ30.ldif schema file. For example:
    # cp /usr/local/samba/share/setup/ypServ30.ldif /tmp/
- Replace the variables in the copied LDIF file with the domain distinguished name (DN), the NetBIOS name of the DC, and the NIS domain of your setup. For example:
  - ${DOMAINDN}: DC=samdom,DC=example,DC=com
  - ${NETBIOSNAME}: DC1
  - ${NISDOMAIN}: samdom
    # sed -i -e 's/${DOMAINDN}/DC=samdom,DC=example,DC=com/g' \
        -e 's/${NETBIOSNAME}/DC1/g' \
        -e 's/${NISDOMAIN}/samdom/g' \
        /tmp/ypServ30.ldif
- Import the modified LDIF file into the local /usr/local/samba/private/sam.ldb Samba AD database. The dsdb:schema update allowed option is required, because Samba rejects schema modifications without it:
    # ldbmodify -H /usr/local/samba/private/sam.ldb /tmp/ypServ30.ldif --option="dsdb:schema update allowed"=true
    Modified 55 records successfully
- Start the Samba service.
The AD replicates the updated schema to all DCs in the forest.
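The procedure above as one script, added here as an example; it is not code from the Samba wiki page or from the Samba project. It refuses to run on any DC other than the Schema Master and rejects a rendered LDIF that still contains an unexpanded placeholder. SAMBA_PREFIX, the SAMBA_SERVICE systemd unit name, the "install" mode and the sample data are assumptions; the LDIF stand-in is constructed and only shares the three placeholders with the real ypServ30.ldif.

```shell
#!/bin/sh
# Added example, not code from the Samba wiki page or the Samba project.
# The NIS-extension import above as a script that refuses to run on any DC
# other than the Schema Master and rejects an LDIF with unexpanded
# placeholders. SAMBA_PREFIX, SAMBA_SERVICE, the "install" mode and the
# sample data are assumptions/constructed; the real ypServ30.ldif is much
# larger than the stand-in used here.
set -u
SAMBA_PREFIX="${SAMBA_PREFIX:-/usr/local/samba}"
SAMBA_SERVICE="${SAMBA_SERVICE:-samba-ad-dc}"     # systemd unit name, assumed
LDIF_SRC="$SAMBA_PREFIX/share/setup/ypServ30.ldif"
SAM_LDB="$SAMBA_PREFIX/private/sam.ldb"

# schema_master_netbios FSMO_OUTPUT
# Prints the NetBIOS name of the Schema Master, i.e. the second RDN of
# "SchemaMasterRole owner: CN=NTDS Settings,CN=<DC>,CN=Servers,...";
# prints nothing if no such line is present.
schema_master_netbios() {
    printf '%s\n' "$1" |
        sed -n 's/^SchemaMasterRole owner: CN=NTDS Settings,CN=\([^,]*\),.*$/\1/p'
}

# local_netbios: this host's short name, upper-cased like a NetBIOS name
local_netbios() {
    hostname -s | tr '[:lower:]' '[:upper:]'
}

# render_ldif SRC DST DOMAINDN NETBIOSNAME NISDOMAIN
# The sed substitution from the page, writing to DST instead of in place,
# followed by a check that no ${...} placeholder survived (an unexpanded one
# would be imported into the schema literally). Values must not contain "/".
render_ldif() {
    sed -e 's/\${DOMAINDN}/'"$3"'/g' \
        -e 's/\${NETBIOSNAME}/'"$4"'/g' \
        -e 's/\${NISDOMAIN}/'"$5"'/g' "$1" >"$2" || return 1
    if grep -q -F '${' "$2"; then
        echo "render_ldif: unexpanded placeholder left in $2:" >&2
        grep -F '${' "$2" >&2
        return 1
    fi
}

# install_nis_extensions DOMAINDN NISDOMAIN: the live procedure (root, Schema Master)
install_nis_extensions() {
    master=$(schema_master_netbios "$(samba-tool fsmo show)")
    me=$(local_netbios)
    if [ -z "$master" ] || [ "$master" != "$me" ]; then
        echo "refusing: Schema Master is '${master:-unknown}', this host is '$me'" >&2
        return 1
    fi
    work=$(mktemp) || return 1
    render_ldif "$LDIF_SRC" "$work" "$1" "$master" "$2" || return 1
    # A verified backup of the AD must exist at this point (see the warning above).
    systemctl stop "$SAMBA_SERVICE" || return 1
    ldbmodify -H "$SAM_LDB" "$work" --option="dsdb:schema update allowed"=true
    rc=$?
    systemctl start "$SAMBA_SERVICE"
    rm -f "$work"
    return "$rc"
}

# --- constructed sample data -------------------------------------------
SAMPLE_FSMO='SchemaMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com'
SAMPLE_LDIF=$(mktemp); SAMPLE_OUT=$(mktemp); SAMPLE_BAD=$(mktemp)
trap 'rm -f "$SAMPLE_LDIF" "$SAMPLE_OUT" "$SAMPLE_BAD"' EXIT
# Stand-in for ypServ30.ldif: same three placeholders, invented content.
cat >"$SAMPLE_LDIF" <<'EOF'
dn: CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,${DOMAINDN}
changetype: add
objectClass: container
cn: ypservers
description: NIS domain ${NISDOMAIN} served by ${NETBIOSNAME}
EOF
# A placeholder the sed command does not know about must make the render fail.
printf 'dn: CN=x,${DOMAINDN}\ndescription: ${UNKNOWN}\n' >"$SAMPLE_BAD"

# Live mode: ./install-nis-ext.sh install DC=samdom,DC=example,DC=com samdom
if [ "${1:-}" = "install" ]; then
    install_nis_extensions "$2" "$3"
fi
```

The Schema Master comparison is the guard that matters: ldbmodify will happily write to sam.ldb on any DC, but a schema change made anywhere other than the FSMO role owner is exactly the kind of inconsistency the warning above is about.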