Setting up RFC2307 in AD: Difference between revisions

From SambaWiki
Revision as of 08:47, 5 April 2021

Introduction

The use of RFC 2307 attributes allows the storage of Unix user and group information in an LDAP directory. In an Active Directory (AD) with Linux integration, this has several advantages:

  • Central administration of IDs in AD.
  • Consistent IDs on all Linux domain members that use the Samba idmap_ad ID map back end.
  • Fast configuration of attributes.
  • No local ID mapping databases that can become corrupted and lead to loss of file ownership.
  • Enable the administrator to set individual login shells and home directory paths for users.
  • Login shell and home directory settings are the same on all domain members that use the Samba idmap_ad ID map back end and the winbind nss info = rfc2307 parameter.
  • Easy management from Windows clients using the Active Directory Users and Computers (ADUC) Microsoft management console (MMC). For details, see Maintaining Unix Attributes in AD using ADUC.



RFC2307 on AD Domain Controllers

It is recommended to have only the sysvol and netlogon shares on an AD DC, so using RFC2307 ID mappings on the DC is not required; the default idmap.ldb mechanism is fine for domain controllers and less error prone. If you nevertheless want to enable RFC2307 ID mappings on the DC, for example because you have other shares on the DC (not recommended) and use the winbind ad back end on Unix domain members, ensure that the idmap_ldb:use rfc2307 parameter exists in the [global] section of the smb.conf file on every Samba DC, so that all DCs map IDs the same way, and that it is set to yes:

 idmap_ldb:use rfc2307 = yes



Verifying That the NIS Extensions Are Installed in Active Directory

Verify that the ypServ30 LDAP tree exists in your Active Directory (AD):

# ldbsearch -H /usr/local/samba/private/sam.ldb -s base -b \
CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com cn

The output should be:

# record 1
dn: CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com
cn: ypservers

# returned 1 records
# 1 entries
# 0 referrals

If the ldbsearch command returns 1 record, the NIS Extensions are installed. They are only required if you are going to manage users and groups with the ADUC Unix Attributes tabs.
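Both checks above (the smb.conf parameter on the DC and the ypservers record in sam.ldb) can be scripted so that they run the same way on every DC. The following shell functions are an added example, not code from the SambaWiki page or from the Samba project: one reads an smb.conf and reports whether idmap_ldb:use rfc2307 is enabled in [global], the other reads ldbsearch output and reports whether exactly one ypservers record came back. The smb.conf fragments and the "not installed" ldbsearch output are constructed samples; the smb.conf path in the comment is the default for the /usr/local/samba prefix used on this page.

```shell
#!/bin/sh
# Added example, not code from the SambaWiki page: two checks that script the
# verification steps described there. All sample input is constructed here.

# rfc2307_enabled_in_global  (reads an smb.conf on stdin)
# Returns 0 only if "idmap_ldb:use rfc2307" is set to yes/true/1 in [global].
# Samba ignores case and whitespace in parameter names, so both are
# normalised before comparing; a copy of the line inside a share section
# is ignored, because only [global] enables the mapping on the DC.
rfc2307_enabled_in_global() {
    awk '
        /^[ \t]*\[/ {                          # section header, e.g. [global]
            s = tolower($0); gsub(/[ \t]/, "", s)
            in_global = (s == "[global]")
            next
        }
        /^[ \t]*[;#]/ { next }                 # comment line
        in_global {
            line = tolower($0); gsub(/[ \t]/, "", line)
            if (line == "idmap_ldb:userfc2307=yes" ||
                line == "idmap_ldb:userfc2307=true" ||
                line == "idmap_ldb:userfc2307=1") found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# nis_extensions_installed  (reads ldbsearch output on stdin)
# Returns 0 when the search returned exactly one record and its DN is the
# ypservers container; an error, or "returned 0 records", gives 1.
nis_extensions_installed() {
    awk '
        /^dn:[ \t]*CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,/ { dn_ok = 1 }
        /^# returned [0-9]+ records/ { n = $3 }
        END { exit ((dn_ok && n == 1) ? 0 : 1) }
    '
}

# Constructed smb.conf fragments: the first enables the mapping in [global],
# the second only comments it out there and sets it under a share.
SAMPLE_CONF_OK='[global]
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes
[netlogon]
    path = /usr/local/samba/var/locks/sysvol/samdom.example.com/scripts'

SAMPLE_CONF_BAD='[global]
    workgroup = SAMDOM
    # idmap_ldb:use rfc2307 = yes
[netlogon]
    idmap_ldb:use rfc2307 = yes'

# ldbsearch output as shown on the page (extensions installed) ...
SAMPLE_LDB_OK='# record 1
dn: CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com
cn: ypservers

# returned 1 records
# 1 entries
# 0 referrals'

# ... and a constructed "nothing found" summary. A real ldbsearch against a
# missing base DN reports an error instead; either way no ypservers dn line
# appears, so the check returns 1.
SAMPLE_LDB_MISSING='# returned 0 records
# 0 entries
# 0 referrals'

# Stand-alone demo on the constructed samples. On a real DC (paths from the
# page, smb.conf at the default location for this prefix) the calls are:
#   rfc2307_enabled_in_global < /usr/local/samba/etc/smb.conf
#   ldbsearch -H /usr/local/samba/private/sam.ldb -s base \
#     -b CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com cn \
#     2>/dev/null | nis_extensions_installed
if printf '%s\n' "$SAMPLE_CONF_OK" | rfc2307_enabled_in_global; then
    echo "sample smb.conf: idmap_ldb:use rfc2307 is enabled in [global]"
fi
if printf '%s\n' "$SAMPLE_LDB_OK" | nis_extensions_installed; then
    echo "sample ldbsearch output: NIS extensions are installed"
fi
```

Run the smb.conf check on every DC, not just one; a DC on which the parameter is missing falls back to its own idmap.ldb allocations, which is exactly the inconsistency the parameter is meant to avoid.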



Provisioning a New Samba Active Directory with RFC2307 Enabled

When you provision a new Samba AD forest, pass the --use-rfc2307 option to the samba-tool domain provision command to install the NIS extensions automatically. For example:

# samba-tool domain provision --use-rfc2307 ...

For details, see Provisioning a Samba Active Directory.

Additionally, enable the Samba RFC2307 module. For details, see Enabling the RFC2307 Configuration Parameter.


Installing the NIS Extensions

Do not run this procedure if you provisioned your Active Directory (AD) with the --use-rfc2307 parameter. For details, see Provisioning a New Samba Active Directory with RFC2307 Enabled. This procedure extends the directory schema and therefore affects your complete AD forest; updating the schema can break your AD, so verify that you have a working, restorable backup before you continue.

To install the NIS extensions:

  • Locate the domain controller (DC) with the Schema Master flexible single-master operations (FSMO) role:

# samba-tool fsmo show | grep SchemaMasterRole
SchemaMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com

    The output shows the name of the DC owning this role (DC1 in this example). Run all further steps on this DC.

  • Shut down the Samba service.
  • Create a copy of the ypServ30.ldif schema file. For example:

# cp /usr/local/samba/share/setup/ypServ30.ldif /tmp/

  • Replace the variables in the copied LDIF file with the domain distinguished name (DN), NetBIOS name, and NIS domain of your setup. For example:
      • ${DOMAINDN}: DC=samdom,DC=example,DC=com
      • ${NETBIOSNAME}: DC1
      • ${NISDOMAIN}: samdom

# sed -i -e 's/${DOMAINDN}/DC=samdom,DC=example,DC=com/g' \
         -e 's/${NETBIOSNAME}/DC1/g' \
         -e 's/${NISDOMAIN}/samdom/g' \
         /tmp/ypServ30.ldif

  • Import the modified LDIF file into the local /usr/local/samba/private/sam.ldb Samba AD database:

# ldbmodify -H /usr/local/samba/private/sam.ldb /tmp/ypServ30.ldif --option="dsdb:schema update allowed"=true
Modified 55 records successfully

  • Start the Samba service.

The AD replicates the updated schema to all DCs in the forest.
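The substitution step is where a typo does lasting damage, because ldbmodify writes whatever is in the file into the schema and replication then carries it to every DC. The following shell functions are an added example, not code from the SambaWiki page or from the Samba project: render_ldif performs the same three substitutions as the sed command in the procedure above, ldif_is_resolved refuses a file that still contains a ${...} placeholder, and ldif_record_count counts the records so that the figure can be compared with the number ldbmodify reports. The template embedded below is a constructed, shortened stand-in for ypServ30.ldif, not the real file; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the SambaWiki page: a scripted version of the
# LDIF preparation step with a guard against importing a half-substituted
# file. The template below is a constructed, shortened stand-in for
# ypServ30.ldif, not the real schema file.

# render_ldif DOMAINDN NETBIOSNAME NISDOMAIN  (template on stdin, result on stdout)
# Same substitutions as the page's sed command; "$" is escaped so the pattern
# is a literal under any POSIX sed. Values must not contain "/", "&" or a
# newline, which sed would treat specially in the replacement text.
render_ldif() {
    sed -e 's/\${DOMAINDN}/'"$1"'/g' \
        -e 's/\${NETBIOSNAME}/'"$2"'/g' \
        -e 's/\${NISDOMAIN}/'"$3"'/g'
}

# ldif_is_resolved  (LDIF on stdin)
# Returns 0 if no ${VARIABLE} placeholder is left. Run it before ldbmodify:
# a leftover placeholder would otherwise be written into the schema verbatim.
ldif_is_resolved() {
    ! grep -q '\${[A-Za-z_][A-Za-z0-9_]*}'
}

# ldif_record_count  (LDIF on stdin)
# Prints the number of records (lines beginning with "dn:"), a quick sanity
# check against the "Modified N records" line that ldbmodify prints.
ldif_record_count() {
    grep -c '^dn:'
}

# Constructed stand-in template using the same ${...} variables as the real
# file; the object classes and attributes here are placeholders.
SAMPLE_TEMPLATE='dn: CN=ypServ30,CN=RpcServices,CN=System,${DOMAINDN}
changetype: add
objectClass: container
cn: ypServ30

dn: CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,${DOMAINDN}
changetype: add
objectClass: container
cn: ypservers

dn: CN=${NETBIOSNAME},CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,${DOMAINDN}
changetype: add
objectClass: container
cn: ${NETBIOSNAME}
description: NIS domain ${NISDOMAIN}'

# Stand-alone demo with the values used on the page.
printf '%s\n' "$SAMPLE_TEMPLATE" \
    | render_ldif 'DC=samdom,DC=example,DC=com' DC1 samdom \
    | ldif_is_resolved && echo "template fully substituted"

# Real use with the page's paths: write the file, check it, only then import.
#   render_ldif 'DC=samdom,DC=example,DC=com' DC1 samdom \
#       < /usr/local/samba/share/setup/ypServ30.ldif > /tmp/ypServ30.ldif
#   ldif_is_resolved < /tmp/ypServ30.ldif || { echo "unresolved variables"; exit 1; }
#   ldif_record_count < /tmp/ypServ30.ldif
```

Keeping the rendered file separate from the original (the page copies it to /tmp first) means a failed check costs nothing: fix the values, render again, and the untouched template in the Samba setup directory is still there for the next attempt.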