Difference between revisions of "Setting up RFC2307 in AD"

m (Advantages: Removed part about using login shell & home on 4.2, you still cannot!!)
m (make clear where multiline command ends)
 
(30 intermediate revisions by 4 users not shown)
Line 1: Line 1:
 
= Introduction =
 
= Introduction =
  
== What is RFC2307? ==
+
[https://www.rfc-editor.org/rfc/rfc2307.txt RFC 2307] defines the possibility to store user and group information in an LDAP directory. In an Active Directory (AD) with Linux integration, this has several advantages:
 +
* Central administration of IDs in AD.
 +
* Consistent IDs on all Linux domain members that use the Samba <code>idmap_ad</code> ID map back end.
 +
* Fast configuration of attributes.
 +
* No local ID mapping databases that can corrupt and thus cause lossing file ownerships.
 +
* Enable the administrator to set individual login shells and home directory paths for users.
 +
* Login shell and home directory settings are the same on all domain members using Samba <code>idmap_ad</code> ID map back end and <code>winbind nss info = rfc2307</code> parameter.
 +
* Easy management from Windows clients using the Active Directory Users and Computers (ADUC) Microsoft management console (MMC). For details, see [[Maintaining_Unix_Attributes_in_AD_using_ADUC|Maintaining Unix Attributes in AD using ADUC]].
  
[https://www.rfc-editor.org/rfc/rfc2307.txt RFC2307] defines the possibility to store e. g. user and group information in an LDAP directory. This allows central administration with several [[#Advantages|advantages]].
 
  
RFC2307 attributes are by default in place in a Samba Active Directory. You just have to configure Samba to use them instead of local ID mapping.
 
  
  
  
== What are NIS Extensions? ==
+
= Verifying the Domain Controller and Active Directory Setup =
  
With a simple schema extension for NIS (Network Information System), additional information can be managed in Active Directory. This allows you e. g. to easily manage users/groups using the Windows tools like ADUC, without manual counting UIDs/GIDs.
+
Run the following tests to verify if the RFC2307 integration is already enabled in your Active Directory (AD):
  
  
  
== Server information used in this HowTo ==
+
== RFC2307 on AD Domain Controllers ==
  
Inside this HowTo, we will be using the following configuration/settings:
+
On a AD DC there should not be more than the sysvol and netlogon share, so the usage of unified RFC2307 idmappings is not really important. If you want to enable RFC2307 ID mappings on the DC for whatever reason, the you would have to verify on the Samba DC, that the <code>idmap_ldb:use rfc2307</code> parameter exists and is set to <code>yes</code> in the <code>[global]</code> section of your <code>smb.conf</code> file:
  
Netbios Name:           DC1
+
  idmap_ldb:use rfc2307 = yes
LDAP Domain DN:        DC=samdom,DC=example,DC=com
 
DC Name:                DC1.samdom.example.com
 
Netbios/NIS Domain:    samdom
 
Installation Directory: /usr/local/samba/
 
  
 +
It is recommended not to use those mappings on the DCs. The default idmap ldb mechanism is fine for domain controllers and less error prone.
  
  
 +
==  Verifying That the NIS Extensions Are Installed in Active Directory ==
  
 +
Verify that the <code>ypServ30</code> LDAP tree exists in your Active Directory (AD):
  
= Advantages =
+
# ldbsearch -H /usr/local/samba/private/sam.ldb -s base -b \
 +
CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com cn
  
RFC2307 and the installed NIS Extensions in your Samba Active Directory will not cause any problem or harm, even if you don't need to use them (yet). Enabling this feature, provides a bunch of advantages:
+
The output should be:
  
* Central administration of users (UID, Login Shell, Home Directory, Primary Group) and groups (GID) directly in Active Directory.
+
# record 1
 
+
dn: CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com
* Consistent user and group information across multiple machines.
+
  cn: ypservers
 
 
* Individual settings for users (e. g. for Login Shell). Other mapping technologies typically use global template settings for all accounts on a host.
 
:'''Note''': Samba AD DCs, do not fetch login shell and home, they only fetch UID & GID.
 
 
 
* Central management stops the necessity for local ID mapping that can cause incorrect file ownership, if the local database corrupts.
 
 
 
* Easy user/group management via the default Microsoft tools (e. g. Active Directory Users and Computers), which are part of [[Installing_RSAT_on_Windows_for_AD_Management|RSAT]].
 
 
 
* No need for manual ID counting when using the default Microsoft tools. E. g. the next free UID and GID is stored directly in Active Directory and will be incremented when creating a new user or group.
 
 
 
* No disadvantages if enabled and not used. ;-)
 
 
 
= Possible problems, when RFC2307 is not used =
 
 
 
If you don't use the advantages of a central managed account/group database, then it is handled by each server itself, through [[Winbind|Winbind]], [[Local_user_management_and_authentication/nslcd|nslcd]] or [[Local_user_management_and_authentication/sssd|sssd]]. One result is that users have different UIDs on each [[Setup_a_Samba_AD_Member_Server|Member Server]]. Example:
 
 
 
  On Member Server 1:
 
 
# getent passwd demo1
 
SAMDOM\demo1:*:<u>3000022</u>:100:demo1:/home/SAMDOM/demo1:/bin/false
 
 
 
On Member Server 2
 
 
   
 
   
  # getent passwd demo1
+
  # returned 1 records
  SAMDOM\demo1:*:<u>3000019</u>:100:demo1:/home/SAMDOM/demo1:/bin/false
+
  # 1 entries
 
+
# 0 referrals
As long as the server is only accessed through Samba, this won't be a problem. However if you e. g. directly copy files between the servers on the filesystem level, the same account will not be able to access the files any more, because it will have a different UID on the destination server. If some other account owns the UID on the destination, they will be able to access the files!
 
 
 
 
 
 
 
 
 
 
 
= Check if RFC2307 is used by your Domain Controllers =
 
  
Check if your smb.conf <u>on all your Domain Controllers</u> contain the following parameter in the „[global]“ section:
+
If the <code>ldbsearch</code> command returns 1 record, the NIS Extensions are installed.
  
  idmap_ldb:use rfc2307 = yes
+
= Setting up RFC2307 and NIS Extensions in a Samba AD =
  
 +
== Provisioning a New Samba Active Directory with RFC2307 Enabled ==
  
 +
When you provision a new Samba AD forest, pass the <code>--use-rfc2307</code> to the <code>samba-tool domain provision</code> command to auto-install the NIS extensions. For example:
  
 +
# samba-tool domain provision --use-rfc2307 ...
  
 +
For details, see [[Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Provisioning_a_Samba_Active_Directory|Provisioning a Samba Active Directory]].
  
= Check if NIS Extensions are installed in your Directory =
+
Additionally, enable the the Samba RFC2307 module. For details, see [[#Enabling_the_RFC2307_Configuration_Parameter|Enabling the RFC2307 Configuration Parameter]].
  
Check if the „ypServ30“ container exists in your directory:
 
  
# ldbsearch -H /usr/local/samba/private/sam.ldb -s base -b CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com
 
  
 +
=== Installing the NIS Extensions ===
  
 +
Do not run this procedure if you provisioned your Active Directory (AD) with the <code>--use-rfc2307</code> parameter. For details, see [[#Provisioning_a_New_Samba_Active_Directory_with_RFC2307_Enabled|Provisioning a New Samba Active Directory with RFC2307 Enabled]].
  
 +
{{Imbox
 +
| type = warning
 +
| text = Updating the Schema can break your AD. Verify you have a working backup before updating the schema.
 +
}}
  
 +
To install the NIS extensions:
  
= Configuring RFC2307 and NIS Extensions in a Samba AD =
+
* Locate the domain controller (DC) with the <code>Schema Master</code> flexible single-master operations (FSMO) role:
 
 
== During provisioning your first Domain Controller ==
 
 
 
* Provision your domain with the „--use-rfc2307“ parameter:
 
 
 
# samba-tool domain provision --use-rfc2307 .....
 
 
 
:This automatically enables RFC2307 and installs the NIS Extensions.
 
 
 
 
 
 
 
== On additional joined Domain Controllers ==
 
 
 
This requires, that [[#Check_if_RFC2307_is_used_by_your_Domain_Controllers|your existing Domain Controllers are already using RFC2307]]!
 
 
 
* Add the following to the „[global]“ section of your smb.conf, after you've joined the domain as a Domain Controller:
 
 
 
  idmap_ldb:use rfc2307 = yes
 
 
 
* Restart Samba
 
 
 
As mentioned in [[#Advantages|Advantages]], login shell and homedir aren't fetched even if when using rfc2307. You may customize their template using <tt>template shell</tt> and <tt>template login</tt> configuration options in <tt>smb.conf</tt>. Beware that [https://git.samba.org/?p=samba.git;a=commitdiff;h=57228317fc2339b83cccf4b1f3515d8a3b435a3c before samba 4.2], you've to use <tt>%ACCOUNTNAME%</tt> and <tt>%WORKGROUP%</tt> instead of <tt>%U</tt> and <tt>%D</tt> placeholders.
 
 
 
 
 
 
 
== Extending the Schema for NIS Extensions ==
 
 
 
'''This procedure [[Samba_AD_Schema_Extenstions|extends your directory schema]]. This will effect your complete Active Directory Forest! Make sure, that you have a restorable [[Backup_and_Recovery|backup]] of your AD, for the case that anything fails or breaks your installation!'''
 
 
 
* If you have multiple Domain Controllers, locate the one owning the „Schema Master“ [[Flexible_Single-Master_Operations_(FSMO)_roles|role]] in your forest:
 
  
 
  # samba-tool fsmo show | grep SchemaMasterRole
 
  # samba-tool fsmo show | grep SchemaMasterRole
 
 
  SchemaMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
 
  SchemaMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
  
:This indicates, that „DC1“ is currently Schema Master in your forest. Continue with the next steps on this host.
+
: The output shows the name of the DC owning this role. Run all further steps on this DC.
  
* Shutdown Samba.
+
* Shut down the Samba service.
  
* Create a copy of „ypServ30.ldif“:
+
* Create a copy of the <code>ypServ30.ldif</code> schema file. For example:
  
 
  # cp /usr/local/samba/share/setup/ypServ30.ldif /tmp/
 
  # cp /usr/local/samba/share/setup/ypServ30.ldif /tmp/
  
* Replace the variables in the LDIF file (adapt the values to your environment!):
+
* Replace the variables in copied LDIF file with the domain distinguished name (DN), NetBIOS name, and the NIS domain of your setup. For example:
 +
:*${DOMAINDN}: <code>DC=samdom,DC=example,DC=com</code>
 +
:*${NETBIOSNAME}: <code>DC1</code>
 +
:*${NISDOMAIN}: <code>samdom</code>
  
  # sed -i -e 's/${DOMAINDN}/DC=samdom,DC=example,DC=com/g' \
+
  # sed -i -e 's/${DOMAINDN}/<u>DC=samdom,DC=example,DC=com</u>/g' \
           -e 's/${NETBIOSNAME}/DC1/g' \
+
           -e 's/${NETBIOSNAME}/<u>DC1</u>/g' \
           -e 's/${NISDOMAIN}/samdom/g' \
+
           -e 's/${NISDOMAIN}/<u>samdom</u>/g' \
 
           /tmp/ypServ30.ldif
 
           /tmp/ypServ30.ldif
  
* Import the schema
+
* Import the modified LDIF file to the local <code>/usr/local/samba/private/sam.ldb</code> Samba AD database:
  
 
  # ldbmodify -H /usr/local/samba/private/sam.ldb /tmp/ypServ30.ldif --option="dsdb:schema update allowed"=true
 
  # ldbmodify -H /usr/local/samba/private/sam.ldb /tmp/ypServ30.ldif --option="dsdb:schema update allowed"=true
 
 
  Modified 55 records successfully
 
  Modified 55 records successfully
  
* Start Samba.
+
* Start the Samba service.
 
 
* The directory replication pushes the new schema automatically to all Domain Controllers inside your forest.
 
 
 
 
 
 
 
 
 
 
 
= Administer Unix Attributes in Active Directory =
 
 
 
'''The actions described in this section require to have the [[#Configuring_RFC2307_and_NIS_Extensions_in_a_Samba_AD|NIS Extensions]] enabled. Additionally, the Windows [[Installing_RSAT_on_Windows_for_AD_Management|Remote Server Administration Tools (RSAT)]] have to be installed. See the [[Installing_RSAT_on_Windows_for_AD_Management#Installation|RSAT installation section]], for installing all recommended modules. At least the functions <u>"AD DS Tools" and "Server for NIS Tools"</u> are required for the following steps!'''
 
 
 
 
 
 
 
 
 
 
 
== Using ADUC to set Unix Attributes on a user account ==
 
 
 
* Open ADUC.
 
 
 
* Right-click to a user account and choose properties.
 
 
 
* Navigate to the „UNIX Attributes“ tab.
 
:''Note: If you don't see this tab, you haven't installed the [[Installing_RSAT_on_Windows_for_AD_Management#Installation|RSAT function "Server for NIS Tools"]].''
 
 
 
* When choosing the „NIS Domain“, the other fields are getting enabled. Fill the values as required.
 
:''Hint: As primary group you can only choose [[#Using_ADUC_to_set_Unix_Attributes_on_groups|groups, that have Unix attributes defined]]!''
 
 
 
:[[Image:ADUC_Unix_Attributes_User.png]]
 
 
 
* Click „OK“ to save your changes.
 
 
 
 
 
 
 
== Using ADUC to set Unix Attributes on groups ==
 
 
 
* Open ADUC.
 
 
 
* Right-click to a group and choose properties.
 
 
 
* Navigate to the „UNIX Attributes“ tab.
 
:''Note: If the tab isn't visible, you haven't installed the [[Installing_RSAT_on_Windows_for_AD_Management#Installation|RSAT function "Server for NIS Tools"]].''
 
 
 
* The other fields are not enabled until the "NIS Domain" is chosen, fill the values as required.
 
:''Hint: It's not required to add users to the group in this tab! Winbind, sssd and nslcd retrieve the account membership from the Windows groups (see „Member Of“-tab).''
 
 
 
:[[Image:ADUC_Unix_Attributes_Groups.png]]
 
 
 
* Click „OK“ to save your changes.
 
 
 
== Defining the next UID/GID to use ==
 
  
Every time a UID/GID is assigned using Active Directory Users and Computers (ADUC), <u>the next</u> unused UID/GID is stored inside the Active Directory.
+
The AD replicates the updated schema to all DCs in the forest.
  
By default, Active Directory starts assigning UIDs & GIDs at 10000.
 
  
You can change the next UID/GID that will be assigned. E. g. if you require to start UIDs at 20000 and GID at 50000, change the values on a Domain Controller:
 
  
# ldbedit -H /usr/local/samba/private/sam.ldb -b CN=samdom,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com
 
  
Adapt the following two attributes to your needs and save the changes.
 
  
msSFU30MaxUidNumber: 20000
+
----
msSFU30MaxGidNumber: 50000
+
[[Category:Active Directory]]
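Review bot: the removal of the "Possible problems, when RFC2307 is not used" section drops the only concrete security consequence the page gave for inconsistent IDs: with local ID mapping, demo1 gets UID 3000022 on one member server and 3000019 on another, so a file copied between them at the filesystem level becomes readable by whichever account owns that UID on the destination. The new Introduction reduces this to "Consistent IDs on all Linux domain members"; consider keeping that paragraph, or at least its last sentence, as a note under the advantages list. Two smaller points in the added text: "cause lossing file ownerships" should read "cause file ownership to be lost", and the bullet promising individual login shells and home directory paths should state that it applies to domain members using winbind nss info = rfc2307, since the removed note that Samba AD DCs fetch only UID and GID, not shell and home, is no longer stated anywhere on the page.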

Latest revision as of 13:42, 27 April 2018

Introduction

RFC 2307 defines an LDAP schema for storing NIS-style user and group information (UID, GID, login shell, home directory) in an LDAP directory. In an Active Directory (AD) with Linux integration, this has several advantages:

  • Central administration of IDs in AD.
  • Consistent IDs on all Linux domain members that use the Samba idmap_ad ID map back end.
  • Attributes are set once, centrally, instead of per host.
  • No local ID mapping databases that can become corrupted and thus cause file ownership to be lost.
  • Lets the administrator set individual login shells and home directory paths per user.
  • Login shell and home directory settings are the same on all domain members that use the Samba idmap_ad ID map back end together with the winbind nss info = rfc2307 parameter.
  • Easy management from Windows clients using the Active Directory Users and Computers (ADUC) Microsoft management console (MMC). For details, see Maintaining Unix Attributes in AD using ADUC.



Verifying the Domain Controller and Active Directory Setup

Run the following tests to verify whether the RFC2307 integration is already enabled in your Active Directory (AD):


RFC2307 on AD Domain Controllers

An AD DC should not serve more than the sysvol and netlogon shares, so unified RFC2307 ID mappings matter little there. If you nevertheless want to enable RFC2307 ID mappings on a Samba DC, verify that the idmap_ldb:use rfc2307 parameter exists and is set to yes in the [global] section of its smb.conf file:

 idmap_ldb:use rfc2307 = yes

If you do enable it, set it on every DC in the domain, so that all DCs map IDs the same way. Using those mappings on DCs is not recommended: the default idmap ldb mechanism is fine for domain controllers and less error prone.


Verifying That the NIS Extensions Are Installed in Active Directory

Verify that the ypServ30 LDAP tree exists in your Active Directory (AD):

# ldbsearch -H /usr/local/samba/private/sam.ldb -s base -b \
CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com cn

The output should be:

# record 1
dn: CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com
cn: ypservers

# returned 1 records
# 1 entries
# 0 referrals

If the ldbsearch command returns 1 record, the NIS Extensions are installed. If the base object does not exist, ldbsearch reports an error instead of a record, and the NIS Extensions still have to be installed.
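The two checks above (the smb.conf parameter and the ypServ30 base object) in script form, as an added example that is not part of the Samba wiki page or of Samba itself. It parses the output of testparm -s and ldbsearch rather than the files directly, so it sees Samba's effective configuration; the two parsing functions read their input from stdin so they can be exercised on constructed text, and the check_dc driver, which only runs when the script is invoked with --run, assumes the same /usr/local/samba prefix and samdom.example.com domain as the page (override SAM_LDB and DOMAIN_DN in the environment for other setups).

```shell
#!/bin/sh
# Added example: preflight check for RFC2307 / NIS-extension support on a Samba AD DC.
# Not part of the Samba project. Paths and domain below are the page's; override via env.
SAM_LDB=${SAM_LDB:-/usr/local/samba/private/sam.ldb}
DOMAIN_DN=${DOMAIN_DN:-DC=samdom,DC=example,DC=com}
YPSERVERS_DN="CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,$DOMAIN_DN"

# rfc2307_enabled_in_conf: read smb.conf text (or `testparm -s` output) on stdin and
# succeed only if the [global] section sets idmap_ldb:use rfc2307 to yes/true/1.
# Samba ignores case and whitespace in parameter names, so the pattern does too;
# the same line in any other section does not count.
rfc2307_enabled_in_conf() {
    awk '
        /^[ \t]*\[/ { section = tolower($0); gsub(/[^a-z]/, "", section); next }
        section == "global" &&
        tolower($0) ~ /^[ \t]*idmap_ldb:[ \t]*use[ \t]*rfc2307[ \t]*=[ \t]*(yes|true|1)[ \t]*$/ { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# nis_extensions_present: read `ldbsearch -s base` output on stdin and succeed only if
# exactly one record came back. A missing base object yields an error and no
# "# returned N records" trailer, which counts as "not installed".
nis_extensions_present() {
    awk '/^# returned [0-9]+ records/ { n = $3 } END { exit (n == 1) ? 0 : 1 }'
}

# check_dc: run both checks against the live host; needs testparm and ldbsearch in PATH.
# Returns non-zero only when the NIS extensions are missing, since RFC2307 ID mapping on
# a DC is optional (and not recommended by the page).
check_dc() {
    rc=0
    if testparm -s 2>/dev/null | rfc2307_enabled_in_conf; then
        echo "smb.conf: idmap_ldb:use rfc2307 = yes is set in [global]"
    else
        echo "smb.conf: RFC2307 ID mapping is not enabled on this DC (the default)"
    fi
    if ldbsearch -H "$SAM_LDB" -s base -b "$YPSERVERS_DN" cn 2>/dev/null | nis_extensions_present; then
        echo "sam.ldb: NIS extensions are installed ($YPSERVERS_DN exists)"
    else
        echo "sam.ldb: NIS extensions are NOT installed; see 'Installing the NIS Extensions'"
        rc=1
    fi
    return $rc
}

case "${1:-}" in
    --run) check_dc ;;
esac
```

Run it as `sh rfc2307-check.sh --run` on the DC. Feeding testparm output instead of reading smb.conf by hand matters when the parameter is set through an include file or with unusual spacing, which a plain grep on smb.conf would miss.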

Setting up RFC2307 and NIS Extensions in a Samba AD

Provisioning a New Samba Active Directory with RFC2307 Enabled

When you provision a new Samba AD forest, pass the --use-rfc2307 option to the samba-tool domain provision command; it installs the NIS extensions automatically. For example:

# samba-tool domain provision --use-rfc2307 ...

For details, see Provisioning a Samba Active Directory.

Additionally, if you want RFC2307 ID mapping on the DC itself, set idmap_ldb:use rfc2307 = yes in the [global] section of the DC's smb.conf, as described under RFC2307 on AD Domain Controllers.


Installing the NIS Extensions

Do not run this procedure if you provisioned your Active Directory (AD) with the --use-rfc2307 parameter. For details, see Provisioning a New Samba Active Directory with RFC2307 Enabled.

Warning: Updating the schema can break your AD, and the change affects the whole forest. Verify you have a working backup before updating the schema.

To install the NIS extensions:

  • Locate the domain controller (DC) with the Schema Master flexible single-master operations (FSMO) role:

    # samba-tool fsmo show | grep SchemaMasterRole
    SchemaMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com

    The output shows the name of the DC owning this role (DC1 here). Run all further steps on this DC.
  • Shut down the Samba service.
  • Create a copy of the ypServ30.ldif schema file. For example:

    # cp /usr/local/samba/share/setup/ypServ30.ldif /tmp/
  • Replace the variables in the copied LDIF file with the domain distinguished name (DN), the NetBIOS name of this DC, and the NIS domain of your setup. For example:
      • ${DOMAINDN}: DC=samdom,DC=example,DC=com
      • ${NETBIOSNAME}: DC1
      • ${NISDOMAIN}: samdom

    # sed -i -e 's/${DOMAINDN}/DC=samdom,DC=example,DC=com/g' \
             -e 's/${NETBIOSNAME}/DC1/g' \
             -e 's/${NISDOMAIN}/samdom/g' \
             /tmp/ypServ30.ldif

    Before importing, check that no ${...} placeholder remains in the file (for example with grep -F '${' /tmp/ypServ30.ldif, which should print nothing).
  • Import the modified LDIF file into the local /usr/local/samba/private/sam.ldb Samba AD database:

    # ldbmodify -H /usr/local/samba/private/sam.ldb /tmp/ypServ30.ldif --option="dsdb:schema update allowed"=true
    Modified 55 records successfully
  • Start the Samba service.

The AD replicates the updated schema to all DCs in the forest.
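The whole procedure as one script, as an added example that is neither the wiki page's own commands nor Samba tooling. It adds the checks a practitioner wants before rewriting a forest's schema: that this host is the Schema Master (parsed from samba-tool fsmo show), that samba is stopped, and that no ${...} placeholder survived substitution, so that a bad render is caught before the schema database is touched at all. The substitution uses | as the sed delimiter and escapes &, | and \ in the values, which the page's one-liner does not. SAMPLE_TEMPLATE is a constructed three-record excerpt in the style of ypServ30.ldif, used only to exercise the script (the real file is much larger and also carries the schema definitions); the /usr/local/samba prefix, the assumption that the DC's NetBIOS name equals its uppercased short hostname, and the use of pgrep are this example's own.

```shell
#!/bin/sh
# Added example: render ypServ30.ldif for this forest and import it into sam.ldb only
# after the sanity checks pass. Not part of Samba; paths below follow the wiki page.

# Constructed excerpt in the style of ypServ30.ldif (NOT the real file, which is far
# larger); it only exists so the render step can be exercised without a Samba install.
SAMPLE_TEMPLATE='dn: CN=ypServ30,CN=RpcServices,CN=System,${DOMAINDN}
changetype: add
objectClass: top
objectClass: container
cn: ypServ30

dn: CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,${DOMAINDN}
changetype: add
objectClass: top
objectClass: container
cn: ypservers

dn: CN=${NISDOMAIN},CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,${DOMAINDN}
changetype: add
objectClass: top
cn: ${NISDOMAIN}
description: NIS domain ${NISDOMAIN} served by ${NETBIOSNAME}
msSFU30MaxUidNumber: 10000
msSFU30MaxGidNumber: 10000
'

# sed_escape: make a value safe for use as a sed replacement with the | delimiter.
sed_escape() { printf '%s' "$1" | sed 's/[&|\\]/\\&/g'; }

# render_ypserv_ldif TEMPLATE OUT DOMAINDN NETBIOSNAME NISDOMAIN
# Same substitution as the page's sed command, but with a delimiter that cannot occur
# in a DN and with the values escaped. "\\\$" reaches sed as "\$", a literal dollar.
render_ypserv_ldif() {
    sed -e "s|\\\${DOMAINDN}|$(sed_escape "$3")|g" \
        -e "s|\\\${NETBIOSNAME}|$(sed_escape "$4")|g" \
        -e "s|\\\${NISDOMAIN}|$(sed_escape "$5")|g" "$1" > "$2"
}

# ldif_is_rendered FILE: succeed only if no "${" placeholder is left in the file.
ldif_is_rendered() { ! grep -q -F '${' "$1"; }

# ldif_record_count FILE: number of LDIF records (one "dn:" line each).
ldif_record_count() { grep -c '^dn:' "$1"; }

# schema_master_from_fsmo: extract the DC name from `samba-tool fsmo show` output
# on stdin, e.g. "SchemaMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,..." -> DC1
schema_master_from_fsmo() {
    sed -n 's/^SchemaMasterRole owner: CN=NTDS Settings,CN=\([^,]*\),.*$/\1/p'
}

# render_sample: render the constructed excerpt into a temp file and print its path.
render_sample() {
    tmpl=$(mktemp); out=$(mktemp)
    printf '%s' "$SAMPLE_TEMPLATE" > "$tmpl"
    render_ypserv_ldif "$tmpl" "$out" 'DC=samdom,DC=example,DC=com' DC1 samdom
    rm -f "$tmpl"
    printf '%s\n' "$out"
}

# install_nis_extensions DOMAINDN NETBIOSNAME NISDOMAIN: the page's procedure with guards.
install_nis_extensions() {
    setup_dir=${SAMBA_SETUP_DIR:-/usr/local/samba/share/setup}     # assumed prefix
    sam_ldb=${SAM_LDB:-/usr/local/samba/private/sam.ldb}
    # samba-tool fsmo show reads the local sam.ldb, so this works with samba stopped.
    owner=$(samba-tool fsmo show | schema_master_from_fsmo | tr '[:lower:]' '[:upper:]')
    me=$(hostname -s | tr '[:lower:]' '[:upper:]')                  # assumed == NetBIOS name
    if [ "$owner" != "$me" ]; then
        echo "Schema Master is $owner, not this host ($me); run this on $owner" >&2
        return 1
    fi
    if pgrep -x samba >/dev/null 2>&1; then                        # assumes pgrep exists
        echo "samba is still running; stop it before changing the schema" >&2
        return 1
    fi
    rendered=$(mktemp)
    render_ypserv_ldif "$setup_dir/ypServ30.ldif" "$rendered" "$1" "$2" "$3"
    if ! ldif_is_rendered "$rendered"; then
        echo "unresolved placeholders remain in $rendered; not importing" >&2
        return 1
    fi
    echo "importing $(ldif_record_count "$rendered") records into $sam_ldb"
    ldbmodify -H "$sam_ldb" "$rendered" --option="dsdb:schema update allowed"=true
}

case "${1:-}" in
    --install) install_nis_extensions "$2" "$3" "$4" ;;
esac
```

Invoke it on the Schema Master as `sh install-nis-extensions.sh --install DC=samdom,DC=example,DC=com DC1 samdom` after stopping Samba; it exits before touching sam.ldb if any guard fails. Take the backup the page calls for before running it, since a successful import is still a forest-wide schema change.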