Setting up RFC2307 in AD: Difference between revisions

From SambaWiki
m (→‎Advantages: Removed part about using login shell & home on 4.2, you still cannot!!)
 
(37 intermediate revisions by 6 users not shown)
Line 1: Line 1:
= Introduction =
= Introduction =


The use of [https://www.rfc-editor.org/rfc/rfc2307.txt RFC 2307] attributes allows the storage of Unix user and group information in an LDAP directory. In an Active Directory (AD) with Linux integration, this has several advantages:
== What is RFC2307? ==
* Central administration of IDs in AD.
* Consistent IDs on all Linux domain members that use the Samba <code>idmap_ad</code> ID map back end.
* Fast configuration of attributes.
* No local ID mapping databases that can corrupt and lead to lose of file ownerships.
* Enable the administrator to set individual login shells and home directory paths for users.
* Login shell and home directory settings are the same on all domain members using Samba <code>idmap_ad</code> ID map back end and <code>winbind nss info = rfc2307</code> parameter.
* Easy management from Windows clients using the Active Directory Users and Computers (ADUC) Microsoft management console (MMC). For details, see [[Maintaining_Unix_Attributes_in_AD_using_ADUC|Maintaining Unix Attributes in AD using ADUC]].


[https://www.rfc-editor.org/rfc/rfc2307.txt RFC2307] defines the possibility to store e. g. user and group information in an LDAP directory. This allows central administration with several [[#Advantages|advantages]].


RFC2307 attributes are by default in place in a Samba Active Directory. You just have to configure Samba to use them instead of local ID mapping.






== What are NIS Extensions? ==
== RFC2307 on AD Domain Controllers ==


It is recommended to only have the sysvol and netlogon shares on an AD DC, so using RFC2307 id-mappings on the DC is not required. If you want to enable RFC2307 ID mappings on the DC for whatever reason e.g. you have other shares on the DC (not recommended) and are using the winbind 'ad' backend on Unix domain members, you need to ensure that the <code>idmap_ldb:use rfc2307</code> parameter exists in the <code>[global]</code> section of your <code>smb.conf</code> file on the Samba DC and is set to <code>yes</code> :
With a simple schema extension for NIS (Network Information System), additional information can be managed in Active Directory. This allows you e. g. to easily manage users/groups using the Windows tools like ADUC, without manual counting UIDs/GIDs.


idmap_ldb:use rfc2307 = yes


{{Imbox
| type = note
| text = It is not recommended to use RFC2307 mappings on Samba AD DC's. The default idmap.ldb mechanism is fine for domain controllers and less error prone.
}}


== Server information used in this HowTo ==


Inside this HowTo, we will be using the following configuration/settings:


Netbios Name: DC1
LDAP Domain DN: DC=samdom,DC=example,DC=com
DC Name: DC1.samdom.example.com
Netbios/NIS Domain: samdom
Installation Directory: /usr/local/samba/




== Verifying That the NIS Extensions Are Installed in Active Directory ==


Verify if the <code>ypServ30</code> LDAP tree exists in your Active Directory (AD):


# ldbsearch -H /usr/local/samba/private/sam.ldb -s base -b \
CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com cn


The output should be:
= Advantages =


# record 1
RFC2307 and the installed NIS Extensions in your Samba Active Directory will not cause any problem or harm, even if you don't need to use them (yet). Enabling this feature, provides a bunch of advantages:
dn: CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com

cn: ypservers
* Central administration of users (UID, Login Shell, Home Directory, Primary Group) and groups (GID) directly in Active Directory.

* Consistent user and group information across multiple machines.

* Individual settings for users (e. g. for Login Shell). Other mapping technologies typically use global template settings for all accounts on a host.
:'''Note''': Samba AD DCs, do not fetch login shell and home, they only fetch UID & GID.

* Central management stops the necessity for local ID mapping that can cause incorrect file ownership, if the local database corrupts.

* Easy user/group management via the default Microsoft tools (e. g. Active Directory Users and Computers), which are part of [[Installing_RSAT_on_Windows_for_AD_Management|RSAT]].

* No need for manual ID counting when using the default Microsoft tools. E. g. the next free UID and GID is stored directly in Active Directory and will be incremented when creating a new user or group.

* No disadvantages if enabled and not used. ;-)

= Possible problems, when RFC2307 is not used =

If you don't use the advantages of a central managed account/group database, then it is handled by each server itself, through [[Winbind|Winbind]], [[Local_user_management_and_authentication/nslcd|nslcd]] or [[Local_user_management_and_authentication/sssd|sssd]]. One result is that users have different UIDs on each [[Setup_a_Samba_AD_Member_Server|Member Server]]. Example:

On Member Server 1:
# returned 1 records
# getent passwd demo1
# 1 entries
SAMDOM\demo1:*:<u>3000022</u>:100:demo1:/home/SAMDOM/demo1:/bin/false
# 0 referrals


If the <code>ldbsearch</code> command returns 1 record, the NIS Extensions are installed and there is nothing else to do.
On Member Server 2
# getent passwd demo1
SAMDOM\demo1:*:<u>3000019</u>:100:demo1:/home/SAMDOM/demo1:/bin/false


{{Imbox
As long as the server is only accessed through Samba, this won't be a problem. However if you e. g. directly copy files between the servers on the filesystem level, the same account will not be able to access the files any more, because it will have a different UID on the destination server. If some other account owns the UID on the destination, they will be able to access the files!
| type = note
| text = The NIS Extensions are only required if you are going to use the ADUC Unix Attributes tabs to manage your users and groups.
}}


== Provisioning a New Samba Active Directory with RFC2307 Enabled ==


When you provision a new Samba AD forest, pass the <code>--use-rfc2307</code> to the <code>samba-tool domain provision</code> command to auto-install the NIS extensions. For example:


# samba-tool domain provision --use-rfc2307 ...


For details, see [[Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Provisioning_a_Samba_Active_Directory|Provisioning a Samba Active Directory]].


Additionally, enable the the Samba RFC2307 module. For details, see [[#Enabling_the_RFC2307_Configuration_Parameter|Enabling the RFC2307 Configuration Parameter]].
= Check if RFC2307 is used by your Domain Controllers =


Check if your smb.conf <u>on all your Domain Controllers</u> contain the following parameter in the „[global]“ section:


idmap_ldb:use rfc2307 = yes


== Installing the RFC2307 NIS Extensions after AD DC Provisioning ==


Do not run this procedure until you have checked if it is required. For details, see [[#Verifying_That_the_NIS_Extensions_Are_Installed_in_Active_Directory|Verifying_That_the_NIS_Extensions_Are_Installed_in_Active_Directory]].




{{Imbox
| type = warning
| text = Updating the Schema can break your AD. Verify you have a working backup before updating the schema.
}}


To install the NIS extensions:
= Check if NIS Extensions are installed in your Directory =


* Locate the domain controller (DC) with the <code>Schema Master</code> flexible single-master operations (FSMO) role:
Check if the „ypServ30“ container exists in your directory:

# ldbsearch -H /usr/local/samba/private/sam.ldb -s base -b CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com





= Configuring RFC2307 and NIS Extensions in a Samba AD =

== During provisioning your first Domain Controller ==

* Provision your domain with the „--use-rfc2307“ parameter:

# samba-tool domain provision --use-rfc2307 .....

:This automatically enables RFC2307 and installs the NIS Extensions.



== On additional joined Domain Controllers ==

This requires, that [[#Check_if_RFC2307_is_used_by_your_Domain_Controllers|your existing Domain Controllers are already using RFC2307]]!

* Add the following to the „[global]“ section of your smb.conf, after you've joined the domain as a Domain Controller:

idmap_ldb:use rfc2307 = yes

* Restart Samba

As mentioned in [[#Advantages|Advantages]], login shell and homedir aren't fetched even if when using rfc2307. You may customize their template using <tt>template shell</tt> and <tt>template login</tt> configuration options in <tt>smb.conf</tt>. Beware that [https://git.samba.org/?p=samba.git;a=commitdiff;h=57228317fc2339b83cccf4b1f3515d8a3b435a3c before samba 4.2], you've to use <tt>%ACCOUNTNAME%</tt> and <tt>%WORKGROUP%</tt> instead of <tt>%U</tt> and <tt>%D</tt> placeholders.



== Extending the Schema for NIS Extensions ==

'''This procedure [[Samba_AD_Schema_Extenstions|extends your directory schema]]. This will effect your complete Active Directory Forest! Make sure, that you have a restorable [[Backup_and_Recovery|backup]] of your AD, for the case that anything fails or breaks your installation!'''

* If you have multiple Domain Controllers, locate the one owning the „Schema Master“ [[Flexible_Single-Master_Operations_(FSMO)_roles|role]] in your forest:


# samba-tool fsmo show | grep SchemaMasterRole
# samba-tool fsmo show | grep SchemaMasterRole
SchemaMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
SchemaMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com


:This indicates, that „DC1“ is currently Schema Master in your forest. Continue with the next steps on this host.
: The output shows the name of the DC owning this role. Run all further steps on this DC.


* Shutdown Samba.
* Shut down the Samba service.


* Create a copy of „ypServ30.ldif“:
* Create a copy of the <code>ypServ30.ldif</code> schema file. For example:


# cp /usr/local/samba/share/setup/ypServ30.ldif /tmp/
# cp /usr/local/samba/share/setup/ypServ30.ldif /tmp/


* Replace the variables in the LDIF file (adapt the values to your environment!):
* Replace the variables in copied LDIF file with the domain distinguished name (DN), NetBIOS name, and the NIS domain of your setup. For example:
:*${DOMAINDN}: <code>DC=samdom,DC=example,DC=com</code>
:*${NETBIOSNAME}: <code>DC1</code>
:*${NISDOMAIN}: <code>samdom</code>


# sed -i -e 's/${DOMAINDN}/DC=samdom,DC=example,DC=com/g' \
# sed -i -e 's/\${DOMAINDN}/<u>DC=samdom,DC=example,DC=com</u>/g' \
-e 's/${NETBIOSNAME}/DC1/g' \
-e 's/\${NETBIOSNAME}/<u>DC1</u>/g' \
-e 's/${NISDOMAIN}/samdom/g' \
-e 's/\${NISDOMAIN}/<u>samdom</u>/g' \
/tmp/ypServ30.ldif
/tmp/ypServ30.ldif


* Import the modified LDIF file to the local <code>/usr/local/samba/private/sam.ldb</code> Samba AD database:
* Import the schema


# ldbmodify -H /usr/local/samba/private/sam.ldb /tmp/ypServ30.ldif --option="dsdb:schema update allowed"=true
# ldbmodify -H /usr/local/samba/private/sam.ldb /tmp/ypServ30.ldif --option="dsdb:schema update allowed"=true
Modified 55 records successfully
Modified 55 records successfully


* Start Samba.
* Start the Samba service.

* The directory replication pushes the new schema automatically to all Domain Controllers inside your forest.





= Administer Unix Attributes in Active Directory =

'''The actions described in this section require to have the [[#Configuring_RFC2307_and_NIS_Extensions_in_a_Samba_AD|NIS Extensions]] enabled. Additionally, the Windows [[Installing_RSAT_on_Windows_for_AD_Management|Remote Server Administration Tools (RSAT)]] have to be installed. See the [[Installing_RSAT_on_Windows_for_AD_Management#Installation|RSAT installation section]], for installing all recommended modules. At least the functions <u>"AD DS Tools" and "Server for NIS Tools"</u> are required for the following steps!'''





== Using ADUC to set Unix Attributes on a user account ==

* Open ADUC.

* Right-click to a user account and choose properties.

* Navigate to the „UNIX Attributes“ tab.
:''Note: If you don't see this tab, you haven't installed the [[Installing_RSAT_on_Windows_for_AD_Management#Installation|RSAT function "Server for NIS Tools"]].''

* When choosing the „NIS Domain“, the other fields are getting enabled. Fill the values as required.
:''Hint: As primary group you can only choose [[#Using_ADUC_to_set_Unix_Attributes_on_groups|groups, that have Unix attributes defined]]!''

:[[Image:ADUC_Unix_Attributes_User.png]]

* Click „OK“ to save your changes.



== Using ADUC to set Unix Attributes on groups ==

* Open ADUC.

* Right-click to a group and choose properties.

* Navigate to the „UNIX Attributes“ tab.
:''Note: If the tab isn't visible, you haven't installed the [[Installing_RSAT_on_Windows_for_AD_Management#Installation|RSAT function "Server for NIS Tools"]].''

* The other fields are not enabled until the "NIS Domain" is chosen, fill the values as required.
:''Hint: It's not required to add users to the group in this tab! Winbind, sssd and nslcd retrieve the account membership from the Windows groups (see „Member Of“-tab).''

:[[Image:ADUC_Unix_Attributes_Groups.png]]

* Click „OK“ to save your changes.

== Defining the next UID/GID to use ==


The AD replicates the updated schema to all DCs in the forest.
Every time a UID/GID is assigned using Active Directory Users and Computers (ADUC), <u>the next</u> unused UID/GID is stored inside the Active Directory.


By default, Active Directory starts assigning UIDs & GIDs at 10000.


You can change the next UID/GID that will be assigned. E. g. if you require to start UIDs at 20000 and GID at 50000, change the values on a Domain Controller:


# ldbedit -H /usr/local/samba/private/sam.ldb -b CN=samdom,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com


Adapt the following two attributes to your needs and save the changes.


----
msSFU30MaxUidNumber: 20000
[[Category:Active Directory]]
msSFU30MaxGidNumber: 50000

Latest revision as of 15:17, 26 November 2023

Introduction

The use of RFC 2307 attributes allows the storage of Unix user and group information in an LDAP directory. In an Active Directory (AD) with Linux integration, this has several advantages:

  • Central administration of IDs in AD.
  • Consistent IDs on all Linux domain members that use the Samba idmap_ad ID map back end.
  • Fast configuration of attributes.
  • No local ID mapping databases that can corrupt and lead to lose of file ownerships.
  • Enable the administrator to set individual login shells and home directory paths for users.
  • Login shell and home directory settings are the same on all domain members using Samba idmap_ad ID map back end and winbind nss info = rfc2307 parameter.
  • Easy management from Windows clients using the Active Directory Users and Computers (ADUC) Microsoft management console (MMC). For details, see Maintaining Unix Attributes in AD using ADUC.



RFC2307 on AD Domain Controllers

It is recommended to only have the sysvol and netlogon shares on an AD DC, so using RFC2307 id-mappings on the DC is not required. If you want to enable RFC2307 ID mappings on the DC for whatever reason e.g. you have other shares on the DC (not recommended) and are using the winbind 'ad' backend on Unix domain members, you need to ensure that the idmap_ldb:use rfc2307 parameter exists in the [global] section of your smb.conf file on the Samba DC and is set to yes :

 idmap_ldb:use rfc2307 = yes



Verifying That the NIS Extensions Are Installed in Active Directory

Verify if the ypServ30 LDAP tree exists in your Active Directory (AD):

# ldbsearch -H /usr/local/samba/private/sam.ldb -s base -b \
CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com cn

The output should be:

# record 1
dn: CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com
cn: ypservers

# returned 1 records
# 1 entries
# 0 referrals

If the ldbsearch command returns 1 record, the NIS Extensions are installed and there is nothing else to do.

Provisioning a New Samba Active Directory with RFC2307 Enabled

When you provision a new Samba AD forest, pass the --use-rfc2307 to the samba-tool domain provision command to auto-install the NIS extensions. For example:

# samba-tool domain provision --use-rfc2307 ...

For details, see Provisioning a Samba Active Directory.

Additionally, enable the the Samba RFC2307 module. For details, see Enabling the RFC2307 Configuration Parameter.


Installing the RFC2307 NIS Extensions after AD DC Provisioning

Do not run this procedure until you have checked if it is required. For details, see Verifying_That_the_NIS_Extensions_Are_Installed_in_Active_Directory.


To install the NIS extensions:

  • Locate the domain controller (DC) with the Schema Master flexible single-master operations (FSMO) role:
# samba-tool fsmo show | grep SchemaMasterRole
SchemaMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
The output shows the name of the DC owning this role. Run all further steps on this DC.
  • Shut down the Samba service.
  • Create a copy of the ypServ30.ldif schema file. For example:
# cp /usr/local/samba/share/setup/ypServ30.ldif /tmp/
  • Replace the variables in copied LDIF file with the domain distinguished name (DN), NetBIOS name, and the NIS domain of your setup. For example:
  • ${DOMAINDN}: DC=samdom,DC=example,DC=com
  • ${NETBIOSNAME}: DC1
  • ${NISDOMAIN}: samdom
# sed -i -e 's/\${DOMAINDN}/DC=samdom,DC=example,DC=com/g' \
         -e 's/\${NETBIOSNAME}/DC1/g' \
         -e 's/\${NISDOMAIN}/samdom/g' \
         /tmp/ypServ30.ldif
  • Import the modified LDIF file to the local /usr/local/samba/private/sam.ldb Samba AD database:
# ldbmodify -H /usr/local/samba/private/sam.ldb /tmp/ypServ30.ldif --option="dsdb:schema update allowed"=true
Modified 55 records successfully
  • Start the Samba service.

The AD replicates the updated schema to all DCs in the forest.