Setting up RFC2307 in AD: Difference between revisions
Mmuehlfeld: m (Fix link)
Mmuehlfeld: Major rewrite/edit of the page. More details/examples
Revision as of 17:05, 31 October 2015
Introduction
RFC2307 defines a schema for storing user and group information in an LDAP directory. This brings several advantages in an Active Directory environment:
- Central administration of IDs inside Active Directory
- Consistent IDs on all Domain Members that use idmap_ad
- Fast setting of attributes: groups only need a GID assigned; new users need a UID, NIS domain, login shell, home directory and primary group
- Central management removes the need for local ID mappings, which can cause loss of file ownership if the local mapping database becomes corrupted
- Individual login shells and home directory paths for users
- Login shell and home directory settings are the same on all Domain Members using idmap_ad with winbind nss info = rfc2307
- Easy user/group management via Active Directory Users and Computers (ADUC), which is part of RSAT
See the server information used in documentation page for paths used, hostnames, etc.
Checks
RFC2307 enabled on all Domain Controllers
Check that on all Domain Controllers the following parameter exists and is set to "yes" in the [global] section of smb.conf:
idmap_ldb:use rfc2307 = yes
NIS Extensions installed inside the directory
Check if the "ypServ30" container exists in your directory. The following command shows all attributes of the container, if it exists:
# ldbsearch -H /usr/local/samba/private/sam.ldb -s base -b CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com
# record 1
dn: CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com
objectClass: top
objectClass: container
cn: ypservers
instanceType: 4
whenCreated: 20140902205150.0Z
whenChanged: 20140902205150.0Z
uSNCreated: 3766
uSNChanged: 3766
showInAdvancedViewOnly: TRUE
name: ypservers
objectGUID: 10ad9cf7-0d89-4ea7-bc92-f06cc43cb951
objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
distinguishedName: CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com

# returned 1 records
# 1 entries
# 0 referrals
Setup RFC2307 and NIS Extensions in a Samba AD
During provisioning the first Domain Controller
Provision your domain with the "--use-rfc2307" parameter to enable RFC2307 and install the NIS extensions:
# samba-tool domain provision --use-rfc2307 ...
On an already running AD
Enable RFC2307
- Add the following to the [global] section of your smb.conf:
idmap_ldb:use rfc2307 = yes
- Restart Samba
As mentioned in idmap config ad, login shell and home directory are not fetched even if rfc2307 is used. You may customize these by using the template shell and template homedir configuration options in smb.conf. Beware that before Samba 4.2 you have to use %ACCOUNTNAME% and %WORKGROUP% instead of the %U and %D placeholders.
Installing NIS extensions
This procedure extends your directory schema! This affects your complete Active Directory forest. Make sure that you have a recoverable backup of your AD in case anything fails or breaks your installation!
- If running multiple Domain Controllers in your AD forest, locate the Schema Master:
# samba-tool fsmo show | grep SchemaMasterRole
SchemaMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
- This indicates that "DC1" currently owns the Schema Master role in your forest. Continue with the next steps on this host.
- Shut down Samba
- Create a copy of "ypServ30.ldif":
# cp /usr/local/samba/share/setup/ypServ30.ldif /tmp/
- Replace the variables in the LDIF file with the ones of your directory/domain:
# sed -i -e 's/${DOMAINDN}/DC=samdom,DC=example,DC=com/g' \
        -e 's/${NETBIOSNAME}/DC1/g' \
        -e 's/${NISDOMAIN}/samdom/g' \
        /tmp/ypServ30.ldif
- Import the schema:
# ldbmodify -H /usr/local/samba/private/sam.ldb /tmp/ypServ30.ldif --option="dsdb:schema update allowed"=true
Modified 55 records successfully
- Start Samba
- The directory replication pushes the new schema automatically to all Domain Controllers inside the forest.
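The following is an added shell example, not code from the Samba wiki or the Samba project. It turns the smb.conf check from the "Checks" section and the variable-substitution step of the schema procedure above into reusable functions: the smb.conf check only accepts an uncommented setting inside [global] (run it on every Domain Controller), and the LDIF rendering refuses to produce a file in which any ${...} placeholder survives. The sample smb.conf and LDIF fragment are constructed for the example and are not the real ypServ30.ldif.

```shell
#!/bin/sh
# Added example for this HowTo (not Samba project code); assumes POSIX sh, awk, sed, grep.

# check_rfc2307_global FILE
# Succeeds only if an uncommented "idmap_ldb:use rfc2307 = yes" sits inside the
# [global] section of FILE; a commented-out line or one in a share section does not count.
check_rfc2307_global() {
    awk '
        { line = tolower($0); sub(/^[ \t]+/, "", line) }
        line ~ /^\[/ { in_global = (line ~ /^\[global\][ \t]*$/); next }
        in_global && line ~ /^idmap_ldb:use[ \t]+rfc2307[ \t]*=[ \t]*yes[ \t]*$/ { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# render_ypserv30 SRC DST DOMAINDN NETBIOSNAME NISDOMAIN
# Same substitution as the sed step above, plus a check that no ${...} placeholder
# survives before the file goes to ldbmodify. Values must not contain "/" or "&".
render_ypserv30() {
    sed -e "s/\${DOMAINDN}/$3/g" \
        -e "s/\${NETBIOSNAME}/$4/g" \
        -e "s/\${NISDOMAIN}/$5/g" "$1" > "$2" || return 1
    if grep -q '\${' "$2"; then
        echo "unreplaced variables in $2:" >&2
        grep -n '\${' "$2" >&2
        return 1
    fi
}

# Constructed sample input: a minimal smb.conf and an LDIF fragment that only
# mimics the placeholders of ypServ30.ldif (it is not the real file).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/smb.conf" <<'EOF'
[global]
    workgroup = SAMDOM
    # idmap_ldb:use rfc2307 = no
    idmap_ldb:use rfc2307 = yes
[sysvol]
    path = /usr/local/samba/var/locks/sysvol
EOF
cat > "$SAMPLE_DIR/ypServ30.ldif" <<'EOF'
dn: CN=${NETBIOSNAME},CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,${DOMAINDN}
changetype: add
objectClass: container
description: NIS domain ${NISDOMAIN}
EOF

check_rfc2307_global "$SAMPLE_DIR/smb.conf" && echo "smb.conf: RFC2307 enabled in [global]"
render_ypserv30 "$SAMPLE_DIR/ypServ30.ldif" "$SAMPLE_DIR/out.ldif" \
    'DC=samdom,DC=example,DC=com' DC1 samdom && echo "rendered $SAMPLE_DIR/out.ldif"
```

To use it against a real Domain Controller, point check_rfc2307_global at /usr/local/samba/etc/smb.conf and render_ypserv30 at the copy of ypServ30.ldif in /tmp before running ldbmodify.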