Setting up RFC2307 in AD

From SambaWiki

Introduction

What is RFC2307?

RFC2307 defines a schema for storing e. g. user and group information in an LDAP directory. This allows central administration, which has several advantages.

RFC2307 attributes are by default in place in a Samba Active Directory. You just have to configure Samba to use them instead of local ID mapping.


What are NIS Extensions?

With a simple schema extension for NIS (Network Information System), additional information can be managed in Active Directory. This allows you e. g. to easily manage users/groups using Windows tools like ADUC, without manually counting UIDs/GIDs.


Server information used in this HowTo

Inside this HowTo, we will be using the following configuration/settings:

Netbios Name:           DC1
LDAP Domain DN:         DC=samdom,DC=example,DC=com
DC Name:                DC1.samdom.example.com
Netbios/NIS Domain:     samdom
Installation Directory: /usr/local/samba/



Advantages

RFC2307 and the installed NIS Extensions in your Samba Active Directory will not cause any problem or harm, even if you don't need to use them (yet). Enabling this feature provides a number of advantages:

  • Central administration of users (UID, Login Shell, Home Directory, Primary Group) and groups (GID) directly in Active Directory.
  • Consistent user and group information across multiple machines.
  • Individual settings for users (e. g. for Login Shell). Other mapping technologies typically use global template settings for all accounts on a host. Note: currently (4.1.13), Samba servers in the AD DC role don't use the standard winbindd daemon. This causes winbind and nss-winbind to fetch only UID and GID, not login shell and home directory. Samba 4.2 may make it possible to use the standard winbindd, removing this drawback.
  • Central management removes the need for local ID mapping, which can cause incorrect file ownership if the local database corrupts.
  • Easy user/group management via the default Microsoft tools (e. g. Active Directory Users and Computers), which are part of RSAT.
  • No need for manual ID counting when using the default Microsoft tools: the next free UID and GID is stored directly in Active Directory and is incremented when a new user or group is created.
  • No disadvantages if enabled and not used. ;-)



Possible problems, when RFC2307 is not used

If you don't use a centrally managed account/group database, the mapping is handled by each server itself, through Winbind, nslcd or sssd. One result is that users have different UIDs on each Member Server. Example:

On Member Server 1:

# getent passwd demo1
SAMDOM\demo1:*:3000022:100:demo1:/home/SAMDOM/demo1:/bin/false

On Member Server 2:

# getent passwd demo1
SAMDOM\demo1:*:3000019:100:demo1:/home/SAMDOM/demo1:/bin/false

As long as the server is only accessed through Samba, this won't be a problem. However, if you e. g. copy files directly between the servers at the filesystem level, the same account will no longer be able to access the files, because it has a different UID on the destination server. And if some other account owns that UID on the destination, it will be able to access the files!
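To detect this before copying, here is an added check (not part of the SambaWiki page) that compares getent passwd output collected on two member servers and reports accounts whose UID differs; the two sample outputs are constructed from the entries above.

```shell
# Added example, not from the SambaWiki page. Input files hold the output of
# "getent passwd" captured on each member server; the samples are constructed.

# Usage: uid_mismatches <passwd-from-server1> <passwd-from-server2>
# Prints "<account> <uid on server 1> <uid on server 2>" for every account
# whose UID differs; returns 1 if any mismatch was found, 0 otherwise.
uid_mismatches() {
    awk -F: '
        NR == FNR { uid[$1] = $3; next }                  # first file: UID per account
        ($1 in uid) && uid[$1] != $3 { print $1, uid[$1], $3; bad = 1 }
        END { exit bad ? 1 : 0 }
    ' "$1" "$2"
}

# Constructed samples: demo1 has a different UID on server 2, demo2 agrees
SERVER1_PASSWD=$(mktemp)
SERVER2_PASSWD=$(mktemp)
cat > "$SERVER1_PASSWD" <<'EOF'
SAMDOM\demo1:*:3000022:100:demo1:/home/SAMDOM/demo1:/bin/false
SAMDOM\demo2:*:3000023:100:demo2:/home/SAMDOM/demo2:/bin/false
EOF
cat > "$SERVER2_PASSWD" <<'EOF'
SAMDOM\demo1:*:3000019:100:demo1:/home/SAMDOM/demo1:/bin/false
SAMDOM\demo2:*:3000023:100:demo2:/home/SAMDOM/demo2:/bin/false
EOF

uid_mismatches "$SERVER1_PASSWD" "$SERVER2_PASSWD" \
    && echo "UIDs agree: copying at filesystem level keeps ownership intact" \
    || echo "UID mismatch found: fix ID mapping (e. g. RFC2307) before copying files"
```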



Check if RFC2307 is used by your Domain Controllers

Check that the smb.conf on each of your Domain Controllers contains the following parameter in the „[global]“ section:

 idmap_ldb:use rfc2307 = yes
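A section-aware version of that check, added here as an example (not a Samba tool), that a configuration audit can run on every DC: it only accepts the parameter inside „[global]“ and ignores case and whitespace in the parameter name the way Samba does. Both smb.conf files are constructed.

```shell
# Added example, not from the SambaWiki page.
# Usage: rfc2307_enabled <path to smb.conf>
# Returns 0 when "idmap_ldb:use rfc2307 = yes" is set in [global], 1 otherwise.
rfc2307_enabled() {
    awk '
        /^[[:space:]]*\[/ {                       # section header, e.g. "[global]"
            section = tolower($0)
            sub(/^[[:space:]]*\[/, "", section)
            sub(/].*$/, "", section)
            gsub(/[[:space:]]/, "", section)
            next
        }
        /^[[:space:]]*[#;]/ { next }              # comment line
        section == "global" && index($0, "=") {
            key = tolower(substr($0, 1, index($0, "=") - 1))
            val = tolower(substr($0, index($0, "=") + 1))
            gsub(/[[:space:]]/, "", key)          # Samba ignores case and whitespace
            gsub(/[[:space:]]/, "", val)          # in parameter names
            if (key == "idmap_ldb:userfc2307" && (val == "yes" || val == "true" || val == "1"))
                found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Constructed samples: one correct, one where the parameter is only commented
# out in [global] and (uselessly) present in another section
SMB_CONF_OK=$(mktemp)
SMB_CONF_BAD=$(mktemp)
cat > "$SMB_CONF_OK" <<'EOF'
[global]
    workgroup = SAMDOM
    realm = samdom.example.com
    idmap_ldb:use rfc2307 = yes
[sysvol]
    path = /usr/local/samba/var/locks/sysvol
EOF
cat > "$SMB_CONF_BAD" <<'EOF'
[global]
    workgroup = SAMDOM
    ; idmap_ldb:use rfc2307 = yes
[sysvol]
    idmap_ldb:use rfc2307 = yes
EOF

for f in "$SMB_CONF_OK" "$SMB_CONF_BAD"; do
    rfc2307_enabled "$f" && echo "$f: RFC2307 enabled" || echo "$f: RFC2307 NOT enabled in [global]"
done
```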



Check if NIS Extensions are installed in your Directory

Check if the „ypServ30“ container exists in your directory:

# ldbsearch -H /usr/local/samba/private/sam.ldb -s base -b CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com



Configuring RFC2307 and NIS Extensions in a Samba AD

During provisioning your first Domain Controller

  • Provision your domain with the „--use-rfc2307“ parameter:
# samba-tool domain provision --use-rfc2307 .....
This automatically enables RFC2307 and installs the NIS Extensions.


On additional joined Domain Controllers

This requires that your existing Domain Controllers are already using RFC2307!

  • Add the following to the „[global]“ section of your smb.conf, after you've joined the domain as a Domain Controller:
 idmap_ldb:use rfc2307 = yes
  • Restart Samba

As mentioned in Advantages, login shell and home directory aren't fetched even when using RFC2307. You may customize their templates using the template shell and template homedir options in smb.conf. Beware that before Samba 4.2, you have to use %ACCOUNTNAME% and %WORKGROUP% instead of the %U and %D placeholders.


Extending the Schema for NIS Extensions

This procedure extends your directory schema, which affects your complete Active Directory Forest! Make sure that you have a restorable backup of your AD, in case anything fails or breaks your installation!

  • If you have multiple Domain Controllers, locate the one that owns the „Schema Master“ role in your forest:
# samba-tool fsmo show | grep SchemaMasterRole

SchemaMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
This indicates that „DC1“ is currently the Schema Master in your forest. Continue with the next steps on this host.
  • Shut down Samba.
  • Create a copy of „ypServ30.ldif“:
# cp /usr/local/samba/share/setup/ypServ30.ldif /tmp/
  • Replace the variables in the LDIF file (adapt the values to your environment!):
# sed -i -e 's/${DOMAINDN}/DC=samdom,DC=example,DC=com/g' \
         -e 's/${NETBIOSNAME}/DC1/g' \
         -e 's/${NISDOMAIN}/samdom/g' \
         /tmp/ypServ30.ldif
  • Import the schema:
# ldbmodify -H /usr/local/samba/private/sam.ldb /tmp/ypServ30.ldif --option="dsdb:schema update allowed"=true

Modified 55 records successfully
  • Start Samba.
  • Directory replication automatically pushes the new schema to all Domain Controllers in your forest.
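Added example (not from the SambaWiki page): a helper that applies the three substitutions from the sed step above to a copy of „ypServ30.ldif“ and refuses to hand the file to ldbmodify if any „${...}“ placeholder survives, for instance because a variable name was mistyped. The LDIF shown is a constructed stand-in for the real file.

```shell
# Added example, not from the SambaWiki page. Expands the three variables the
# HowTo replaces with sed and checks that nothing unexpanded is left.
# Usage: prepare_ypserv_ldif <in.ldif> <out.ldif> <domain DN> <netbios name> <nis domain>
# Returns 0 when the output contains no ${...} placeholder, 1 otherwise.
prepare_ypserv_ldif() {
    # "\$" keeps the dollar sign literal for sed; values containing "/" would need escaping
    sed -e "s/\\\${DOMAINDN}/$3/g" \
        -e "s/\\\${NETBIOSNAME}/$4/g" \
        -e "s/\\\${NISDOMAIN}/$5/g" "$1" > "$2" || return 1
    if grep -n '\${[A-Za-z_]*}' "$2"; then
        echo "refusing to import: unexpanded variables remain in $2" >&2
        return 1
    fi
}

# Constructed stand-in for /usr/local/samba/share/setup/ypServ30.ldif
YPSERV_TEMPLATE=$(mktemp)
cat > "$YPSERV_TEMPLATE" <<'EOF'
dn: CN=ypServ30,CN=RpcServices,CN=System,${DOMAINDN}
objectClass: container
cn: ypServ30

dn: CN=${NISDOMAIN},CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,${DOMAINDN}
objectClass: container
cn: ${NISDOMAIN}
description: NIS domain served by ${NETBIOSNAME}
msSFU30MaxUidNumber: 10000
msSFU30MaxGidNumber: 10000
EOF

YPSERV_READY=$(mktemp)
if prepare_ypserv_ldif "$YPSERV_TEMPLATE" "$YPSERV_READY" \
        'DC=samdom,DC=example,DC=com' DC1 samdom; then
    echo "ready: ldbmodify -H /usr/local/samba/private/sam.ldb $YPSERV_READY --option=\"dsdb:schema update allowed\"=true"
fi
```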



Administer Unix Attributes in Active Directory

The actions described in this section require the NIS Extensions to be installed!


Enabling the "UNIX Attributes" tab in the properties sheet for a user or group

In order for the "UNIX Attributes" tab to be displayed in Active Directory Users and Computers (ADUC), "Server for NIS Tools" must be enabled in the Windows machine running ADUC. Go to Control Panel > Programs and Features > Turn Windows features on and off, and select the corresponding box.

Windows7Features.png

Using ADUC to set Unix Attributes on a user account

  • Open ADUC.
  • Right-click a user account and choose Properties.
  • Navigate to the „UNIX Attributes“ tab.
  • When you choose the „NIS Domain“, the other fields are enabled. Fill in the values as required.
Hint: As primary group you can only choose groups that have Unix attributes defined!
File:ADUC Unix Attributes User.png
  • Click „OK“ to save your changes.


Using ADUC to set Unix Attributes on groups

  • Open ADUC.
  • Right-click a group and choose Properties.
  • Navigate to the „UNIX Attributes“ tab.
  • When you choose the „NIS Domain“, the other fields are enabled. Fill in the values as required.
Hint: It's not required to add users to the group in this tab! Winbind, sssd and nslcd retrieve the group membership from the Windows groups (see the „Member Of“ tab).
File:ADUC Unix Attributes Groups.png
  • Click „OK“ to save your changes.


Defining the next UID/GID to use

Every time a UID/GID is assigned, Active Directory Users and Computers (ADUC) stores the next unused UID/GID in Active Directory.

By default, Active Directory starts assigning both UIDs and GIDs at 10000.

You can change the next UID/GID that will be assigned. E. g. if you need UIDs to start at 20000 and GIDs at 50000, change the values on a Domain Controller:

# ldbedit -H /usr/local/samba/private/sam.ldb -b CN=samdom,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com

Adapt the following two attributes to your needs and save the changes.

msSFU30MaxUidNumber: 20000
msSFU30MaxGidNumber: 50000
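Added example (not from the SambaWiki page): the same change done non-interactively, generating a modify LDIF for ldbmodify instead of editing in ldbedit, after checking the new start values against the highest uidNumber/gidNumber already assigned, because a lower value would let ADUC hand out an ID that is already in use. The ldbsearch-style dump of assigned IDs is constructed; the DN is the one used on this page.

```shell
# Added example, not from the SambaWiki page.
# DN of the NIS domain object from this HowTo; adapt it to your domain.
NIS_DOMAIN_DN='CN=samdom,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com'

# Highest value of attribute $1 (uidNumber or gidNumber) in an ldbsearch-style dump $2
max_assigned() {
    awk -v attr="$1:" '$1 == attr && $2 + 0 > max { max = $2 + 0 } END { print max + 0 }' "$2"
}

# Usage: next_ids_ldif <dump of assigned IDs> <next UID> <next GID>
# Prints the LDIF for ldbmodify; returns 1 if a value is not an integer or
# would overlap an ID that is already assigned.
next_ids_ldif() {
    for v in "$2" "$3"; do
        case "$v" in ''|*[!0-9]*) echo "UID/GID must be positive integers" >&2; return 1 ;; esac
    done
    uid_max=$(max_assigned uidNumber "$1")
    gid_max=$(max_assigned gidNumber "$1")
    if [ "$2" -le "$uid_max" ] || [ "$3" -le "$gid_max" ]; then
        echo "refusing: highest assigned uidNumber=$uid_max gidNumber=$gid_max" >&2
        return 1
    fi
    printf 'dn: %s\nchangetype: modify\n' "$NIS_DOMAIN_DN"
    printf 'replace: msSFU30MaxUidNumber\nmsSFU30MaxUidNumber: %s\n-\n' "$2"
    printf 'replace: msSFU30MaxGidNumber\nmsSFU30MaxGidNumber: %s\n-\n' "$3"
}

# Constructed dump of the IDs currently in use (e. g. collected with
# ldbsearch -H /usr/local/samba/private/sam.ldb '(|(uidNumber=*)(gidNumber=*))' uidNumber gidNumber)
ASSIGNED_IDS=$(mktemp)
cat > "$ASSIGNED_IDS" <<'EOF'
dn: CN=demo1,CN=Users,DC=samdom,DC=example,DC=com
uidNumber: 10001
gidNumber: 10000

dn: CN=unixusers,CN=Users,DC=samdom,DC=example,DC=com
gidNumber: 10000
EOF

# Write the LDIF, then apply it with:
#   ldbmodify -H /usr/local/samba/private/sam.ldb "$NEXT_IDS_LDIF"
NEXT_IDS_LDIF=$(mktemp)
next_ids_ldif "$ASSIGNED_IDS" 20000 50000 > "$NEXT_IDS_LDIF" && cat "$NEXT_IDS_LDIF"
```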