Setting up RFC2307 in AD

From SambaWiki
Revision as of 16:27, 18 May 2014 by Mmuehlfeld (talk | contribs) (Initial version of a HowTo about RFC2307 in a Samba AD)


What is RFC2307?

RFC 2307 defines an LDAP schema for storing the information normally kept in Unix NIS maps (passwd, group, hosts, services and so on) in an LDAP directory. In a Samba Active Directory this means that the Unix attributes of users (UID, login shell, home directory, primary group) and groups (GID) are stored on the directory objects themselves and read by Winbind, sssd or nslcd on the Linux machines. This allows central administration of these values, with the advantages described below.

Server information used in this HowTo

This HowTo uses the following configuration/settings:

Domain Controller Name: DC1
Installation Directory: /usr/local/samba/
LDAP Domain DN:         DC=samdom,DC=example,DC=com
Netbios Name:           samdom
NIS Domain:             samdom


Enabling RFC2307 in your Samba Active Directory causes no problems or harm, even if you don't need it (yet). Enabling this feature provides the following advantages:

  • Central administration of users (UID, login shell, home directory, primary group) and groups (GID) directly in Active Directory.
  • Consistent user and group information across multiple machines.
  • Individual settings per user (e. g. the login shell). Other mapping technologies typically use global template settings for all accounts on a host.
  • Central management removes the need for local ID mappings, which can cause loss of file ownership if the local mapping database becomes corrupted.
  • Easy user/group management with the default Microsoft tools (e. g. Active Directory Users and Computers), which are part of RSAT.
  • No manual ID counting when using the default Microsoft tools: the next free UID and GID are stored directly in Active Directory and incremented when a new user or group is created.
  • No disadvantages if enabled and not used. ;-)

Possible problems when RFC2307 is not used

If you don't use a centrally managed account/group database, ID mapping is handled by each server itself, through Winbind, nslcd or sssd. One result is that the same user gets a different UID on each Member Server. Example:

On Member Server 1:

# getent passwd demo1

On Member Server 2:

# getent passwd demo1

As long as the servers are only accessed through Samba, this is not a problem, because each server translates the user's SID to its own local UID. But if you copy files between the servers at filesystem level (e. g. with rsync or tar, which preserve the numeric UID), the same account can no longer access the files, because it has a different UID on the destination server. Worse, some other account may gain access to the files if it happens to own that UID on the destination!
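To make the effect above concrete, the following script is added here as an example (it is not part of the original HowTo). It compares two constructed passwd dumps that stand in for the output of „getent passwd“ on two Member Servers (all names and UIDs are invented), lists every account whose UID differs, and shows which account on the second server would end up owning a file copied from the first with its numeric UID preserved:

```shell
#!/bin/sh
# Added example, not from the Samba wiki: audit two member servers that map
# IDs locally and show what a raw filesystem copy does to file ownership.
# The two passwd dumps below are constructed for this example; the names and
# UIDs are invented and stand in for `getent passwd` output on each host.

SERVER1_PASSWD='demo1:*:3000001:3000001::/home/SAMDOM/demo1:/bin/false
demo2:*:3000002:3000001::/home/SAMDOM/demo2:/bin/false
backup:*:3000003:3000001::/home/SAMDOM/backup:/bin/false'

SERVER2_PASSWD='demo2:*:3000001:3000001::/home/SAMDOM/demo2:/bin/false
demo1:*:3000002:3000001::/home/SAMDOM/demo1:/bin/false
backup:*:3000003:3000001::/home/SAMDOM/backup:/bin/false'

# uid_of NAME DUMP: print the UID of NAME in a passwd dump (nothing if absent)
uid_of() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $3; exit }'
}

# name_of UID DUMP: print the account that owns UID in a passwd dump
name_of() {
    printf '%s\n' "$2" | awk -F: -v id="$1" '$3 == id { print $1; exit }'
}

# owner_after_copy NAME: which server-2 account ends up owning NAME's files
# after a copy that preserves the numeric UID (tar, rsync -a, cp -p, ...)
owner_after_copy() {
    uid=$(uid_of "$1" "$SERVER1_PASSWD")
    owner=$(name_of "$uid" "$SERVER2_PASSWD")
    printf '%s\n' "${owner:-unmapped-uid-$uid}"
}

# audit_uids: one line "name uid_on_server1 uid_on_server2" per account whose
# UID differs between the two hosts, i.e. every account a raw copy would break
audit_uids() {
    awk -F: -v a="$SERVER1_PASSWD" -v b="$SERVER2_PASSWD" 'BEGIN {
        n = split(a, la, "\n")
        for (i = 1; i <= n; i++) { split(la[i], f, ":"); uid1[f[1]] = f[3] }
        n = split(b, lb, "\n")
        for (i = 1; i <= n; i++) { split(lb[i], f, ":"); uid2[f[1]] = f[3] }
        for (u in uid1)
            if ((u in uid2) && uid1[u] != uid2[u]) print u, uid1[u], uid2[u]
    }' | sort
}

# uid_mismatch_count: number of accounts reported by audit_uids
uid_mismatch_count() {
    audit_uids | wc -l | tr -d ' '
}

# Stand-alone run: print the audit and the concrete effect on one account
audit_uids
printf 'demo1 files copied from server 1 would be owned by: %s\n' "$(owner_after_copy demo1)"
```

With the constructed data, „demo1“ and „demo2“ have swapped UIDs, so files of „demo1“ copied to the second server are readable by „demo2“ and no longer by „demo1“; only „backup“, whose UID happens to match, survives the copy. Run the audit with real „getent passwd“ dumps before moving data between servers that do not share RFC2307 IDs.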

Check if RFC2307 is enabled in your Active Directory

If you have a working Samba Active Directory, check the following to find out whether RFC2307 is already enabled:

  • Check whether the „ypServ30“ container (and its „ypservers“ sub-container) exists in your directory. The search fails with an error for the base DN if it does not:
# ldbsearch -H /usr/local/samba/private/sam.ldb -s base -b CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com
  • Check that the smb.conf on all your Domain Controllers contains the following parameter in the „[global]“ section:
 idmap_ldb:use rfc2307 = yes
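The smb.conf check above is easy to get wrong by eye (the parameter must be in „[global]“, not in a share section, and a commented-out line does not count). The following script is added here as an example, not from the original HowTo, that parses an smb.conf the way Samba reads it (assumption: parameter names are compared ignoring case and whitespace, only whole-line „#“ or „;“ comments are skipped, and „yes“, „true“ and „1“ all mean enabled). The three configurations in it are constructed for the example:

```shell
#!/bin/sh
# Added example, not from the Samba wiki: check an smb.conf for
#   idmap_ldb:use rfc2307 = yes
# inside the [global] section.
# Assumptions (how Samba reads the file, mirrored here): parameter names are
# matched ignoring case and whitespace, only whole-line comments starting with
# # or ; are skipped, and the setting only counts in [global], not in a share.
# The three configurations below are constructed for this example.

CONF_OK='[global]
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    # ID mapping from the RFC2307 attributes stored in AD
    Idmap_Ldb:Use RFC2307 = Yes
[sysvol]
    path = /usr/local/samba/var/locks/sysvol'

CONF_WRONG_SECTION='[global]
    workgroup = SAMDOM
[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    idmap_ldb:use rfc2307 = yes'

CONF_MISSING='[global]
    workgroup = SAMDOM
    ; idmap_ldb:use rfc2307 = yes   (commented out, so not active)'

# rfc2307_setting CONF_TEXT: print the value of idmap_ldb:use rfc2307 from
# [global], lower-cased; print nothing when it is not set there
rfc2307_setting() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*[#;]/ { next }                      # whole-line comment
        /^[ \t]*\[/   { s = $0; gsub(/[ \t]/, "", s); section = tolower(s); next }
        section == "[global]" && /=/ {
            key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
            val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(key) == "idmap_ldb:userfc2307") { print tolower(val); exit }
        }'
}

# rfc2307_enabled CONF_TEXT: succeed only if the setting is a Samba "true"
rfc2307_enabled() {
    case "$(rfc2307_setting "$1")" in
        yes|true|1) return 0 ;;
        *)          return 1 ;;
    esac
}

# check_smb_conf FILE: the same check against a real file, to be run on every
# Domain Controller, e.g.  check_smb_conf /usr/local/samba/etc/smb.conf
check_smb_conf() {
    if rfc2307_enabled "$(cat "$1")"; then
        printf '%s: idmap_ldb:use rfc2307 is enabled in [global]\n' "$1"
    else
        printf '%s: idmap_ldb:use rfc2307 is NOT enabled in [global]\n' "$1" >&2
        return 1
    fi
}

# Stand-alone run over the constructed configurations
for c in CONF_OK CONF_WRONG_SECTION CONF_MISSING; do
    eval "text=\$$c"
    if rfc2307_enabled "$text"; then printf '%s: enabled\n' "$c"; else printf '%s: not enabled\n' "$c"; fi
done
```

Only „CONF_OK“ passes: the parameter in a share section and the commented-out line are both reported as not enabled, which is exactly what a DC with such a file would do.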

Configuring RFC2307 in a Samba AD

When provisioning your first Domain Controller

  • Provision your domain with the „--use-rfc2307“ parameter:
# samba-tool domain provision --use-rfc2307 .....

On additional joined Domain Controllers

This requires that RFC2307 is already enabled in your Active Directory!

  • Add the following to the „[global]“ section of your smb.conf after you have joined the domain as a Domain Controller:
 idmap_ldb:use rfc2307 = yes
  • Restart Samba.

For an existing Active Directory

This procedure requires a schema extension, which affects your complete Active Directory forest! Make sure you have a restorable backup of your AD, in case anything fails or breaks your installation!

  • If you have multiple Domain Controllers, locate the one holding the „Schema Master“ role in your forest:
# samba-tool fsmo show | grep SchemaMasterRole

SchemaMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
This indicates that „DC1“ is currently the Schema Master of your forest. Continue with the next steps on this host.
  • Shut down Samba.
  • Create a copy of „ypServ30.ldif“:
# cp /usr/local/samba/share/setup/ypServ30.ldif /tmp/
  • Replace the variables in the LDIF file (adapt the values to your environment!):
# sed -i -e 's/${DOMAINDN}/DC=samdom,DC=example,DC=com/g' \
         -e 's/${NETBIOSNAME}/samdom/g' \
         -e 's/${NISDOMAIN}/samdom/g' \
         /tmp/ypServ30.ldif
  • Import the schema:
# ldbmodify -H /usr/local/samba/private/sam.ldb /tmp/ypServ30.ldif --option="dsdb:schema update allowed"=true

Modified 55 records successfully
  • Start Samba.
  • Directory replication pushes the new schema automatically to all Domain Controllers in your forest.
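The steps above as one script, added here as an example and not part of the original HowTo. It renders the LDIF and checks that no „${...}“ placeholder is left before Samba is stopped, refuses to run on anything but the Schema Master, and only touches sam.ldb when started with the argument „apply“. Assumptions that are not from the page: the Samba binaries are on PATH, the placeholders in ypServ30.ldif are exactly the three the sed command above replaces, and „SAMBA_STOP“/„SAMBA_START“ (defaulting to a hypothetical „samba-ad-dc“ systemd unit) are whatever stops and starts your DC. „SAMPLE_LDIF“ is a short constructed stand-in that only mimics the placeholder usage; it is not the content of the real file:

```shell
#!/bin/sh
# Added example, not from the Samba wiki: the "existing Active Directory"
# procedure as one script with pre-flight checks.
# Assumptions (not from the page): Samba binaries on PATH (e.g.
# /usr/local/samba/bin); SAMBA_STOP / SAMBA_START stop and start your DC (the
# samba-ad-dc unit name is a guess, override it); the placeholders in
# ypServ30.ldif are ${DOMAINDN}, ${NETBIOSNAME} and ${NISDOMAIN}.
# Nothing talks to Samba unless you run:   sh rfc2307-schema.sh apply

SAMBA_PRIVATE=/usr/local/samba/private
SETUP_LDIF=/usr/local/samba/share/setup/ypServ30.ldif
WORK_LDIF=/tmp/ypServ30.ldif
DOMAINDN='DC=samdom,DC=example,DC=com'
NETBIOSNAME=samdom
NISDOMAIN=samdom
SAMBA_STOP=${SAMBA_STOP:-'systemctl stop samba-ad-dc'}
SAMBA_START=${SAMBA_START:-'systemctl start samba-ad-dc'}

# Constructed stand-in for ypServ30.ldif (NOT the real file's content); it only
# reproduces how the three placeholders appear, so the rendering can be tested.
SAMPLE_LDIF='dn: CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,${DOMAINDN}
objectClass: container

dn: CN=${NISDOMAIN},CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,${DOMAINDN}
objectClass: container
description: NIS domain ${NISDOMAIN} of ${NETBIOSNAME}'

# render_ldif DOMAINDN NETBIOSNAME NISDOMAIN: stdin -> stdout with the three
# placeholders substituted. `|` is the sed delimiter because DNs contain no
# `|`; the values must not contain `&` or `\` either.
render_ldif() {
    sed -e 's|\${DOMAINDN}|'"$1"'|g' \
        -e 's|\${NETBIOSNAME}|'"$2"'|g' \
        -e 's|\${NISDOMAIN}|'"$3"'|g'
}

# unresolved_placeholders: stdin -> number of lines still containing ${...}.
# Anything but 0 means the file uses a placeholder we did not substitute.
unresolved_placeholders() {
    grep -c '\${[A-Za-z_]*}' || true
}

# schema_master: the DC name from "samba-tool fsmo show", e.g. DC1
schema_master() {
    samba-tool fsmo show | awk -F, '/^SchemaMasterRole owner:/ { sub(/^CN=/, "", $2); print $2 }'
}

# apply: the documented steps, only on the Schema Master, and only after the
# rendered LDIF passed the placeholder check (so Samba is never left stopped
# because of a rendering problem)
apply() {
    master=$(schema_master | tr '[:lower:]' '[:upper:]')
    me=$(uname -n | cut -d. -f1 | tr '[:lower:]' '[:upper:]')
    if [ "$master" != "$me" ]; then
        printf 'run this on the Schema Master (%s), not on %s\n' "$master" "$me" >&2
        return 1
    fi
    render_ldif "$DOMAINDN" "$NETBIOSNAME" "$NISDOMAIN" < "$SETUP_LDIF" > "$WORK_LDIF"
    if [ "$(unresolved_placeholders < "$WORK_LDIF")" != 0 ]; then
        printf 'unexpected placeholders left in %s, not importing:\n' "$WORK_LDIF" >&2
        grep '\${' "$WORK_LDIF" >&2
        return 1
    fi
    $SAMBA_STOP
    ldbmodify -H "$SAMBA_PRIVATE/sam.ldb" "$WORK_LDIF" --option="dsdb:schema update allowed"=true
    $SAMBA_START
}

if [ "${1:-}" = apply ]; then
    apply
else
    # dry run: show what the substitution does to the constructed sample
    printf '%s\n' "$SAMPLE_LDIF" | render_ldif "$DOMAINDN" "$NETBIOSNAME" "$NISDOMAIN"
fi
```

Without the „apply“ argument the script only renders the constructed sample, which lets you confirm the substitution on a DC before the real run; the placeholder check catches a newer ypServ30.ldif that uses a variable the sed command does not know.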

Administer Unix Attributes in Active Directory

Using ADUC to set Unix Attributes on a user account

  • Open ADUC.
  • Right-click a user account and choose „Properties“.
  • Navigate to the „UNIX Attributes“ tab.
  • Once you select the „NIS Domain“, the other fields become enabled. Fill in the values as required.
Hint: As primary group you can only choose groups that already have Unix attributes defined!
File:ADUC Unix Attributes User.png
  • Click „OK“ to save your changes.

Using ADUC to set Unix Attributes on groups

  • Open ADUC.
  • Right-click a group and choose „Properties“.
  • Navigate to the „UNIX Attributes“ tab.
  • Once you select the „NIS Domain“, the other fields become enabled. Fill in the values as required.
Hint: It is not required to add users to the group in this tab! Winbind, sssd and nslcd retrieve the group membership from the Windows group membership (see the „Member Of“ tab).
File:ADUC Unix Attributes Groups.png
  • Click „OK“ to save your changes.

Defining the next UID/GID to use

Every time a UID/GID is assigned, Active Directory Users and Computers (ADUC) stores the next unused UID/GID in Active Directory.

By default, Active Directory starts assigning both UIDs and GIDs at 10000.

You can change the next UID/GID that will be assigned. E. g. if you want UIDs to start at 20000 and GIDs at 50000, change the values on a Domain Controller:

# ldbedit -H /usr/local/samba/private/sam.ldb -b CN=samdom,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com

Adapt the following two attributes to your needs and save the changes. Despite their names, they hold the next value ADUC hands out, so do not set them lower than a UID/GID that is already assigned, or the next assignment may duplicate an ID that is already in use.

msSFU30MaxUidNumber: 20000
msSFU30MaxGidNumber: 50000
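The same change without an interactive ldbedit session, added here as an example that is not part of the original HowTo: it generates the modify LDIF for the two attributes above and, before applying it, refuses a value that is not above every ID already in use, since the counter is what ADUC assigns next. Assumptions not from the page: the ldb tools are on PATH, the DN matches your domain, and „ldbsearch“ is used with a filter on „uidNumber“/„gidNumber“ to collect the IDs already assigned. „ASSIGNED_UIDS“ is constructed sample data:

```shell
#!/bin/sh
# Added example, not from the Samba wiki: set the next UID/GID via ldbmodify
# and refuse a value that is not above every ID already assigned (the
# attributes are the values ADUC hands out next, so a lower value would let
# ADUC assign an ID some account already has).
# Assumptions (not from the page): ldb tools on PATH; the DN matches your
# domain. ASSIGNED_UIDS is constructed sample data; on a DC the live list is
# collected the way set_next_ids does it below.

SAM_LDB=/usr/local/samba/private/sam.ldb
NISDOMAIN=samdom
DOMAINDN='DC=samdom,DC=example,DC=com'

ASSIGNED_UIDS='10000
10001
10002'

# max_assigned: stdin list of numbers -> the largest one (0 for an empty list)
max_assigned() {
    awk 'BEGIN { m = 0 } $1 + 0 > m { m = $1 + 0 } END { print m }'
}

# check_next_id PROPOSED LIST: succeed only if PROPOSED is a positive integer
# greater than every ID in LIST (newline-separated)
check_next_id() {
    case "$1" in
        ''|*[!0-9]*) printf 'not a number: %s\n' "$1" >&2; return 1 ;;
    esac
    top=$(printf '%s\n' "$2" | max_assigned)
    if [ "$1" -le "$top" ]; then
        printf 'refusing %s: ID %s is already assigned\n' "$1" "$top" >&2
        return 1
    fi
    return 0
}

# next_id_ldif NISDOMAIN DOMAINDN NEXT_UID NEXT_GID: modify LDIF for the two
# counters the page edits with ldbedit
next_id_ldif() {
    printf 'dn: CN=%s,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,%s\n' "$1" "$2"
    printf 'changetype: modify\n'
    printf 'replace: msSFU30MaxUidNumber\nmsSFU30MaxUidNumber: %s\n-\n' "$3"
    printf 'replace: msSFU30MaxGidNumber\nmsSFU30MaxGidNumber: %s\n-\n' "$4"
}

# set_next_ids NEXT_UID NEXT_GID: validate against the live directory, then
# apply on the Domain Controller (not called in the stand-alone run)
set_next_ids() {
    uids=$(ldbsearch -H "$SAM_LDB" '(uidNumber=*)' uidNumber | awk '/^uidNumber:/ { print $2 }')
    gids=$(ldbsearch -H "$SAM_LDB" '(gidNumber=*)' gidNumber | awk '/^gidNumber:/ { print $2 }')
    check_next_id "$1" "$uids" || return 1
    check_next_id "$2" "$gids" || return 1
    f=$(mktemp)
    next_id_ldif "$NISDOMAIN" "$DOMAINDN" "$1" "$2" > "$f"
    ldbmodify -H "$SAM_LDB" "$f"
    rm -f "$f"
}

# Stand-alone run: validate the page's example values against the sample
# data and print the LDIF that would be applied
check_next_id 20000 "$ASSIGNED_UIDS" && next_id_ldif "$NISDOMAIN" "$DOMAINDN" 20000 50000
```

With the sample data, 20000 is accepted while 10001 or 10002 would be refused, because an account already holds 10002 and ADUC would hand the same number out again.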