Enabling idmap_ldb:use rfc2307 = yes on 2 DCs


Enabling idmap_ldb:use rfc2307 = yes on 2 DCs

danicat
Hi list,
is there a way to enable idmap_ldb:use rfc2307 if I already have 2
working AD DCs in my domain?

Should I just add the line on smb.conf and restart samba on the DCs?

I've also read that nss should be configured for winbind: does this mean
that I have to modify /etc/nsswitch.conf? If yes, could someone point me
in what and how to change it?

Thanks in advance,
Daniele.


Re: Enabling idmap_ldb:use rfc2307 = yes on 2 DCs

danicat
Hi list,

On Thu, 2012-09-20 at 12:01 +0200, Daniele Dario wrote:

> Hi list,
> is there a way to enable idmap_ldb:use rfc2307 if I already have 2
> working AD DCs in my domain?
>
> Should I just add the line on smb.conf and restart samba on the DCs?
>
> I've also read that nss should be configured for winbind: does this mean
> that I have to modify /etc/nsswitch.conf? If yes, could someone point me
> in what and how to change it?
>
> Thanks in advance,
> Daniele.
>

I backed up var etc private and updated samba to rc1 on both DCs, then I
added idmap_ldb:use rfc2307 = Yes to smb.conf.

I ran samba-tool dbcheck --cross-ncs and no errors were found, so I
started samba (I did this once per DC).

As per samba4/winbind howto at
http://wiki.samba.org/index.php/Samba4/Winbind I added the links for
libnss_winbind.so and libnss_winbind.so.2 in /lib and
modified /etc/nsswitch.conf and now id username shows the correct
information about the given username.

Now if I create a new user its UID is the same on both DCs but the
problem is that the UIDs and GIDs of the previously created users/groups
are not the same on the 2 DCs I guess because they were created without
specifying idmap_ldb:use rfc2307 = Yes in smb.conf.

Does anyone know if it is possible to fix this?

If I demote the "secondary" DC and then re-join it, would it apply the
rfc2307 statement?
Should I do it both ways (demote secondary and rejoin it and then
demote primary and rejoin it)?

Thanks in advance,
Daniele.
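
The two files this post edits, as an added illustration that is not from the original post or the Samba wiki: the smb.conf path is an assumption (a source build under /usr/local/samba keeps it in /usr/local/samba/etc/smb.conf), and the rest of each file stays as the DC's provisioning and the distribution left it.

```ini
# smb.conf, [global] section, on every DC: the option must be set on all of
# them, otherwise each DC keeps allocating ids on its own from its idmap.ldb
[global]
        idmap_ldb:use rfc2307 = yes

# /etc/nsswitch.conf: let id/getent resolve domain users and groups through
# winbind (libnss_winbind.so.2 must be reachable by the loader, as the post says)
passwd:         files winbind
group:          files winbind
```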



Re: Enabling idmap_ldb:use rfc2307 = yes on 2 DCs

danicat
Hi list,
after I create a new user on the domain I've seen that the old
users' UIDs and group GIDs also become the same on both DCs.

Enabling rfc2307 works (at least for me).

Cheers,
Daniele.

On Fri, 2012-09-21 at 10:10 +0200, Daniele Dario wrote:

> Hi list,
>
> On Thu, 2012-09-20 at 12:01 +0200, Daniele Dario wrote:
> > Hi list,
> > is there a way to enable idmap_ldb:use rfc2307 if I already have 2
> > working AD DCs in my domain?
> >
> > Should I just add the line on smb.conf and restart samba on the DCs?
> >
> > I've also read that nss should be configured for winbind: does this mean
> > that I have to modify /etc/nsswitch.conf? If yes, could someone point me
> > in what and how to change it?
> >
> > Thanks in advance,
> > Daniele.
> >
>
> I backed up var etc private and updated samba to rc1 on both DCs, then I
> added idmap_ldb:use rfc2307 = Yes to smb.conf.
>
> I ran samba-tool dbcheck --cross-ncs and no errors were found, so I
> started samba (I did this once per DC).
>
> As per samba4/winbind howto at
> http://wiki.samba.org/index.php/Samba4/Winbind I added the links for
> libnss_winbind.so and libnss_winbind.so.2 in /lib and
> modified /etc/nsswitch.conf and now id username shows the correct
> information about the given username.
>
> Now if I create a new user its UID is the same on both DCs but the
> problem is that the UIDs and GIDs of the previously created users/groups
> are not the same on the 2 DCs I guess because they were created without
> specifying idmap_ldb:use rfc2307 = Yes in smb.conf.
>
> Does anyone know if it is possible to fix this?
>
> If I demote the "secondary" DC and then re-join it, would it apply the
> rfc2307 statement?
> Should I do it both ways (demote secondary and rejoin it and then
> demote primary and rejoin it)?
>
> Thanks in advance,
> Daniele.
>
>



Re: Enabling idmap_ldb:use rfc2307 = yes on 2 DCs

steve-2
On 21/09/12 10:10, Daniele Dario wrote:

>
> Now if I create a new user its UID is the same on both DCs but the
> problem is that the UIDs and GIDs of the previously created users/groups
> are not the same on the 2 DCs I guess because they were created without
> specifying idmap_ldb:use rfc2307 = Yes in smb.conf.
>
> Does anyone know if it is possible to fix this?

Hi
As we understand it:

idmap_ldb:use rfc2307 = yes

Means that uidNumber and gidNumber are pulled from the directory as
opposed to idmap.ldb.
For users, we added:
objectClass: posixAccount
uidNumber: abc
gidNumber: xyz

and for groups:
objectClass: posixGroup
gidNumber: xyz

I think that your old users and groups will lack these entries and so
samba will fall back to idmap to get the information for uidNumber and
gidNumber.

HTH
Steve




Re: Enabling idmap_ldb:use rfc2307 = yes on 2 DCs

danicat
Hi steve,

On Fri, 2012-09-21 at 17:10 +0200, steve wrote:

> On 21/09/12 10:10, Daniele Dario wrote:
>
> >
> > Now if I create a new user its UID is the same on both DCs but the
> > problem is that the UIDs and GIDs of the previously created users/groups
> > are not the same on the 2 DCs I guess because they were created without
> > specifying idmap_ldb:use rfc2307 = Yes in smb.conf.
> >
> > Does anyone know if it is possible to fix this?
>
> Hi
> As we understand it:
>
> idmap_ldb:use rfc2307 = yes
>
> Means that uidNumber and gidNumber are pulled from the directory as
> opposed to idmap.ldb.
> For users, we added:
> objectClass: posixAccount
> uidNumber: abc
> gidNumber: xyz
>
> and for groups:
> objectClass: posixGroup
> gidNumber: xyz
>
> I think that your old users and groups will lack these entries and so
> samba will fall back to idmap to get the information for uidNumber and
> gidNumber.
>
> HTH
> Steve
>
>
>

thanks for sharing this. Can you please clarify what you mean with "we
added: objectClass: posixAccount ...".

After I added the rfc2307 = yes option to both DCs and restarted them I
added a new user, and after that it seemed that all users' UIDs were the
same between the DCs, but after a new restart of samba I've seen that it
does not work, so I'm wondering if I have to re-provision and re-join to
get it working.

Thanks,
Daniele.


Re: Enabling idmap_ldb:use rfc2307 = yes on 2 DCs

steve-2
On 24/09/12 12:28, Daniele Dario wrote:
> Hi steve,
>
> On Fri, 2012-09-21 at 17:10 +0200, steve wrote:
>> On 21/09/12 10:10, Daniele Dario wrote:

>>
>>
>>
>
> thanks for sharing this. Can you please clarify what you mean with "we
> added: objectClass: posixAccount ...".

Hi Daniele
idmap_ldb:use rfc2307 = yes
implies that you wish to obtain uidNumber and gidNumber from the
directory rather than the external idmap.ldb database.

The schema dictates that to have uidNumber and gidNumber attributes
we must also have an objectClass which supplies those attributes.

Here is a user called steve2 who meets these conditions (for our base DN
where: DC=hh3,DC=site):

dn: CN=steve2,CN=Users,DC=hh3,DC=site
cn: steve2
instanceType: 4
whenCreated: 20120828151721.0Z
uSNCreated: 3733
name: steve2
objectGUID: 93cdeea8-f899-448e-9b09-7b67023aadd9
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid: S-1-5-21-699126639-3096025544-1681200688-1108
logonCount: 0
sAMAccountName: steve2
sAMAccountType: 805306368
userPrincipalName: [hidden email]
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=hh3,DC=site
pwdLastSet: 129906406410000000
gidNumber: 20513
homeDirectory: \\hh1\home\steve2
homeDrive: Z:
loginShell: /bin/bash
profilePath: \\hh1\profiles\steve2
uidNumber: 3000007
unixHomeDirectory: /home2/home/steve2
objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: user
userAccountControl: 66048
accountExpires: 0
whenChanged: 20120829085046.0Z
uSNChanged: 3769
distinguishedName: CN=steve2,CN=Users,DC=hh3,DC=site

Here is the group Domain Users which meets the same condition:

dn: CN=Domain Users,CN=Users,DC=hh3,DC=site
cn: Domain Users
description: All domain users
instanceType: 4
whenCreated: 20120828143745.0Z
uSNCreated: 3540
name: Domain Users
objectGUID: 87da3fa5-f07c-4a4c-b501-154a53110a1b
objectSid: S-1-5-21-699126639-3096025544-1681200688-513
sAMAccountName: Domain Users
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=hh3,DC=site
isCriticalSystemObject: TRUE
memberOf: CN=Users,CN=Builtin,DC=hh3,DC=site
gidNumber: 20513
whenChanged: 20120828152046.0Z
objectClass: top
objectClass: posixGroup
objectClass: group
uSNChanged: 3739
distinguishedName: CN=Domain Users,CN=Users,DC=hh3,DC=site

I do not think that your existing users and groups will have these
entries and unless you add them when you create a new user or group,
these will lack the LDAP entries too.

The method to add the classes you are missing is documented here:
http://linuxcostablanca.blogspot.com.es/p/s4bind.html

HTH
Cheers,
Steve


Re: Enabling idmap_ldb:use rfc2307 = yes on 2 DCs

danicat
Hi steve and samba list,
I'm re-provisioning the domain and I will use the "rfc2307" option.

I provisioned with
samba-tool domain provision --realm=saitel.loc --domain=SAITEL
--adminpass=xxxxxx --server-role=dc --use-xattrs=yes --use-rfc2307

Now I created a new user and tried to see if (as steve pointed out) the
objectClass: posixAccount statement is present for that user.

To get this I used
ldbsearch -H sam.ldb -b "DC=saitel,DC=loc" "(sAMAccountName=theuser)"
but I can see only the following objectClass statements:

objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user

Is it correct or am I missing something?

If I join another DC to the domain and in its smb.conf I add the
idmap_ldb:use rfc2307 = Yes statement, would it pull the UID from the AD?
Would the UIDs be the same on both DCs?

Thanks,
Daniele.

On Mon, 2012-09-24 at 14:43 +0200, steve wrote:

> On 24/09/12 12:28, Daniele Dario wrote:
> > Hi steve,
> >
> > On Fri, 2012-09-21 at 17:10 +0200, steve wrote:
> >> On 21/09/12 10:10, Daniele Dario wrote:
>
> >>
> >>
> >>
> >
> > thanks for sharing this. Can you please clarify what you mean with "we
> > added: objectClass: posixAccount ...".
>
> Hi Daniele
> idmap_ldb:use rfc2307 = yes
> implies that you wish to obtain uidNumber and gidNumber from the
> directory rather than the external idmap.ldb database.
>
> The schema dictates that to have uidNumber and gidNumber attributes
> we must also have an objectClass which supplies those attributes.
>
> Here is a user called steve2 who meets these conditions (for our base DN
> where: DC=hh3,DC=site):
>
> dn: CN=steve2,CN=Users,DC=hh3,DC=site
> cn: steve2
> instanceType: 4
> whenCreated: 20120828151721.0Z
> uSNCreated: 3733
> name: steve2
> objectGUID: 93cdeea8-f899-448e-9b09-7b67023aadd9
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> lastLogon: 0
> primaryGroupID: 513
> objectSid: S-1-5-21-699126639-3096025544-1681200688-1108
> logonCount: 0
> sAMAccountName: steve2
> sAMAccountType: 805306368
> userPrincipalName: [hidden email]
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=hh3,DC=site
> pwdLastSet: 129906406410000000
> gidNumber: 20513
> homeDirectory: \\hh1\home\steve2
> homeDrive: Z:
> loginShell: /bin/bash
> profilePath: \\hh1\profiles\steve2
> uidNumber: 3000007
> unixHomeDirectory: /home2/home/steve2
> objectClass: top
> objectClass: posixAccount
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> userAccountControl: 66048
> accountExpires: 0
> whenChanged: 20120829085046.0Z
> uSNChanged: 3769
> distinguishedName: CN=steve2,CN=Users,DC=hh3,DC=site
>
> Here is the group Domain Users which meets the same condition:
>
> dn: CN=Domain Users,CN=Users,DC=hh3,DC=site
> cn: Domain Users
> description: All domain users
> instanceType: 4
> whenCreated: 20120828143745.0Z
> uSNCreated: 3540
> name: Domain Users
> objectGUID: 87da3fa5-f07c-4a4c-b501-154a53110a1b
> objectSid: S-1-5-21-699126639-3096025544-1681200688-513
> sAMAccountName: Domain Users
> sAMAccountType: 268435456
> groupType: -2147483646
> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=hh3,DC=site
> isCriticalSystemObject: TRUE
> memberOf: CN=Users,CN=Builtin,DC=hh3,DC=site
> gidNumber: 20513
> whenChanged: 20120828152046.0Z
> objectClass: top
> objectClass: posixGroup
> objectClass: group
> uSNChanged: 3739
> distinguishedName: CN=Domain Users,CN=Users,DC=hh3,DC=site
>
> I do not think that your existing users and groups will have these
> entries and unless you add them when you create a new user or group,
> these will lack the LDAP entries too.
>
> The method to add the classes you are missing is documented here:
> http://linuxcostablanca.blogspot.com.es/p/s4bind.html
>
> HTH
> Cheers,
> Steve
>



Re: Enabling idmap_ldb:use rfc2307 = yes on 2 DCs

steve-2
On 24/09/12 17:00, Daniele Dario wrote:
> I can see only the following objectClass statements:
>
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
>
> Is it correct or am I missing something?

You are missing:
objectClass: posixAccount
uidNumber: abc
gidNumber: xyz

>
> If I join another DC to the domain and in its smb.conf I add the
> idmap_ldb:use rfc2307 = Yes statement, would it pull the UID from the AD?
No.

> Would the UIDs be the same on both DCs?
No.

If uidNumber is not in AD to start with, then no amount of idmap_ldb:use
rfc2307 = Yes will pull it from there.

A script wrapping around samba-tool user add can add the class and
attributes easily.

Cheers,
Steve


Re: Enabling idmap_ldb:use rfc2307 = yes on 2 DCs

danicat
Hi Steve,
just to be sure I understood:

even if I provision with --use-rfc2307 I won't get it working without
using an external script to add users/groups which has to modify the ldbs,
adding the objectClass: posixAccount/posixGroup and the
uidNumber/gidNumber for every user/group added, right?

Said this, it won't work from a Windows box using the Admin tools (they
will invoke the basic samba tools, not the changed scripts). I was
looking at the examples you pointed me to:

#!/bin/bash
# Wrapper around "samba-tool group add": create the group, read back the gid
# winbind allocated for it, then store that gid in AD as a posixGroup so
# every DC resolves the same gidNumber. Usage: script <groupname>
samba-tool group add $1
strgid=$(wbinfo --group-info=$1)
gid=$(echo $strgid | cut -d ":" -f 3)
echo "dn: cn=$1,cn=Users,dc=hh3,dc=site
changetype: modify
add: objectclass
objectclass: posixGroup
-
add: gidnumber
gidnumber: $gid" > /tmp/$1
ldapmodify -h 192.168.1.3 -D cn=Administrator,cn=Users,dc=hh3,dc=site \
    -f /tmp/$1 -Y GSSAPI

and

#!/bin/bash
# Wrapper around "samba-tool user add": create the user, read back the ids
# winbind allocated, then store them in AD as posixAccount attributes so
# every DC resolves the same uidNumber/gidNumber.
# Usage: script <username> <primary group>
samba-tool user add $1
sleep 2
#get the uid
struid=$(wbinfo -i $1)
uid=$(echo $struid | cut -d ":" -f 3)
#get the gid
strgid=$(wbinfo --group-info=$2)
gid=$(echo $strgid | cut -d ":" -f 3)
#get the group RID from the sid (last dash-separated field of S-1-5-21-...-RID)
strsid=$(wbinfo --gid-to-sid=$gid)
primarygid=$(echo $strsid | cut -d "-" -f 8)
#workgroup part of the "DOMAIN\user" prefix wbinfo -i prints
strwg=$(echo $struid | cut -d "\\" -f 1)
#add the posix attributes to the user
echo "dn: CN=$1,CN=Users,DC=hh3,DC=site
changetype: modify
add: objectclass
objectclass: posixaccount
-
add: uidnumber
uidnumber: $uid
-
add: gidnumber
gidnumber: $gid
-
add: unixhomedirectory
unixhomedirectory: /home/$strwg/$1
-
add: loginshell
loginshell: /bin/bash" > /tmp/$1
ldbmodify --url=/usr/local/samba/private/sam.ldb -b dc=hh3,dc=site /tmp/$1
samba-tool group addmembers $2 $1
#set the user to the posix group
echo "dn: CN=$1,CN=Users,DC=hh3,DC=site
changetype: modify
replace: primarygroupid
primarygroupid: $primarygid" > /tmp/$1
echo "sleeping. . ."
sleep 5
ldbmodify --url=/usr/local/samba/private/sam.ldb -b dc=hh3,dc=site /tmp/$1
mkdir /home/$strwg/$1
chown -R $1:$2 /home/$strwg/$1
rm /tmp/$1
hostname=$(hostname -s)
#fill in the Windows profile and home share paths
echo "dn: CN=$1,CN=Users,DC=hh3,DC=site
changetype: modify
add: profilePath
profilePath: \\\\$hostname\\profiles\\$1
-
add: homeDrive
homeDrive: Z:
-
add: homeDirectory
homeDirectory: \\\\$hostname\\home\\$1" > /tmp/$1
echo "sleeping. . ."
sleep 5
ldbmodify --url=/usr/local/samba/private/sam.ldb -b dc=hh3,dc=site /tmp/$1

Thanks,
Daniele.

On Mon, 2012-09-24 at 18:07 +0200, steve wrote:

> On 24/09/12 17:00, Daniele Dario wrote:
> > I can see only the following objectClass statements:
> >
> > objectClass: top
> > objectClass: person
> > objectClass: organizationalPerson
> > objectClass: user
> >
> > Is it correct or am I missing something?
>
> You are missing:
> objectClass: posixAccount
> uidNumber: abc
> gidNumber: xyz
>
> >
> > If I join another DC to the domain and in its smb.conf I add the
> > idmap_ldb:use rfc2307 = Yes statement, would it pull the UID from the AD?
> No.
>
> > Would the UIDs be the same on both DCs?
> No.
>
> If uidNumber is not in AD to start with, then no amount of idmap_ldb:use
> rfc2307 = Yes will pull it from there.
>
> A script wrapping around samba-tool user add can add the class and
> attributes easily.
>
> Cheers,
> Steve
>
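
Steve's point above (uidNumber/gidNumber come from AD only if the object carries posixAccount/posixGroup, otherwise samba falls back to idmap.ldb) and the wrapper scripts quoted in this post both come down to one question: which objects in sam.ldb still lack the RFC 2307 data, and what LDIF adds it. The script below is an added example, not code from the thread, from Steve's blog or from Samba. It parses an ldbsearch-style dump, lists the users and groups that would still fall back to idmap.ldb, and generates the same kind of "changetype: modify" records the quoted scripts assemble by hand. The sample dump, the ID_BASE = 10000 convention (unix id = ID_BASE + RID, so every DC derives the same number from the replicated SID instead of from its own idmap.ldb) and the function names are all assumptions of this example.

```python
"""Audit a Samba AD SAM dump for RFC 2307 data and emit the LDIF that adds it,
deriving unix ids from the SID's RID so every DC ends up with the same numbers."""
import base64
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, List[str]]
ID_BASE = 10000  # assumed site convention (not from the thread): unix id = ID_BASE + RID

# Constructed sample dump, trimmed to the attributes the audit needs; a real one
# comes from ldbsearch against sam.ldb with a filter such as "(objectClass=*)".
SAMPLE_LDIF = """\
dn: CN=theuser,CN=Users,DC=hh3,DC=site
sAMAccountName: theuser
primaryGroupID: 513
objectSid: S-1-5-21-699126639-3096025544-1681200688-1109
objectClass: user

dn: CN=DC1,OU=Domain Controllers,DC=hh3,DC=site
sAMAccountName: DC1$
objectSid: S-1-5-21-699126639-3096025544-1681200688-1000
objectClass: user
objectClass: computer

dn: CN=Domain Users,CN=Users,DC=hh3,DC=site
sAMAccountName: Domain Users
objectSid: S-1-5-21-699126639-3096025544-1681200688-513
objectClass: posixGroup
objectClass: group
gidNumber: 20513

dn: CN=devs,CN=Users,DC=hh3,DC=site
sAMAccountName: devs
objectSid: S-1-5-21-699126639-3096025544-1681200688-1110
objectClass: group
"""

def parse_ldif(text: str) -> List[Entry]:
    """ldbsearch-style LDIF -> [{attr (lower-cased): [values]}]; joins folded
    lines (leading space), skips '# record N' comments, decodes 'attr:: base64'."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries: List[Entry] = []
    current: Entry = {}
    for line in lines + [""]:  # the trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):
                value = base64.b64decode(value[1:]).decode("utf-8", "replace")
            current.setdefault(attr.lower(), []).append(value.strip())
    return entries

def rid(sid: str) -> int:
    """Last SID component; replicated with the object, so identical on every DC."""
    return int(sid.rsplit("-", 1)[1])

def classes(e: Entry) -> set:
    return {c.lower() for c in e.get("objectclass", [])}

def missing_rfc2307(e: Entry) -> Optional[str]:
    """'user' or 'group' if the entry would still fall back to idmap.ldb, else None."""
    cls, name = classes(e), e.get("samaccountname", [""])[0]
    if "user" in cls and not name.endswith("$"):  # machine accounts are users too
        if "posixaccount" not in cls or "uidnumber" not in e or "gidnumber" not in e:
            return "user"
    elif "group" in cls:
        if "posixgroup" not in cls or "gidnumber" not in e:
            return "group"
    return None

def audit(ldif_text: str) -> List[Tuple[str, str]]:
    """(dn, kind) for every account or group that lacks its RFC 2307 data."""
    return [(e["dn"][0], k) for e in parse_ldif(ldif_text) if (k := missing_rfc2307(e))]

def generate_fixes(ldif_text: str, shell: str = "/bin/bash") -> Dict[str, str]:
    """DN -> LDIF modify record: groups keep an existing gidNumber or get
    ID_BASE + RID; users get uidNumber ID_BASE + RID and the gidNumber of
    their primaryGroupID (the group's RID, looked up in the same dump)."""
    entries = parse_ldif(ldif_text)
    gid_by_rid = {rid(e["objectsid"][0]): int(e["gidnumber"][0]) if "gidnumber" in e
                  else ID_BASE + rid(e["objectsid"][0]) for e in entries if "group" in classes(e)}
    fixes: Dict[str, str] = {}
    for e in entries:
        kind = missing_rfc2307(e)
        if kind is None:
            continue
        dn, r = e["dn"][0], rid(e["objectsid"][0])
        if kind == "group":
            mods = [("objectClass", "posixGroup"), ("gidNumber", gid_by_rid[r])]
        else:
            prid = int(e.get("primarygroupid", ["513"])[0])
            mods = [("objectClass", "posixAccount"), ("uidNumber", ID_BASE + r),
                    ("gidNumber", gid_by_rid.get(prid, ID_BASE + prid)),
                    ("unixHomeDirectory", f"/home/{e['samaccountname'][0]}"),
                    ("loginShell", shell)]
        body = "\n-\n".join(f"add: {a}\n{a}: {v}" for a, v in mods)
        fixes[dn] = f"dn: {dn}\nchangetype: modify\n{body}\n"
    return fixes

if __name__ == "__main__":
    for dn, kind in audit(SAMPLE_LDIF):
        print(f"{kind:5} without rfc2307 data: {dn}")
    print("\n".join(generate_fixes(SAMPLE_LDIF).values()))  # feed this to ldbmodify
```

Run against a real dump the output of generate_fixes is what you would pass to ldbmodify once per DC is not needed: because the numbers come from the RID, applying the LDIF on one DC and letting replication carry it gives every DC the same uidNumber and gidNumber, which is the outcome the thread is after. Re-running the audit afterwards should return an empty list; anything still listed is an object that will keep resolving through idmap.ldb.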



Re: Enabling idmap_ldb:use rfc2307 = yes on 2 DCs

steve-2
On 25/09/12 11:18, Daniele Dario wrote:
> Hi Steve,
> just to be sure I understood:
>
> even if I provision with --use-rfc2307 I won't get it working without
> using an external script to add users/groups which has to modify the ldbs,
> adding the objectClass: posixAccount/posixGroup and the
> uidNumber/gidNumber for every user/group added, right?

Correct. You have to make sure that the DCs use _only_ AD to pull the
rfc2307 stuff.

>
> Said this, it won't work from a Windows box using the Admin tools (they
> will invoke the basic samba tools, not the changed scripts). I was
> looking at the examples you pointed me to:

It will not work from a windows box because there is no way to fill in
the rfc2307 attributes. I believe Géza has a script for this however.

Samba4 will pull only uidNumber and gidNumber from AD. If you need the
whole of rfc2307 then you will need to use the scripts you quoted. (as a
basis: they are local to my domain only).

You are nearly there:) Good luck,
Steve


Re: Enabling idmap_ldb:use rfc2307 = yes on 2 DCs

Gémes Géza-2
On 2012-09-25 16:37, steve wrote:

> On 25/09/12 11:18, Daniele Dario wrote:
>> Hi Steve,
>> just to be sure I understood:
>>
>> even if I provision with --use-rfc2307 I won't get it working without
>> using an external script to add users/groups which has to modify the ldbs,
>> adding the objectClass: posixAccount/posixGroup and the
>> uidNumber/gidNumber for every user/group added, right?
>
> Correct. You have to make sure that the DCs use _only_ AD to pull the
> rfc2307 stuff.
>
>>
>> Said this, it won't work from a Windows box using the Admin tools (they
>> will invoke the basic samba tools, not the changed scripts). I was
>> looking at the examples you pointed me to:
>
> It will not work from a windows box because there is no way to fill in
> the rfc2307 attributes.
That is not completely true. If you provision your domain by a
classicupgrade you will have the schema elements which allow you to
manage rfc2307 attributes from ADUC (if you have the full RSAT installed
(including management tools for NIS server)).
> I believe Géza has a script for this however.
My scripts are quite domain specific (I planned writing a patch for
samba-tool, but hadn't time to complete it yet)
>
> Samba4 will pull only uidNumber and gidNumber from AD. If you need the
> whole of rfc2307 then you will need to use the scripts you quoted. (as
> a basis: they are local to my domain only).
>
> You are nearly there:) Good luck,
> Steve
>
Regards

Geza Gemes