
Samba4 Using AD/UNIX attributes for home directory and shell not possible?


Samba4 Using AD/UNIX attributes for home directory and shell not possible?

Markus Gillmeister
Hi,

I would like to use the attributes in AD for the home directory
(homeDirectory) and the login shell (loginShell) for users logging in via
ssh to a Linux box.

I added the following parameters in the global-Section of
/etc/samba/smb.conf:
   winbind nss info = rfc2307
   idmap_ldb:use rfc2307 = yes

Also I set the attributes for a test-user (called tim) with some values.

But when calling "getent passwd" I got the following result:
...
SHADOW\tim:*:3000017:100:Tim Testinger:/home/SHADOW/tim:/bin/false

So it seems that winbind is ignoring AD attributes. Is this a bug or did I
misconfigure my samba installation?

Best Regards
Markus

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
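As an added example (not from the thread), a small Python check that tells whether a getent passwd entry came from winbind's template fallback rather than from the account's AD attributes. The line from the post is reused as sample input; the expected values and the second account are constructed.

```python
# Winbind's built-in fallbacks (Samba defaults): "template homedir = /home/%D/%U"
# and "template shell = /bin/false". An entry matching both came from the
# template, not from the account's homeDirectory/loginShell attributes.
TEMPLATE_HOMEDIR = "/home/{domain}/{user}"
TEMPLATE_SHELL = "/bin/false"

def parse_passwd(line):
    """Split one getent passwd line into its seven colon-separated fields."""
    name, pw, uid, gid, gecos, home, shell = line.rstrip("\n").split(":", 6)
    return {"name": name, "uid": int(uid), "gid": int(gid),
            "gecos": gecos, "home": home, "shell": shell}

def from_template(entry):
    """True when home and shell are exactly what the winbind template would yield."""
    if "\\" not in entry["name"]:
        return False                      # local account, not DOMAIN\user
    domain, user = entry["name"].split("\\", 1)
    return (entry["home"] == TEMPLATE_HOMEDIR.format(domain=domain, user=user)
            and entry["shell"] == TEMPLATE_SHELL)

def audit(lines, expected):
    """Compare getent output with the values stored in AD (name -> (home, shell))."""
    report = {}
    for line in lines:
        entry = parse_passwd(line)
        if entry["name"] not in expected:
            continue
        if (entry["home"], entry["shell"]) == expected[entry["name"]]:
            report[entry["name"]] = "ok"
        elif from_template(entry):
            report[entry["name"]] = "template (rfc2307 attributes ignored)"
        else:
            report[entry["name"]] = "mismatch"
    return report

# Constructed sample: the line from the post plus a fictitious account whose
# attributes did come through (what a member server running winbind would show).
SAMPLE = [
    r"SHADOW\tim:*:3000017:100:Tim Testinger:/home/SHADOW/tim:/bin/false",
    r"SHADOW\ann:*:10001:10001:Ann Example:/home/ann:/bin/bash",
]
EXPECTED = {r"SHADOW\tim": ("/home/tim", "/bin/bash"),
            r"SHADOW\ann": ("/home/ann", "/bin/bash")}
```

Feed it the real `getent passwd` output and the values you set in AD; a "template" verdict for every domain account is the symptom described in the post.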

Re: Samba4 Using AD/UNIX attributes for home directory and shell not possible?

Gémes Géza-2
Hi,
> Hi,
>
> I would like to use the attributes in AD for the home directory
> (homeDirectory) and the login shell (loginShell) for users logging in via
> ssh to a Linux box.
Samba 4.x has (from the point of view of domain membership) two modes:

1. Active Directory domain controller
2. Standalone, domain member or classic (NT4-like) domain controller

In the first case only the samba binary should run, which takes care of
the winbind task (mapping user attributes) too. Unfortunately it can't
retrieve homedir and shell attributes from the directory.

In the second case a separate winbind instance is/should be running
which is able to use those mappings from the directory, so if you are not
running an AD DC on the box in question, please send your whole config
so we are able to help debug it.

> I added the following parameters in the global-Section of
> /etc/samba/smb.conf:
>     winbind nss info = rfc2307
>     idmap_ldb:use rfc2307 = yes
>
> Also I set the attributes for a test-user (called tim) with some values.
>
> But when calling "getent passwd" I got the following result:
> ...
> SHADOW\tim:*:3000017:100:Tim Testinger:/home/SHADOW/tim:/bin/false
>
> So it seems that winbind is ignoring AD attributes. Is this a bug or did I
> misconfigure my samba installation?
>
> Best Regards
> Markus
>
Regards

Geza Gemes

Re: Samba4 Using AD/UNIX attributes for home directory and shell not possible?

steve-2
In reply to this post by Markus Gillmeister
On 10/08/13 22:23, Markus Gillmeister wrote:

> Hi,
>
> I would like to use the attributes in AD for the home directory
> (homeDirectory) and the login shell (loginShell) for users logging in via
> ssh to a Linux box.
>
> I added the following parameters in the global-Section of
> /etc/samba/smb.conf:
>     winbind nss info = rfc2307
>     idmap_ldb:use rfc2307 = yes
>
> Also I set the attributes for a test-user (called tim) with some values.
>
> But when calling "getent passwd" I got the following result:
> ...
> SHADOW\tim:*:3000017:100:Tim Testinger:/home/SHADOW/tim:/bin/false
>
> So it seems that winbind is ignoring AD attributes. Is this a bug or did I
> misconfigure my samba installation?
>
> Best Regards
> Markus
>

Hi
On the DC, winbind will only read uidNumber and gidNumber. To be able to
use the whole of rfc2307, use sssd or nss-ldapd.

If you want to use winbind, you will have to install Samba4 on a
separate machine, domainify it and run it as a file server only. I
suppose you could then ssh into that instead.
HTH
Steve


Samba4 Using AD/UNIX attributes for home directory and shell not possible?

Markus Gillmeister
Hi,

while googling around I already suspected that using winbind and samba4 is
not a perfect solution.

I tried to set up sssd on my Debian wheezy machine but I'm not able to get a
running setup:

When starting up sssd the following errors appear:

(Mon Aug 12 09:57:43 2013) [sssd[be[shadow.local]]] [setup_child] (0x0010):
Could not verify keytab
(Mon Aug 12 09:57:43 2013) [sssd[be[shadow.local]]] [load_backend_module]
(0x0010): Error (2) in module (ldap) initialization (sssm_ldap_id_init)!
(Mon Aug 12 09:57:43 2013) [sssd[be[shadow.local]]] [be_process_init]
(0x0010): fatal error initializing data providers
(Mon Aug 12 09:57:43 2013) [sssd[be[shadow.local]]] [main] (0x0010): Could
not initialize backend [2]


My  /etc/sssd/sssd.conf looks like:

[sssd]
config_file_version = 2
domains = shadow.local
services = nss, pam
debug_level = 7

[nss]

[pam]

[domain/shadow.local]
cache_credentials = true
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap

krb5_realm = SHADOW.LOCAL

ldap_referrals = false
ldap_sasl_mech = GSSAPI
ldap_schema = rfc2307bis
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
ldap_group_name = sAMAccountName


The sssd version on Debian wheezy is 1.8.4. Any ideas what's wrong?

Best Regards
Markus
 


Re: Samba4 Using AD/UNIX attributes for home directory and shell not possible?

steve-2
On 12/08/13 10:04, Markus Gillmeister wrote:

> Hi,
>
> while googling around I already suspected that using winbind and samba4 is
> not a perfect solution.
>
> I tried to set up sssd on my Debian wheezy machine but I'm not able to get a
> running setup:
>
> When starting up sssd the following errors appear:
>
> (Mon Aug 12 09:57:43 2013) [sssd[be[shadow.local]]] [setup_child] (0x0010):
> Could not verify keytab
> (Mon Aug 12 09:57:43 2013) [sssd[be[shadow.local]]] [load_backend_module]
> (0x0010): Error (2) in module (ldap) initialization (sssm_ldap_id_init)!
> (Mon Aug 12 09:57:43 2013) [sssd[be[shadow.local]]] [be_process_init]
> (0x0010): fatal error initializing data providers
> (Mon Aug 12 09:57:43 2013) [sssd[be[shadow.local]]] [main] (0x0010): Could
> not initialize backend [2]
>
>
> My  /etc/sssd/sssd.conf looks like:
>
> [sssd]
> config_file_version = 2
> domains = shadow.local
> services = nss, pam
> debug_level = 7
>
> [nss]
>
> [pam]
>
> [domain/shadow.local]
> cache_credentials = true
> id_provider = ldap
> auth_provider = krb5
> chpass_provider = krb5
> access_provider = ldap
>
> krb5_realm = SHADOW.LOCAL
>
> ldap_referrals = false
> ldap_sasl_mech = GSSAPI
> ldap_schema = rfc2307bis
> ldap_access_order = expire
> ldap_account_expire_policy = ad
> ldap_force_upper_case_realm = true
> ldap_user_object_class = user
> ldap_user_name = sAMAccountName
> ldap_user_home_directory = unixHomeDirectory
> ldap_user_principal = userPrincipalName
> ldap_group_object_class = group
> ldap_group_name = sAMAccountName
>
>
> The sssd version on Debian wheezy is 1.8.4. Any ideas what's wrong?
>
> Best Regards
> Markus
>
>
Hi
mmm, 1.8.4. For AD out of the box you need version 1.10.1 but you could
try this.
You haven't specified the DC or any of the GSSAPI stuff:
  remove:
  access_provider =
  and add:

krb5_realm =
krb5_server =
krb5_kpasswd =

ldap_sasl_authid =
ldap_krb5_keytab = /etc/krb5.keytab
ldap_krb5_init_creds = true
krb5_validate = False

for server and kpasswd use names, not IPs
for ldap_sasl_authid use the machine key from the keytab it provided
when you joined the domain, something like MACHINE$

There are example configs for both rfc2307bis and AD schemas here:
http://linuxcostablanca.blogspot.com.es/2013/04/sssd-in-samba-40.html
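Steve's checklist expressed as a Python lint-and-fix over the `[domain/...]` section of sssd.conf (added here; not code from the thread or from the blog he links). The DC host name dc1.shadow.local and the machine account LINUXBOX$ are constructed placeholders, and the sample config is abridged from the one posted above.

```python
import configparser

# Keys Steve lists as missing from the posted sssd.conf. The DC host name and
# the machine account are constructed placeholders for the thread's shadow.local.
REQUIRED = {
    "krb5_server": "dc1.shadow.local",      # a name, never an IP
    "krb5_kpasswd": "dc1.shadow.local",
    "ldap_sasl_authid": "LINUXBOX$",        # machine key from /etc/krb5.keytab
    "ldap_krb5_keytab": "/etc/krb5.keytab",
    "ldap_krb5_init_creds": "true",
    "krb5_validate": "False",
}

def domain_section(conf_text, domain):
    """Parse sssd.conf text and return the [domain/<domain>] settings as a dict."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return dict(cp[f"domain/{domain}"])

def _is_ipv4(value):
    """Crude dotted-quad test: enough to catch '10.0.0.5' where a host name belongs."""
    parts = value.split(".")
    return len(parts) == 4 and all(p.isdigit() for p in parts)

def lint(settings):
    """Steve's checklist against one domain section; an empty list means clean."""
    findings = []
    if "access_provider" in settings:
        findings.append("remove access_provider")
    findings += [f"missing {k}" for k in REQUIRED if k not in settings]
    for key in ("krb5_server", "krb5_kpasswd"):
        if key in settings and _is_ipv4(settings[key].split(",")[0].strip()):
            findings.append(f"{key}: use a host name, not an IP")
    authid = settings.get("ldap_sasl_authid", "")
    if authid and not authid.split("@", 1)[0].endswith("$"):
        findings.append("ldap_sasl_authid: use the machine account (MACHINE$)")
    return findings

def fix(settings):
    """Drop access_provider and add the missing keys; everything else is kept."""
    fixed = {k: v for k, v in settings.items() if k != "access_provider"}
    for key, value in REQUIRED.items():
        fixed.setdefault(key, value)
    return fixed

# Abridged from the sssd.conf posted above; the ldap_* attribute mappings are unchanged.
POSTED = """[domain/shadow.local]
id_provider = ldap
access_provider = ldap
krb5_realm = SHADOW.LOCAL
"""
```

Run `lint(domain_section(open("/etc/sssd/sssd.conf").read(), "shadow.local"))` against the real file; `fix()` returns the corrected settings for you to write back by hand after substituting your own DC name and machine account.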






Samba4 Using AD/UNIX attributes for home directory and shell not possible?

Markus Gillmeister
Steve, thanks a lot, I finally got sssd (version 1.8.4) on debian wheezy
working with samba 4 (Version 4.0.8-SerNet-Debian-5.wheezy)!

But one last question regarding unix attributes in the AD remains: I noticed
that uidnumber/gid... is not written back to the active directory when
creating a user or group. I set "idmap_ldb:use rfc2307 = yes" in my
smb.conf, but it seems that samba-tool is ignoring this. Is this a bug?

At http://linuxcostablanca.blogspot.com.es/2013/04/sssd-in-samba-40.html I
see a script that wraps around "samba-tool" when creating a user. After
creating it asks winbind for uid/gid and writes this information back to
AD. This seems fine as a workaround, but it would be nice if samba-tool did
this out of the box, wouldn't it?






Re: Samba4 Using AD/UNIX attributes for home directory and shell not possible?

Jonathan Buzzard
On Tue, 2013-08-13 at 10:06 +0200, Markus Gillmeister wrote:
> Steve, thanks a lot, I finally got sssd (version 1.8.4) on debian wheezy
> working with samba 4 (Version 4.0.8-SerNet-Debian-5.wheezy)!
>
> But one last question regarding unix attributes in the AD remains: I noticed
> that uidnumber/gid... is not written back to the active directory when
> creating a user or group. I set "idmap_ldb:use rfc2307 = yes" in my
> smb.conf, but it seems that samba-tool is ignoring this. Is this a bug?
>

I would imagine that it is not a bug, as this is standard Windows AD
behaviour (well it is up to Server 2008R2, might have changed in Server
2012).

JAB.

--
Jonathan A. Buzzard                 Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.


Re: Samba4 Using AD/UNIX attributes for home directory and shell not possible?

steve-2
In reply to this post by Markus Gillmeister
On Tue, 2013-08-13 at 10:06 +0200, Markus Gillmeister wrote:

> Steve, thanks a lot, I finally got sssd (version 1.8.4) on debian wheezy
> working with samba 4 (Version 4.0.8-SerNet-Debian-5.wheezy)!
>
> But one last question regarding unix attributes in the AD remains: I noticed
> that uidnumber/gid... is not written back to the active directory when
> creating a user or group. I set "idmap_ldb:use rfc2307 = yes" in my
> smb.conf, but it seems that samba-tool is ignoring this. Is this a bug?
>
> At http://linuxcostablanca.blogspot.com.es/2013/04/sssd-in-samba-40.html I
> see a script that wraps around "samba-tool" when creating a user. After
> creating it asks winbind for uid/gid and writes this information back to
> AD. This seems fine as a workaround, but it would be nice if samba-tool did
> this out of the box, wouldn't it?
>
Hi
You have to add the attribute yourself on 4.0.8 and earlier. That's what
our scripts do. It's unfortunate that samba-tool doesn't do this. The
devs use a non-AD solution for rfc2307. There is some better news: the
new RCs and master have e.g.
samba-tool user add steve [...] --uid-number=12345678
which does add the necessary attribute to AD.

I'd recommend using the latest version of sssd. It has native support
for AD and loads of other goodies such as dynamic dns. Although it's
non-trivial building it on Debian, it would be worth the effort.

Many congrats on getting 1.8.4 working however.
Cheers,
Steve

