[samba] file server, AD client, no rfc2307


[samba] file server, AD client, no rfc2307

Samba - General mailing list
Hi all,

Am I right in writing that winbindd needs to have RFC2307 set up in AD to work
correctly when we want to use uidNumber, gidNumber & Co from AD?

When I write "RFC2307 set up in AD" I mean what is described there:
https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD#Enabling_RFC2307_in_an_Existing_Active_Directory

I think it's the case, at least before 4.6.x, as my tests of the last days tend to
show that... but I can easily have misinterpreted things.

I ask that because I'm working for a client who doesn't want to modify its AD
schema (as described in the link before). Fortunately, thanks again to
Rowland who told me that, RFC2307 attributes are already present in the AD
schema and so we can define uidNumber and other things with standard AD
(without --with-rfc2307).

So after making lots of tests with winbind, after I tried to convince my
client to change its AD schema, I finally set up SSSD as AD client and
tomorrow I'll try to find how to make Samba (file server and AD member)
work well with SSSD.

So if I'm wrong in thinking winbindd needs an AD schema modification to generate
UNIX users with uid and gid taken from uidNumber and gidNumber, I would
really appreciate knowing it and how to set it up.

Hoping I was clear enough in my issue's description, I wish you well,

mathias
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [samba] file server, AD client, no rfc2307

Samba - General mailing list
On Wed, 26 Jul 2017 22:42:48 +0200
mathias dufresne via samba <[hidden email]> wrote:

> Hi all,
>
> Am I right writing Winbindd needs to have RFC2307 set up in AD to work
> correctly when we want to use uidNumber, gidNumber & Co from AD?
>
> When I write "RFC2307 set up in AD" I mean what is described there:
> https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD#Enabling_RFC2307_in_an_Existing_Active_Directory
>
> I think it's the case, at least before 4.6.x as my tests last days
> tend to show that... but I can easily have misinterpreted things.
>
> I ask that because I'm working for a client who don't want to modify
> its AD schema (as described in the link before). Fortunately, thanks
> again to Rowland who told me that, RFC2307 attributes are already
> present into AD schema and so we can define uidNumber and other
> things with standard AD (without --with-rfc2307).
>
> So after making lot of test with winbind, after I tried to convince my
> client to change its AD schema, I finally set up SSSD as AD client and
> tomorrow I'll try to find how make Samba (file server and AD member)
> working well with SSSD.
>
> So if I'm wrong thinking winbindd needs AD schema modification to
> generate UNIX users with uid and gid taken from uidNumber and
> gidNumber, I would really appreciate to know it and how to set it up.
>
> Hoping I was clear enough in my issue's description, I wish you well,
>
> mathias

I am fairly sure that you only need to add what you are calling the
'schema modification' if you want to use the 'Unix Attributes' tab in
ADUC.

The RFC2307 attributes are part of the standard AD schema, so as you
are setting up a Unix domain member, winbind on one of these should
work without doing the schema modification.

Anything sssd can do on a Unix domain member, winbind can do.

I am fairly sure that your 'schema modification' is the same as adding
IDMU to a Windows DC, and winbind works with a Windows DC that
doesn't have IDMU installed.

Rowland
 


Re: [samba] file server, AD client, no rfc2307

Samba - General mailing list
2017-07-26 23:12 GMT+02:00 Rowland Penny via samba <[hidden email]>:

> On Wed, 26 Jul 2017 22:42:48 +0200
> mathias dufresne via samba <[hidden email]> wrote:
>
> > Hi all,
> >
> > Am I right writing Winbindd needs to have RFC2307 set up in AD to work
> > correctly when we want to use uidNumber, gidNumber & Co from AD?
> >
> > When I write "RFC2307 set up in AD" I mean what is described there:
> > https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD#
> Enabling_RFC2307_in_an_Existing_Active_Directory
> >
> > I think it's the case, at least before 4.6.x as my tests last days
> > tend to show that... but I can easily have misinterpreted things.
> >
> > I ask that because I'm working for a client who don't want to modify
> > its AD schema (as described in the link before). Fortunately, thanks
> > again to Rowland who told me that, RFC2307 attributes are already
> > present into AD schema and so we can define uidNumber and other
> > things with standard AD (without --with-rfc2307).
> >
> > So after making lot of test with winbind, after I tried to convince my
> > client to change its AD schema, I finally set up SSSD as AD client and
> > tomorrow I'll try to find how make Samba (file server and AD member)
> > working well with SSSD.
> >
> > So if I'm wrong thinking winbindd needs AD schema modification to
> > generate UNIX users with uid and gid taken from uidNumber and
> > gidNumber, I would really appreciate to know it and how to set it up.
> >
> > Hoping I was clear enough in my issue's description, I wish you well,
> >
> > mathias
>
> I am fairly sure that you only need to add what you are calling the
> 'schema modification' if you want to use the 'Unix Attributes' tab in
> ADUC.
>

You're right. The 'Unix Attributes' tab in ADUC needs what I called 'schema
modification'. Without that change the 'NIS Domain' dropdown menu proposes
only "<none>" as an option, no NIS domain, which is coherent.


>
> The RFC2307 attributes are part of the standard AD schema, so as you
> are setting up a Unix domain member, winbind on one of these should
> work without doing the schema modification.
>

Yes, they're here; we can set them using ldapmodify or using the ADSI console
from RSAT.
But I was never able to make winbindd work without the 'schema
modification'.


>
> Anything sssd can do on a Unix domain member, winbind can do.
>

Here please understand I don't mean to say one's better than the other, but I
was able to make sssd work without the schema modification. In addition
sssd offers something to choose which AD attribute will be used to fill each
part of the UNIX user (ex: ldap_user_uid_number = sAMAccountName; these options
come from the sssd-ldap man page but are usable with the sssd-ad module).

This is useful for stubborn clients like mine who do not want to modify their
AD...


>
> I am fairly sure that your 'schema modification' is the same as adding
> IDMU to a Windows DC and windbind works with a windows DC that
> doesn't have IDMU installed.
>

I'm fairly sure too they are the same (IDMU and what I called 'schema
modification') and I believe you when you say winbind can deal with RFC2307
attributes without IDMU/schema mod. Simply I wasn't able to make it work.
What can I say? I will try again : )

Best regards,

mathias



>
> Rowland

Re: [samba] file server, AD client, no rfc2307

Samba - General mailing list
On Thu, 27 Jul 2017 08:47:28 +0200
mathias dufresne <[hidden email]> wrote:


>
> You're right. The 'Unix Attributes' tab in ADUC needs what I called
> 'schema modification'. Without that change the 'NIS Domain' dropdown
> menu propose only "<none>" as an option, no NIS domain which is
> coherent.
>
> Yes they're here, we can set them using ldapmodify or using ADSI
> console from RSAT.
> But I was never able to make winbindd work without the 'schema
> modification'.
>
>
> >
> > Anything sssd can do on a Unix domain member, winbind can do.
> >
>
> Here please understand I don't to say one's better than the other but
> I did was able to make sssd working without the schema modification.
> In addition sssd offers something to choose which AD attribute will
> be use to fill each part of UNIX user (ex: ldap_user_uid_number =
> sAMAccountName, these option come from sssd-ldap man page but are
> usable with sssd-ad module).
>
> This is useful for stubborn clients as mine who do not want to modify
> their AD...
>
>
> >
> > I am fairly sure that your 'schema modification' is the same as
> > adding IDMU to a Windows DC and windbind works with a windows DC
> > that doesn't have IDMU installed.
> >
>
> I'm fairly sure too they are the same (IDMU and what I called 'schema
> modification') and I believe you when you say winbind can deal RFC2307
> attributes without IDMU/schema mod. Simply I wasn't able to make it
> work. What can I say? I will try again : )

It should work without --use-rfc2307; if it doesn't, then I personally
would class it as a bug.

I will have a look at the provision code for the Samba DC to see what
it actually does when you use '--use-rfc2307'; if it just adds
'ypServ30.ldif', I will set up a test domain without '--use-rfc2307' and
see what happens ;-)

Rowland


Re: [samba] file server, AD client, no rfc2307

Samba - General mailing list
On Thu, 27 Jul 2017 08:36:51 +0100
Rowland Penny via samba <[hidden email]> wrote:

>
> I will have a look at the provision code for the Samba DC to see what
> it actually does when you use '--use-rfc2307', if it just adds
> 'ypServ30.ldif', I will setup a test domain without '--use-rfc2307'
> and see what happens ;-)
>
> Rowland
>

OK, '--use-rfc2307' adds 'idmap_ldb:use rfc2307 = yes' to smb.conf on
the DC and then adds 'ypServ30.ldif'. As far as I am aware, nothing
actually uses anything in 'ypServ30.ldif'.

I will set up a new domain and see what happens.

Rowland



Re: [samba] file server, AD client, no rfc2307

Samba - General mailing list
On Thu, 27 Jul 2017 08:51:52 +0100
Rowland Penny via samba <[hidden email]> wrote:

> On Thu, 27 Jul 2017 08:36:51 +0100
> Rowland Penny via samba <[hidden email]> wrote:
>
> >
> > I will have a look at the provision code for the Samba DC to see
> > what it actually does when you use '--use-rfc2307', if it just adds
> > 'ypServ30.ldif', I will setup a test domain without '--use-rfc2307'
> > and see what happens ;-)
> >
> > Rowland
> >
>
> OK, '--use-rfc2307' adds 'idmap_ldb:use rfc2307 = yes' to smb.conf on
> the DC and then adds 'ypServ30.ldif'. As far as I am aware, nothing
> actually uses anything in 'ypServ30.ldif'.
>
> I will set up a new domain and see what happens.
>
> Rowland
>
>

OK, I can now confirm that you do not need '--use-rfc2307' to use the
winbind 'ad' backend on a Unix domain member.

You do need 'idmap_ldb:use rfc2307 = yes' in the smb.conf on a DC to
use uidNumber & gidNumber attributes on the DC.

You will not be able to use ADUC without '--use-rfc2307'.

Rowland


Re: [samba] file server, AD client, no rfc2307

Samba - General mailing list
...

> >
>
> OK, I can now confirm that you do not need '--use-rfc2307' to
> use the winbind 'ad' backend on a Unix domain member.
>
> You do need 'idmap_ldb:use rfc2307 = yes' in the smb.conf on
> a DC to use uidNumber & gidNumber attributes on the DC.
>
> You will not be able to use ADUC without '--use-rfc2307'
>
> Rowland
>
That's good to know, thanks for testing, Rowland.

But should we not forget to add these then also?

winbind nss info = template
template homedir = /home/%D/%U
template shell = /bin/bash
Or change bash to false if you don't need ssh logins, for example.


Greetz

Louis



Re: [samba] file server, AD client, no rfc2307

Samba - General mailing list
On Thu, 27 Jul 2017 15:23:47 +0200
"L.P.H. van Belle via samba" <[hidden email]> wrote:

> ...
> > >
> >
> > OK, I can now confirm that you do not need '--use-rfc2307' to
> > use the winbind 'ad' backend on a Unix domain member.
> >
> > You do need 'idmap_ldb:use rfc2307 = yes' in the smb.conf on
> > a DC to use uidNumber & gidNumber attributes on the DC.
> >
> > You will not be able to use ADUC without '--use-rfc2307'
> >
> > Rowland
> >
> Thats good to know, thank for testing Rowland.
>
> But should we not forget to add these then also?
>
> winbind nss info = template
> template homedir = /home/%D/%U
> template shell = /bin/bash
> Or change bash to false if you dont need ssh logins for example.

Hi Louis, I tested with your 4.6.6 packages, so I used the new 'idmap
config' lines with the users Unix home dir and shell stored in AD.

Or to put it another way, no, not on a Unix domain member.

Rowland



Re: [samba] file server, AD client, no rfc2307

Samba - General mailing list
2017-07-27 15:14 GMT+02:00 Rowland Penny via samba <[hidden email]>:

> On Thu, 27 Jul 2017 08:51:52 +0100
> Rowland Penny via samba <[hidden email]> wrote:
>
> > On Thu, 27 Jul 2017 08:36:51 +0100
> > Rowland Penny via samba <[hidden email]> wrote:
> >
> > >
> > > I will have a look at the provision code for the Samba DC to see
> > > what it actually does when you use '--use-rfc2307', if it just adds
> > > 'ypServ30.ldif', I will setup a test domain without '--use-rfc2307'
> > > and see what happens ;-)
> > >
> > > Rowland
> > >
> >
> > OK, '--use-rfc2307' adds 'idmap_ldb:use rfc2307 = yes' to smb.conf on
> > the DC and then adds 'ypServ30.ldif'. As far as I am aware, nothing
> > actually uses anything in 'ypServ30.ldif'.
> >
> > I will set up a new domain and see what happens.
> >
> > Rowland
> >
> >
>
> OK, I can now confirm that you do not need '--use-rfc2307' to use the
> winbind 'ad' backend on a Unix domain member.
>
> You do need 'idmap_ldb:use rfc2307 = yes' in the smb.conf on a DC to
> use uidNumber & gidNumber attributes on the DC.
>
> You will not be able to use ADUC without '--use-rfc2307'
>

Nice, thank you for testing. I'll try that in the next days to first be sure of
the winbind client configuration.
Then I will have to test the working configuration against MS AD, as it is
MS AD my client uses. It won't be my client too long...


>
> Rowland
>

Re: [samba] file server, AD client, no rfc2307

Samba - General mailing list
2017-07-27 16:33 GMT+02:00 mathias dufresne <[hidden email]>:

>
>
> 2017-07-27 15:14 GMT+02:00 Rowland Penny via samba <[hidden email]>
> :
>
>> On Thu, 27 Jul 2017 08:51:52 +0100
>> Rowland Penny via samba <[hidden email]> wrote:
>>
>> > On Thu, 27 Jul 2017 08:36:51 +0100
>> > Rowland Penny via samba <[hidden email]> wrote:
>> >
>> > >
>> > > I will have a look at the provision code for the Samba DC to see
>> > > what it actually does when you use '--use-rfc2307', if it just adds
>> > > 'ypServ30.ldif', I will setup a test domain without '--use-rfc2307'
>> > > and see what happens ;-)
>> > >
>> > > Rowland
>> > >
>> >
>> > OK, '--use-rfc2307' adds 'idmap_ldb:use rfc2307 = yes' to smb.conf on
>> > the DC and then adds 'ypServ30.ldif'. As far as I am aware, nothing
>> > actually uses anything in 'ypServ30.ldif'.
>> >
>> > I will set up a new domain and see what happens.
>> >
>> > Rowland
>> >
>> >
>>
>> OK, I can now confirm that you do not need '--use-rfc2307' to use the
>> winbind 'ad' backend on a Unix domain member.
>>
>> You do need 'idmap_ldb:use rfc2307 = yes' in the smb.conf on a DC to
>> use uidNumber & gidNumber attributes on the DC.
>>
>> You will not be able to use ADUC without '--use-rfc2307'
>>
>
> Nice, thank you for testing. I'll try that next days to first be sure of
> the winbind client configuration.
> Then I will have to test the working configuration against MS AD as it is
> MS AD my client use. It won't be my client too long...
>

Hi all,

I'm digging up that subject as I finally was able to find time to dig into
it.

So I first configured a file server using Winbind to retrieve users from AD
using RFC2307.

The tests:
Initially that file server was joined to a Samba AD domain with RFC2307 set
up on the DC (--with-rfc2307 during provision).
No surprise, it worked.

Then I removed RFC2307 using ldapmodify to delete the 55 entries added by
ypServ30.ldif, which is the file used to add RFC2307 in Samba when it was
provisioned without --with-rfc2307 (as described there:
https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD#Installing_the_NIS_Extensions
).
Here again, after "net ads leave" then a join into that domain, winbind was
able to retrieve AD users using RFC2307 LDAP attributes, as long as I kept
in the DC's smb.conf the following line, as mentioned in the previous mail by
Rowland the 27th of July:
idmap_ldb:use rfc2307 = yes

As I wasn't too sure about this modification (ldapmodify to delete entries)
I tried using a brand new Samba AD domain provisioned without usage of
--with-rfc2307.
Again, it worked, as long as "idmap_ldb:use rfc2307 = yes" was present
in the DC's smb.conf.

And as soon as "idmap_ldb:use rfc2307 = yes" was commented out on the DC side,
winbind on the client side stopped working.

Finally I removed that Samba file server from the Samba AD domain to join
it to the MS AD domain of my client. This is an MS AD without support for
RFC2307 configured.
And Winbind was never able to generate UNIX users.
wbinfo -n user gave the user's SID
wbinfo -S <user's SID> gave the user's uidNumber (as we are dealing with
RFC2307 attributes, using idmap-ad)

But wbinfo -i user didn't work.

 wbinfo -i user
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user user

So usage of "idmap_ldb:use rfc2307 = yes" on the DC side modifies Samba AD
behaviour enough for it to differ from standard MS AD (nothing to wonder
about in fact), but as Samba AD is not behaving like standard MS AD we can't
write that winbind, using idmap-ad, can retrieve users from standard AD without
RFC2307 configured, as this works only against Samba AD with a modified
smb.conf.

To write it differently: winbind, using idmap-ad, can't retrieve users from
standard AD (MS AD not modified, or Samba AD without "idmap_ldb:use rfc2307
= yes").


>
>
>>
>> Rowland
>>

Re: [samba] file server, AD client, no rfc2307

Samba - General mailing list
After speaking about winbind behaviour, back to my initial question:
migrating a Samba file server to another one, replacing the UID/GID database (it
was a Centrify database).

So we have files and directories owned by UNIX users on the file system on the
old server; UID/GID are not in uidNumber/gidNumber but are known: we can
list users and groups to display every UID/GID used.

Of course what my client expected was that all users continue to have access to
their files. To do that they started changing rights on the new file server
to 777... Users had access to their files but also to every file, which
is.. debatable : )

So here I saw two options (777 is not an option):
- keeping UID/GID by usage of uidNumber and gidNumber, which are always
available in AD (perhaps not in AD 2016, I did not test).
This is working but not with Winbind until there is a change in AD
behaviour (see my previous mail for details), and my client refused to
modify its schema.
Good point: no change needed on files' rights.
Bad point: they need a process to give new users some UID/GID. They had a
process but it was for Centrify; this process had to be changed.

As I wasn't able to use winbind I finally made that work using SSSD,
thanks to Samba which can work using "security = ads" and SSSD to produce
UNIX users from AD (using RFC2307 attributes or anything else).
But the point was also to simplify their process, so this proposition was
finally refused.

- changing UID/GID: by usage of idmap-rid UID/GID are stable; they are
built using the MS user's RID + the start of the domain range in "idmap config AD :
range". As RIDs are stable (as long as you don't destroy a user object to
recreate a new one) we get UNIX users without changing anything, without the
need of a specific process when creating new users in AD.
Very simple, stable, wonderful : )

This has a very bad point when there is a big amount of files/directories
with already attributed rights with old UID/GID: all files' and directories'
rights must be changed.
Fortunately the two file servers are not using the same storage; old files
have to be copied from the old filer to a new one. And here is the solution to
this huge problem of files' rights: RSYNC. By default rsync, when creating
files on the destination side, attributes rights according to user/group name and
not UID/GID, so doing a simple rsync of the old data store to the new one
solved the rights issue.

And winbind using idmap-rid gave us a stable and very easy way to
manage UID/GID.

Sorry for all that blabla, I felt like it could be interesting to share
that.

Cheers,

mathias

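Added example (not code from the thread, and not Samba's own idmap code): a small Python model of the two mappings mathias compares above, the 'ad' backend that needs uidNumber on the AD object and the 'rid' backend that derives the ID from the SID's RID and the configured range, plus the rsync-by-name remapping step of the migration. The domain SID, RIDs, ranges and user names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class IdRange:
    """Model of the 'idmap config DOMAIN : range = low-high' setting."""
    low: int
    high: int

    def contains(self, xid: int) -> bool:
        return self.low <= xid <= self.high


def parse_sid(sid: str) -> tuple[str, int]:
    """Split a Windows SID into (domain SID, RID); the RID is the last sub-authority."""
    parts = sid.split("-")
    if len(parts) < 5 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"not a SID: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])


def idmap_rid(sid: str, domain_sid: str, rng: IdRange, base_rid: int = 0) -> Optional[int]:
    """Model of the 'rid' backend: xid = low + (RID - base_rid).

    Needs nothing from AD but the SID, so it works against an unmodified
    Microsoft AD; returns None if the SID is foreign or the result leaves the range.
    """
    dom, rid = parse_sid(sid)
    if dom != domain_sid or rid < base_rid:
        return None
    xid = rng.low + (rid - base_rid)
    return xid if rng.contains(xid) else None


def idmap_ad(entry: dict, rng: IdRange, attr: str = "uidNumber") -> Optional[int]:
    """Model of the 'ad' backend: take the RFC2307 attribute from the AD object.

    Without the attribute (or with a value outside the range) the user gets
    no Unix ID, which is the "no UNIX user" outcome described in the thread.
    """
    value = entry.get(attr)
    if value is None or not str(value).isdigit():
        return None
    xid = int(value)
    return xid if rng.contains(xid) else None


def remap_owner(old_uid: int, old_passwd: dict, new_ids: dict) -> Optional[int]:
    """The rsync-by-name step of the migration: find the user name that owned
    old_uid on the old server, then look up that name's ID on the new server."""
    for name, uid in old_passwd.items():
        if uid == old_uid:
            return new_ids.get(name)
    return None


# Constructed sample data (hypothetical domain SID, RIDs and IDs).
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
RANGE = IdRange(10000, 999999)
AD_USERS = {
    "alice": {"objectSid": DOMAIN_SID + "-1105", "uidNumber": "10500"},
    "bob": {"objectSid": DOMAIN_SID + "-1106"},  # no RFC2307 attributes set
}
OLD_PASSWD = {"alice": 5001, "bob": 5002}  # IDs from the old (Centrify) database


def resolve_all(backend: str) -> dict:
    """Resolve every constructed user with one backend; None means 'no Unix user'."""
    out = {}
    for name, entry in AD_USERS.items():
        if backend == "rid":
            out[name] = idmap_rid(entry["objectSid"], DOMAIN_SID, RANGE)
        else:
            out[name] = idmap_ad(entry, RANGE)
    return out


if __name__ == "__main__":
    print("ad :", resolve_all("ad"))   # bob has no uidNumber -> None
    print("rid:", resolve_all("rid"))  # alice 11105, bob 11106
    # A file owned by uid 5002 on the old server belongs to bob -> 11106 on the new one.
    print("5002 ->", remap_owner(5002, OLD_PASSWD, resolve_all("rid")))
```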