samba4 rfc2307 practice and confusion

d tbsky
hi:
   I set up a small samba 4.0.5 AD DC server. my clients are windows 7 and
linux, and I use windows 7 with remote management tools to manage the rfc2307
account settings of the samba4 DC. I hope my users can use the same account to
use windows and linux.

  samba4 DC provision command as below:
  samba-tool domain provision --use-rfc2307 --function-level=2008_R2 --interactive

   and smb.conf global section for samba4 DC below:
        workgroup = DOM
        realm = AD.DOM.COM.TW
        netbios name = DC
        server role = active directory domain controller
        dns forwarder = 10.11.1.254
        idmap_ldb:use rfc2307 = yes
        template shell = /bin/bash
        winbind nss info = rfc2307

 under samba4 DC, with the "getent passwd" command, the situation is below:
 1. the uid and gid are correct. "getent group" works.
 2. the shell and homedir are not correct. "winbind nss info = rfc2307" is
useless, samba4 always uses the template for "shell" and "homedir". and even
worse, if I set "template homedir = /home/%U", the "%U" macro is ignored,
so everyone's homedir is just "/home/%U". however the default "/home/%D/%U"
is working if you didn't set any "template homedir". so not setting any
"template homedir" is the only way you can get it to work under samba4 DC.

under another Scientific Linux 6.4 workstation (comes with samba 3.6.9. I also
tried 3.6.13.):
the global section of smb.conf below:
   workgroup = DOM
   password server = DC.AD.DOM.COM.TW
   realm = AD.DOM.COM.TW
   security = ads
   idmap config *:backend = tdb
   idmap config *:range = 2001-3000
   idmap config DOM:backend = ad
   idmap config DOM:default = yes
   idmap config DOM:range = 1000-2000
   idmap config DOM:schema_mode = rfc2307
   winbind nss info = rfc2307
   winbind enum users = yes
   winbind enum groups = yes
   winbind use default domain = yes

  situation below:
  1. uid, shell, home are correct from rfc2307. but gid is not, and "getent
group" never works.
  2. the gid comes from the domain account's "primary group". so to make my
linux client work, I need to set a special domain group, set the group's
rfc2307 gid number (I set it to number 1000), and change every user's
primary group from "domain users" to the special domain group, then I can
get the correct "getent passwd".

  I searched the samba wiki and email list; there is very little information about
rfc2307 (but many questions and confusion without reply in the email
list). so I post my experience here. and I wonder whether the strange behavior is a
bug or a feature. I wonder what is the original design idea to use rfc2307
under a samba 4 domain?

 thanks for advice.

Regards,
tbskyd
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
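A small consistency check for the two symptoms in this post, added here as an example (it is not Samba's code or the poster's): it reads the idmap ranges out of an smb.conf fragment, confirms the default and domain ranges do not overlap, and flags "getent passwd" entries whose uid or gid falls outside the domain range or whose homedir still carries an unexpanded template macro such as "%U". The smb.conf fragment and the getent lines are constructed samples, not captured from the poster's systems.

```python
# Added example (not Samba's code or the poster's): sanity-check winbind NSS
# output against the idmap ranges and homedir template described in this thread.
# The smb.conf fragment and the "getent passwd" lines are constructed samples.
import re

SMB_CONF = """\
   idmap config *:backend = tdb
   idmap config *:range = 2001-3000
   idmap config DOM:backend = ad
   idmap config DOM:range = 1000-2000
   idmap config DOM:schema_mode = rfc2307
   template homedir = /home/%D/%U
"""

# bob carries a gid with no rfc2307 mapping inside the DOM range;
# carol shows the unexpanded "%U" symptom from the post above.
GETENT_PASSWD = """\
alice:*:1001:1000:Alice:/home/DOM/alice:/bin/bash
bob:*:1002:513:Bob:/home/DOM/bob:/bin/bash
carol:*:2500:1000:Carol:/home/%U:/bin/bash
"""

RANGE_RE = re.compile(r"idmap config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)")

def parse_idmap_ranges(conf):
    """Map each idmap domain ('*' is the default backend) to (low, high)."""
    return {m.group(1): (int(m.group(2)), int(m.group(3)))
            for m in RANGE_RE.finditer(conf)}

def overlapping_ranges(ranges):
    """Pairs of domains whose idmap ranges overlap; winbind needs them disjoint."""
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]

def check_passwd(getent_out, ranges, domain):
    """Return (user, problem) tuples for entries inconsistent with the config."""
    lo, hi = ranges[domain]
    problems = []
    for line in getent_out.splitlines():
        name, _pw, uid, gid, _gecos, home, _shell = line.split(":")
        if not lo <= int(uid) <= hi:
            problems.append((name, f"uid {uid} outside {domain} range {lo}-{hi}"))
        if not lo <= int(gid) <= hi:
            problems.append((name, f"gid {gid} outside {domain} range {lo}-{hi}"))
        if "%" in home:  # a template macro such as %U was never expanded
            problems.append((name, f"unexpanded template macro in homedir {home}"))
    return problems
```

On a real client, feed the output of `getent passwd` and the live smb.conf to the two functions; a gid reported outside the domain range is the "primary group has no gidNumber" case described above.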

Re: samba4 rfc2307 practice and confusion

Gémes Géza-2
On 2013-04-13 18:49, d tbsky wrote:

> hi:
>     I set up a small samba 4.0.5 AD DC server. my clients are windows 7 and
> linux, and I use windows 7 with remote management tools to manage the rfc2307
> account settings of the samba4 DC. I hope my users can use the same account to
> use windows and linux.
>
>    samba4 DC provision command as below:
>    samba-tool domain provision --use-rfc2307 --function-level=2008_R2 --interactive
>
>     and smb.conf global section for samba4 DC below:
>          workgroup = DOM
>          realm = AD.DOM.COM.TW
>          netbios name = DC
>          server role = active directory domain controller
>          dns forwarder = 10.11.1.254
>          idmap_ldb:use rfc2307 = yes
>          template shell = /bin/bash
>          winbind nss info = rfc2307
>
>   under samba4 DC, with the "getent passwd" command, the situation is below:
>   1. the uid and gid are correct. "getent group" works.
>   2. the shell and homedir are not correct. "winbind nss info = rfc2307" is
> useless, samba4 always uses the template for "shell" and "homedir". and even
> worse, if I set "template homedir = /home/%U", the "%U" macro is ignored,
> so everyone's homedir is just "/home/%U". however the default "/home/%D/%U"
> is working if you didn't set any "template homedir". so not setting any
> "template homedir" is the only way you can get it to work under samba4 DC.
Unfortunately the winbind implementation samba as an AD DC uses (the one
in the samba binary) is not able to read other posix information from AD
other than the uidNumber and gidNumber.

> under another Scientific Linux 6.4 workstation (comes with samba 3.6.9. I also
> tried 3.6.13.):
> the global section of smb.conf below:
>     workgroup = DOM
>     password server = DC.AD.DOM.COM.TW
>     realm = AD.DOM.COM.TW
>     security = ads
>     idmap config *:backend = tdb
>     idmap config *:range = 2001-3000
>     idmap config DOM:backend = ad
>     idmap config DOM:default = yes
>     idmap config DOM:range = 1000-2000
>     idmap config DOM:schema_mode = rfc2307
>     winbind nss info = rfc2307
>     winbind enum users = yes
>     winbind enum groups = yes
>     winbind use default domain = yes
>
>    situation below:
>    1. uid, shell, home are correct from rfc2307. but gid is not, and "getent
> group" never works.
>    2. the gid comes from the domain account's "primary group". so to make my
> linux client work, I need to set a special domain group, set the group's
> rfc2307 gid number (I set it to number 1000), and change every user's
> primary group from "domain users" to the special domain group, then I can
> get the correct "getent passwd".
>
>    I searched the samba wiki and email list; there is very little information about
> rfc2307 (but many questions and confusion without reply in the email
> list). so I post my experience here. and I wonder whether the strange behavior is a
> bug or a feature. I wonder what is the original design idea to use rfc2307
> under a samba 4 domain?
>
>   thanks for advice.
I have read many times complaints like this; it seems that some
distributions/releases bundle a version of samba that has some bugs. A
similar setup (just the ranges are different) works for me using ubuntu
12.04.

Regards

Geza Gemes
>
> Regards,
> tbskyd

Re: samba4 rfc2307 practice and confusion

d tbsky
2013/4/14 Gémes Géza <[hidden email]>

>
> Unfortunately the winbind implementation samba as an AD DC uses (the one
> in the samba binary) is not able to read other posix information from AD
> other than the uidNumber and gidNumber.

   I think I can live with that since we use it only for a few people. but
the broken "template homedir" seems a bug to me. or is it limited by
something else also?


> I have read many times complaints like this; it seems that some
> distributions/releases bundle a version of samba that has some bugs. A
> similar setup (just the ranges are different) works for me using ubuntu
> 12.04.
>

   so you mean with samba 4 as DC and samba 3.x as winbind client, you can
get the correct rfc2307 gidnumber (and working getent group)?

   I don't think the samba 3.x that comes with RHEL has this kind of bug, since they
already have detailed documentation about how to link to Active Directory. and
I also tried the latest binary rpm at the samba web site; the behavior is the
same.

    I think the problem is at the server side. I use the microsoft remote
administration tool (ADUC) under windows 7 to manage the domain rfc2307
settings, I think maybe that's the problem. since samba mimics microsoft AD,
using the microsoft tool to manage it looks reasonable, even the samba AD DC HOWTO
suggests it. but it seems few people in this email list use that tool?

   and today I found another interesting bug/feature with windows ADUC. my
short domain name is "DOM", and if I create a group whose name is "dom",
samba4 DC will be angry. the "getent group" at samba4 DC will refuse to
return this entry, and all the entries created after that (with a larger
xidNumber) will also disappear. as long as I rename the group to something
else, "getent group" will become normal.

    since there are so many strange behaviors, I don't know what's the best
practice to treat samba 4 DC. but I am glad that at least some people in
the email list do have a working environment. maybe I can find out what's
my problem one day.

    thanks a lot.

Regards,
tbskyd

Re: samba4 rfc2307 practice and confusion

steve-2
On 15/04/13 11:07, d tbsky wrote:
>
>     so you mean with samba 4 as DC and samba 3.x as winbind client, you can
> get correct rfc2307 gidnumber(and working getent group)?
Yes. To get the rfc2307 info out from the directory you can use winbind,
nslcd or sssd on the client. If you want to get all of the rfc2307
attributes on the DC, your choice is narrowed down to the latter two. As
Geza posted earlier,  winbind can only manage uidNumber and gidNumber.

I've put our nslcd method here:
http://linuxcostablanca.blogspot.com.es/2013/04/ubuntu-client-for-samba4.html
Will post the sssd solution sometime today.
HTH
Steve

Re: samba4 rfc2307 practice and confusion

d tbsky
2013/4/15 steve <[hidden email]>

> Yes. To get the rfc2307 info out from the directory you can use winbind,
> nslcd or sssd on the client. If you want to get all of the rfc2307
> attributes on the DC, your choice is narrowed down to the latter two. As
> Geza posted earlier,  winbind can only manage uidNumber and gidNumber.
>
> I've put our nslcd method here:
> http://linuxcostablanca.blogspot.com.es/2013/04/ubuntu-client-for-samba4.html
> Will post the sssd solution sometime today.
> HTH
> Steve
>

     I remember that the samba team suggests using winbind instead of ldap to
work with a samba server, although I don't know why or whether it is still true for
a samba 4 DC. so what's the benefit of winbind?
    since RHEL 6 comes with sssd, I think maybe I will use that instead of
winbind. and thanks a lot for your information!!

Regards,
tbskyd

Re: samba4 rfc2307 practice and confusion

Gémes Géza-2
On 2013-04-15 11:51, d tbsky wrote:

> 2013/4/15 steve <[hidden email]>
>
>> Yes. To get the rfc2307 info out from the directory you can use winbind,
>> nslcd or sssd on the client. If you want to get all of the rfc2307
>> attributes on the DC, your choice is narrowed down to the latter two. As
>> Geza posted earlier,  winbind can only manage uidNumber and gidNumber.
>>
>> I've put our nslcd method here:
>> http://linuxcostablanca.blogspot.com.es/2013/04/ubuntu-client-for-samba4.html
>> Will post the sssd solution sometime today.
>> HTH
>> Steve
>>
>       I remember that the samba team suggests using winbind instead of ldap to
> work with a samba server, although I don't know why or whether it is still true for
> a samba 4 DC. so what's the benefit of winbind?
>      since RHEL 6 comes with sssd, I think maybe I will use that instead of
> winbind. and thanks a lot for your information!!
>
> Regards,
> tbskyd
Winbind strengths:

1. Caching (a lot better than nscd)
2. Can get group membership (the SIDs) from the PAC (fewer lookups on the DC)
3. No need for storing plaintext passwords in config files, or creating
other user accounts than the machine account (created at join) and
storing their keytab.

Probably there are others too (as well as weaknesses)

Regards

Geza Gemes

Re: samba4 rfc2307 practice and confusion

Björn Jacke-3
On 2013-04-15 at 20:51 +0200 Gémes Géza sent off:
> 1. Caching (a lot better than nscd)

actually I recommend running nscd when you have winbind running because nscd
caches its stuff more efficiently and it can prevent winbind from going crazy if
you have a lot of nsswitch operations, like when you run rsync for example.

Cheers
Björn

Re: samba4 rfc2307 practice and confusion

Eric26
Hi,

I thought that we should avoid using nscd with winbind? Has it changed
with samba4?
I'm still wondering which has the best performance for a file server
between winbind, sssd and nslcd.

Cheers

From:
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html

"Do not under any circumstances run nscd on any system on which
winbindd is running.

If nscd is running on the UNIX/Linux system, then even though
NSSWITCH is correctly configured, it will not be possible to resolve
domain users and groups for file and directory controls."

On 16/04/2013 15:34, Björn JACKE wrote:
> On 2013-04-15 at 20:51 +0200 Gémes Géza sent off:
>> 1. Caching (a lot better than nscd)
> actually I recommend running nscd when you have winbind running because nscd
> caches its stuff more efficiently and it can prevent winbind from going crazy if
> you have a lot of nsswitch operations, like when you run rsync for example.
>
> Cheers
> Björn

Eric PEYREMORTE

Re: samba4 rfc2307 practice and confusion

Eric26
On 15/04/2013 11:31, steve wrote:

> On 15/04/13 11:07, d tbsky wrote:
>>
>>     so you mean with samba 4 as DC and samba 3.x as winbind client,
>> you can
>> get correct rfc2307 gidnumber(and working getent group)?
> Yes. To get the rfc2307 info out from the directory you can use
> winbind, nslcd or sssd on the client. If you want to get all of the
> rfc2307 attributes on the DC, your choice is narrowed down to the
> latter two. As Geza posted earlier,  winbind can only manage uidNumber
> and gidNumber.

With a windows 2012 server and a samba 4.0.5 member I managed to get
homedirectory and loginshell from AD with idmap backend = ad and rfc2307.

Just had to fill unixHomeDirectory and loginShell in ADUC.

>
> I've put our nslcd method here:
> http://linuxcostablanca.blogspot.com.es/2013/04/ubuntu-client-for-samba4.html 
>
> Will post the sssd solution sometime today.
> HTH
> Steve
>