On 2011-09-20 23:16, Jim Stalewski wrote:
>>> Greetings,
>>>
>>> I have had Samba/Winbind/Kerberos single-sign-on authentication working
>>> for a few years now, for a single domain, and it works great. It pulls
>>> the RFC2307 populated attributes just like you'd expect, and people get
>>> the IDs mapped according to their attributes in AD.
>>>
>>> This works for version 3.2.7 and 3.4.3. I had to give the domain's
>>> Domain Users group a gid in the range of the idmap config range in
>>> order for it to work in 3.4.3 because for some unexplained reason, you
>>> have to be a member of domain users in order for winbind to even look
>>> at your rfc2307 attributes, but that's another complaint/bug/"feature."
>>>
>>> I have tried it with 3.5x and 3.6.0, and can't get it to work no
>>> matter how I tweak smb.conf.
>>>
>>> I am in a multi-domain AD forest, in a child domain. I need to be able
>>> to give the same single sign-on access to people that live in the
>>> parent domain as well as the peer domain, and since AD has the whole
>>> transitive trust thing, there should be no trust issues.
>>>
>>> I can list all of the users in each domain and all of the groups in
>>> each domain, by issuing wbinfo -u or wbinfo -g, so Winbind, through
>>> whatever mechanism it uses, can see all of them.
>>>
>>> However, to look at the RFC2307 attributes to determine whether or not
>>> they should be enumerated with getent group or getent passwd, it
>>> appears the idmap_ad process uses LDAP lookup on the authentication
>>> server to find whether the rfc2307 attributes have been populated. I
>>> don't know if this is the problem or not, but some observations:
>>>
>>> LDAP access to AD, when done on the LDAP port 389, will automatically
>>> set the search base to the domain. This precludes any lookup of
>>> people not in that domain.
>>>
>>> The lookup that is done is done against whatever AD server answers the
>>> knock on the door, whether it has a replica of the Global Catalog or
>>> not, so if by luck of the draw your domain's Infrastructure master is
>>> used as the authentication server, there's no GC to look against, even
>>> if Winbind didn't default to port 389 and looked at port 3268 (the GC
>>> port) to do its idmap lookup.
>>>
>>> So, given those observations, exactly how would someone configure
>>> Samba/Winbind to do SSO authentication using AD RFC2307 in a
>>> multi-domain parent/child domain AD forest such that you could have
>>> people authenticating from the Samba server's domain as well as the
>>> other trusted domains in the forest?
>>>
>>> I have made sure that the GC included attributes have the necessary
>>> RFC2307 attributes included. They're not by default so you have to
>>> make sure they do get populated into the GC (at least according to the
>>> idmap_adex man page)
>>>
>>> Speaking of which, I tried using idmap_adex with 3.5x and 3.6.0, but
>>> although the users/groups enumerate just fine with wbinfo, I am not
>>> getting any idmapping through NSS. I have seen comments that
>>> idmap_adex' features were being rolled into idmap_ad (no need to have
>>> more than one idmap for a given infrastructure) but no word as to when
>>> that will happen for Samba 3, if at all, or what us poor
>>> multi-domain-forest suckers like me are supposed to do in the meantime.
>>>
>>> Thanks,
>>>
>>> Jim.
>>>
>>
>> You could try to switch to idmap_adex which was created explicitly to
>> answer the multidomain forest problem. Please read
>> http://www.samba.org/samba/docs/man/manpages-3/idmap_adex.8.html before
>> trying to deploy as it needs schema modifications for AD: "Note that you
>> must add the uidNumber, gidNumber, and uid attributes to the partial
>> attribute set of the forest global catalog servers.
>> This can be done using the Active Directory Schema Management MMC plugin
>> (schmmgmt.dll)."
>>
>> Good Luck!
>>
>> Geza
>>
> Geza,
>
> Thanks for the quick response, but I have already tried idmap_adex, and
> as I stated already, we have already added the rfc2307 attributes to the
> GC partial attribute set per the idmap_adex man page.
>
> It's not a schema change, by the way - the Windows 2003R2 AD schema
> already has the RFC2307 attributes. What has to change is that those
> attributes have to be included in the Global Catalog, as they are not
> included there by default. The Partial Attribute Set is the subset of the
> full set of attributes defined in the AD schema, which are populated into
> the GC, to reduce the sheer size and volume of data the GC holds.
> Anyway...
>
> That doesn't seem to help any when the LDAP lookup is using port 389 and
> not port 3268, and the lookup is done against the DC that has the
> Infrastructure role (because Winbind decided to use that DC as the auth
> server), and therefore no copy of the GC would be available for the
> IDMAP_AD or IDMAP_ADEX lookup, even if the GC port were to be used.
>
> Can anyone recommend a specific way to configure a multi-domain
> parent-child-domain forest using idmap_ad, where the RFC2307 attributes
> will be used to IDMAP the UID/GID to the user/group? I'd try idmap_adex
> again, but since all indications are that idmap_adex doesn't seem to work
> in this scenario, and is not long for this world anyway, I'd like to know
> how it's supposed to be done using idmap_ad. That doesn't appear to be
> documented anywhere.
>
> Thanks,
>
> Jim.
>
Hi,
Are you sure that idmap_adex doesn't look up the GC instead of a plain
(port 389) LDAP query? I would recommend running a wireshark trace in that
case.

Cheers

Geza
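Alongside a packet trace, a direct check is to run the same LDAP query against a DC's own partition on port 389 and against the GC on port 3268, and see which RFC2307 attributes actually come back for an account from another domain of the forest. The Python below is an added example, not from the thread: it reports the entries in such an LDIF answer that lack what idmap_ad/idmap_adex need; the ldapsearch host and base DN in the comment are placeholders, and the sample LDIF is constructed.

```python
# Added example, not from the thread. Reports entries in an LDIF answer that lack
# the RFC2307 attributes idmap_ad/idmap_adex read. Placeholder host and base DN:
#   ldapsearch -LLL -Y GSSAPI -H ldap://dc1.child.example.com:3268 -b "DC=example,DC=com" \
#     "(sAMAccountName=*)" objectClass sAMAccountName uidNumber gidNumber uid
import base64

# Users need all three (idmap_adex man page); groups need only gidNumber.
REQUIRED = {"user": ("uidNumber", "gidNumber", "uid"), "group": ("gidNumber",)}

def parse_ldif(text):
    """Parse LDIF into a list of {attr: [values]} dicts; handles 'attr:: base64' lines."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:    # trailing "" flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):        # base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            cur.setdefault(attr, []).append(value.strip())
    return entries

def missing_rfc2307(ldif_text):
    """Return {sAMAccountName: [missing attrs]} for every user or group entry that is incomplete."""
    report = {}
    for e in parse_ldif(ldif_text):
        classes = {c.lower() for c in e.get("objectClass", [])}
        kind = "group" if "group" in classes else "user" if "user" in classes else None
        if kind is None:                     # computers, contacts, ... are not mapped
            continue
        missing = [a for a in REQUIRED[kind] if a not in e]
        if missing:
            report[e.get("sAMAccountName", e["dn"])[0]] = missing
    return report

# Constructed GC answer: a parent-domain user whose uidNumber/uid were never
# replicated into the partial attribute set, and a group (base64 name) that is complete.
SAMPLE = """\
dn: CN=Jane Smith,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: jsmith
gidNumber: 10001

dn: CN=unixadmins,CN=Users,DC=example,DC=com
objectClass: group
sAMAccountName:: dW5peGFkbWlucw==
gidNumber: 10001
"""

if __name__ == "__main__":
    print(missing_rfc2307(SAMPLE))           # {'jsmith': ['uidNumber', 'uid']}
```

Running the script against a real 3268 answer and a real 389 answer for the same accounts shows at a glance whether the attributes are missing from the GC or only from the DC that winbind happened to pick.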
