Re: [Samba] samba4 rfc2307 practice and confuse

2013-04-29 Thread Eric PEYREMORTE

On 15/04/2013 11:31, steve wrote:

On 15/04/13 11:07, d tbsky wrote:


so you mean with samba 4 as DC and samba 3.x as winbind client, you can
get correct rfc2307 gidnumber (and working getent group)?
Yes. To get the rfc2307 info out from the directory you can use 
winbind, nslcd or sssd on the client. If you want to get all of the 
rfc2307 attributes on the DC, your choice is narrowed down to the 
latter two. As Geza posted earlier, winbind can only manage uidNumber
and gidNumber.


With a Windows 2012 server and a samba 4.0.5 member I managed to get
the home directory and login shell from AD with idmap backend = ad and rfc2307.


Just had to fill unixHomeDirectory and loginShell in ADUC.



I've put our nslcd method here:
http://linuxcostablanca.blogspot.com.es/2013/04/ubuntu-client-for-samba4.html 


Will post the sssd solution sometime today.
HTH
Steve




--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] samba4 rfc2307 practice and confuse

2013-04-29 Thread Eric PEYREMORTE

Hi,

I thought that we should avoid using nscd with winbind? Has it changed
with samba4?
I'm still wondering which has the best performance for a file server
between winbind, sssd and nslcd.


Cheers

From:
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html

"Do not under any circumstances run nscd on any system on which
winbindd is running.

If nscd is running on the UNIX/Linux system, then even though
NSSWITCH is correctly configured, it will not be possible to resolve
domain users and groups for file and directory controls."




On 16/04/2013 15:34, Björn JACKE wrote:

On 2013-04-15 at 20:51 +0200 Gémes Géza sent off:

1. Caching (lot better than nscd)

actually I recommend running nscd when you have winbind running because nscd
caches its stuff more efficiently and it can prevent winbind from going crazy if
you have a lot of nsswitch operations, like when you run rsync for example.

Cheers
Björn


Eric PEYREMORTE


Re: [Samba] samba4 rfc2307 practice and confuse

2013-04-16 Thread Björn JACKE
On 2013-04-15 at 20:51 +0200 Gémes Géza sent off:
> 1. Caching (lot better than nscd)

actually I recommend running nscd when you have winbind running because nscd
caches its stuff more efficiently and it can prevent winbind from going crazy if
you have a lot of nsswitch operations, like when you run rsync for example.

Cheers
Björn


Re: [Samba] samba4 rfc2307 practice and confuse

2013-04-15 Thread Gémes Géza

On 2013-04-15 11:51, d tbsky wrote:

2013/4/15 steve 


Yes. To get the rfc2307 info out from the directory you can use winbind,
nslcd or sssd on the client. If you want to get all of the rfc2307
attributes on the DC, your choice is narrowed down to the latter two. As
Geza posted earlier, winbind can only manage uidNumber and gidNumber.

I've put our nslcd method here:
http://linuxcostablanca.blogspot.com.es/2013/04/ubuntu-client-for-samba4.html
Will post the sssd solution sometime today.
HTH
Steve


  I remember that the samba team suggests to use winbind instead of ldap to
work with samba server, although I don't know why or if it is still true for
samba 4 DC. So what's the benefit of winbind?
 Since RHEL 6 comes with sssd, I think maybe I will use that instead of
winbind. And thanks a lot for your information!!

Regards,
tbskyd

Winbind strengths:

1. Caching (a lot better than nscd)
2. Can get group membership (the SIDs) from the PAC (fewer lookups on the DC)
3. No need to store plaintext passwords in config files, or to create
other user accounts than the machine account (created at join) and
store their keytab.


Probably there are others too (as well as weaknesses).

Regards

Geza Gemes


Re: [Samba] samba4 rfc2307 practice and confuse

2013-04-15 Thread d tbsky
2013/4/15 steve 

> Yes. To get the rfc2307 info out from the directory you can use winbind,
> nslcd or sssd on the client. If you want to get all of the rfc2307
> attributes on the DC, your choice is narrowed down to the latter two. As
> Geza posted earlier, winbind can only manage uidNumber and gidNumber.
>
> I've put our nslcd method here:
> http://linuxcostablanca.blogspot.com.es/2013/04/ubuntu-client-for-samba4.html
> Will post the sssd solution sometime today.
> HTH
> Steve
>

 I remember that the samba team suggests to use winbind instead of ldap to
work with samba server, although I don't know why or if it is still true for
samba 4 DC. So what's the benefit of winbind?
Since RHEL 6 comes with sssd, I think maybe I will use that instead of
winbind. And thanks a lot for your information!!

Regards,
tbskyd


Re: [Samba] samba4 rfc2307 practice and confuse

2013-04-15 Thread steve

On 15/04/13 11:07, d tbsky wrote:


so you mean with samba 4 as DC and samba 3.x as winbind client, you can
get correct rfc2307 gidnumber (and working getent group)?
Yes. To get the rfc2307 info out from the directory you can use winbind, 
nslcd or sssd on the client. If you want to get all of the rfc2307 
attributes on the DC, your choice is narrowed down to the latter two. As 
Geza posted earlier, winbind can only manage uidNumber and gidNumber.


I've put our nslcd method here:
http://linuxcostablanca.blogspot.com.es/2013/04/ubuntu-client-for-samba4.html
Will post the sssd solution sometime today.
HTH
Steve



Re: [Samba] samba4 rfc2307 practice and confuse

2013-04-15 Thread d tbsky
2013/4/14 Gémes Géza 

>
> Unfortunately the winbind implementation samba as an AD DC uses (the one
> in the samba binary) is not able to read other posix information from AD
> other than the uidNumber and gidNumber.


   I think I can live with that since we use it only for a few people. But
the broken "template homedir" seems a bug to me. Or is it limited by something
else also?


> I have read many times complaints like this, it seems, that some
> distributions/releases bundle a version of samba that has some bugs, a
> similar setup (just the ranges are different) works for me using ubuntu
> 12.04.
>

   so you mean with samba 4 as DC and samba 3.x as winbind client, you can
get correct rfc2307 gidnumber (and working getent group)?

   I don't think the samba 3.x that comes with RHEL has this kind of bug, since
they already have a detailed document about how to link to Active Directory. And
I also tried the latest binary rpm at the samba web site, the behavior is the
same.

   I think the problem is at the server side. I use the microsoft remote
administration tool (ADUC) under windows 7 to manage the domain rfc2307
settings, I think maybe that's the problem. Since samba mimics microsoft AD,
using the microsoft tool to manage it looks reasonable, even the samba AD DC HOWTO
suggests it. But it seems few people in this email list use that tool?

   and today I found another interesting bug/feature with windows ADUC. My
short domain name is "DOM", and if I create a group whose name is "dom",
samba4 DC will be angry. The "getent group" at samba4 DC will refuse to return
this entry, and all the entries created after that (which have a larger
xidNumber) will also disappear. As long as I rename the group to something
else, "getent group" will become normal.

   Since there are so many strange behaviors, I don't know what's the best
practice to treat samba 4 DC. But I am glad that at least some people in
the email list do have a working environment. Maybe I can find out what's
my problem one day.

thanks a lot.

Regards,
tbskyd





>
> Geza Gemes
>
>>
>> Regards,
>> tbskyd
>>
>


Re: [Samba] samba4 rfc2307 practice and confuse

2013-04-13 Thread Gémes Géza

On 2013-04-13 18:49, d tbsky wrote:

hi:
   I set up a small samba 4.0.5 AD DC server. My clients are windows 7 and
linux, and I use windows 7 with remote management tools to manage the rfc2307
account settings of the samba4 DC. I hope my users can use the same account to
use windows and linux.

   samba4 DC provision command as below:
   samba-tool domain provision --use-rfc2307 --function-level=2008_R2
--interactive

and smb.conf global section for samba4 DC below:
 workgroup = DOM
 realm = AD.DOM.COM.TW
 netbios name = DC
 server role = active directory domain controller
 dns forwarder = 10.11.1.254
 idmap_ldb:use rfc2307 = yes
 template shell = /bin/bash
 winbind nss info = rfc2307

  under samba4 DC, with the "getent passwd" command, the situation is below:
  1. the uid and gid are correct. "getent group" works.
  2. the shell and homedir are not correct. "winbind nss info = rfc2307" is
useless, samba4 always uses the template for "shell" and "homedir". And even
worse, if I set "template homedir = /home/%U", the "%U" macro is ignored,
so everyone's homedir is just "/home/%U". However the default "/home/%D/%U"
is working if you don't set any "template homedir". So not setting any
"template homedir" is the only way you can get under samba4 DC.
Unfortunately the winbind implementation samba as an AD DC uses (the one 
in the samba binary) is not able to read other posix information from AD 
other than the uidNumber and gidNumber.

under another scientific linux 6.4 workstation (comes with samba 3.6.9. I also
tried 3.6.13.):
the global section of smb.conf below:
workgroup = DOM
password server = DC.AD.DOM.COM.TW
realm = AD.DOM.COM.TW
security = ads
idmap config *:backend = tdb
idmap config *:range = 2001-3000
idmap config DOM:backend = ad
idmap config DOM:default = yes
idmap config DOM:range = 1000-2000
idmap config DOM:schema_mode = rfc2307
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes

   situation below:
   1. uid, shell, home are correct from rfc2307. But gid is not, and "getent
group" never works.
   2. the gid comes from the domain account's "primary group". So to make my
linux client work, I need to set a special domain group, set the group's
rfc2307 gid number (I set it to number 1000), and change every user's
primary group from "domain users" to the special domain group, then I can
get the correct "getent passwd".

   I searched the sambawiki and email list, there is very little information
about rfc2307 (but many questions and confusion without reply in the email
list). So I post my experience here, and I wonder whether the strange behavior
is a bug or a feature. I wonder what is the original design idea to use rfc2307
under a samba 4 domain?

  thanks for advice.
I have read many times complaints like this, it seems, that some
distributions/releases bundle a version of samba that has some bugs, a
similar setup (just the ranges are different) works for me using ubuntu
12.04.


Regards

Geza Gemes


Regards,
tbskyd




[Samba] samba4 rfc2307 practice and confuse

2013-04-13 Thread d tbsky
hi:
   I set up a small samba 4.0.5 AD DC server. My clients are windows 7 and
linux, and I use windows 7 with remote management tools to manage the rfc2307
account settings of the samba4 DC. I hope my users can use the same account to
use windows and linux.

  samba4 DC provision command as below:
  samba-tool domain provision --use-rfc2307 --function-level=2008_R2
--interactive

   and smb.conf global section for samba4 DC below:
workgroup = DOM
realm = AD.DOM.COM.TW
netbios name = DC
server role = active directory domain controller
dns forwarder = 10.11.1.254
idmap_ldb:use rfc2307 = yes
template shell = /bin/bash
winbind nss info = rfc2307

 under samba4 DC, with the "getent passwd" command, the situation is below:
 1. the uid and gid are correct. "getent group" works.
 2. the shell and homedir are not correct. "winbind nss info = rfc2307" is
useless, samba4 always uses the template for "shell" and "homedir". And even
worse, if I set "template homedir = /home/%U", the "%U" macro is ignored,
so everyone's homedir is just "/home/%U". However the default "/home/%D/%U"
is working if you don't set any "template homedir". So not setting any
"template homedir" is the only way you can get under samba4 DC.

under another scientific linux 6.4 workstation (comes with samba 3.6.9. I also
tried 3.6.13.):
the global section of smb.conf below:
   workgroup = DOM
   password server = DC.AD.DOM.COM.TW
   realm = AD.DOM.COM.TW
   security = ads
   idmap config *:backend = tdb
   idmap config *:range = 2001-3000
   idmap config DOM:backend = ad
   idmap config DOM:default = yes
   idmap config DOM:range = 1000-2000
   idmap config DOM:schema_mode = rfc2307
   winbind nss info = rfc2307
   winbind enum users = yes
   winbind enum groups = yes
   winbind use default domain = yes

  situation below:
  1. uid, shell, home are correct from rfc2307. But gid is not, and "getent
group" never works.
  2. the gid comes from the domain account's "primary group". So to make my
linux client work, I need to set a special domain group, set the group's
rfc2307 gid number (I set it to number 1000), and change every user's
primary group from "domain users" to the special domain group, then I can
get the correct "getent passwd".

  I searched the sambawiki and email list, there is very little information
about rfc2307 (but many questions and confusion without reply in the email
list). So I post my experience here, and I wonder whether the strange behavior
is a bug or a feature. I wonder what is the original design idea to use rfc2307
under a samba 4 domain?

 thanks for advice.

Regards,
tbskyd
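Added example, not part of the thread and not Samba's own code: a small Python audit that reads the `idmap config <DOMAIN>:range` lines from a member server's smb.conf and checks getent-style passwd and group output for the symptoms tbsky reports in the original post (a gid that never resolves via `getent group`, a home directory still containing a literal `%U`, a uid handed out from the `*` fallback range instead of the AD domain's rfc2307 range). It also covers the member-server setup Eric describes (idmap backend = ad with rfc2307). The smb.conf text is constructed from the configuration posted in the thread, the passwd/group lines are constructed sample input, and `parse_idmap_ranges`, `audit` and the other names are this example's own, not Samba's.

```python
import re

# Constructed [global] section modelled on the member-server configuration in
# the thread; only the 'idmap config ...:range' lines matter to this script.
SMB_CONF = """\
[global]
   workgroup = DOM
   realm = AD.DOM.COM.TW
   security = ads
   idmap config *:backend = tdb
   idmap config *:range = 2001-3000
   idmap config DOM:backend = ad
   idmap config DOM:default = yes
   idmap config DOM:range = 1000-2000
   idmap config DOM:schema_mode = rfc2307
   winbind nss info = rfc2307
   winbind use default domain = yes
"""

# Constructed sample NSS output (what `getent passwd` / `getent group` might
# print on the member server); not real output from the thread.
PASSWD_LINES = [
    "alice:*:1001:1005:Alice:/home/alice:/bin/bash",    # healthy rfc2307 entry
    "bob:*:1002:513:Bob:/home/%U:/bin/bash",            # literal %U, gid 513 is a RID not an idmap gid
    "carol:*:2500:1005:Carol:/home/DOM/carol:/bin/sh",  # uid came from the '*' tdb range
]
GROUP_LINES = [
    "unixusers:x:1005:alice,bob,carol",
]

RANGE_RE = re.compile(r"^\s*idmap config\s+([^:]+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$")
TEMPLATE_MACRO_RE = re.compile(r"%[A-Za-z]")   # unexpanded smb.conf macro such as %U or %D


def parse_idmap_ranges(conf_text):
    """Return {domain_or_star: (low, high)} from 'idmap config X:range = a-b' lines."""
    ranges = {}
    for line in conf_text.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges


def range_owner(number, ranges):
    """Name of the idmap range containing `number`, or None if no range does."""
    for name, (low, high) in ranges.items():
        if low <= number <= high:
            return name
    return None


def parse_nss(lines, expected_fields):
    """Split colon-separated passwd/group lines into field lists, skipping malformed ones."""
    return [f for f in (line.split(":") for line in lines) if len(f) == expected_fields]


def audit(passwd_lines, group_lines, ranges, ad_domain):
    """Return {username: [problem, ...]}; an empty list means the entry looks sane."""
    known_gids = {int(g[2]) for g in parse_nss(group_lines, 4)}
    report = {}
    for name, _pw, uid, gid, _gecos, home, shell in parse_nss(passwd_lines, 7):
        uid, gid = int(uid), int(gid)
        problems = []
        uid_owner = range_owner(uid, ranges)
        if uid_owner is None:
            problems.append("uid %d is outside every idmap range" % uid)
        elif uid_owner != ad_domain:
            problems.append("uid %d was allocated from the '%s' range, not from %s "
                            "(rfc2307 uidNumber not used)" % (uid, uid_owner, ad_domain))
        if range_owner(gid, ranges) is None:
            problems.append("gid %d is outside every idmap range" % gid)
        if gid not in known_gids:
            problems.append("gid %d does not resolve via getent group" % gid)
        if TEMPLATE_MACRO_RE.search(home):
            problems.append("home '%s' still contains an unexpanded template macro" % home)
        if not shell.startswith("/"):
            problems.append("shell '%s' is not an absolute path" % shell)
        report[name] = problems
    return report


if __name__ == "__main__":
    ranges = parse_idmap_ranges(SMB_CONF)
    for user, problems in audit(PASSWD_LINES, GROUP_LINES, ranges, "DOM").items():
        print(user, "OK" if not problems else "; ".join(problems))
```

On a real member server, replace the constructed lists with the lines printed by `getent passwd` and `getent group` and feed in the actual smb.conf; the checks are the same ones a sysadmin would otherwise do by eye when a user lands in `/home/%U` or `getent group` returns nothing for their primary gid.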