Re: [Samba] [Samba 4] Issues with uidNumber and gidNumber in AD for Linux clients
On Thu, 2013-01-24 at 14:32 +0100, Fred F wrote:
> Thanks for your statement, Andrew. I know about winbind and we've used it in the past, but I remember there were some issues when dealing with POSIX ACLs and winbind. Now while winbind might work in some environments, I think it would be much nicer and cleaner to integrate Linux clients into a Samba AD domain with native Linux tools.
>
> The PAM part is very easy and works great already with Samba 4 and Linux clients using Kerberos. The only somewhat troublesome part is the NSS information (passwd/groups/shadow), which would also not really be an issue if Samba 4 properly implemented separation between users and groups in POSIX ACLs (#9521).

This bug is closed as invalid for very good reason. There is no separation between users and groups in Windows ACLs, once you have to handle groups owning files and SID History (users essentially becoming groups), and we have no choice but to match.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] [Samba 4] Issues with uidNumber and gidNumber in AD for Linux clients
Thanks for your statement, Andrew. I know about winbind and we've used it in the past, but I remember there were some issues when dealing with POSIX ACLs and winbind. Now while winbind might work in some environments, I think it would be much nicer and cleaner to integrate Linux clients into a Samba AD domain with native Linux tools.

The PAM part is very easy and works great already with Samba 4 and Linux clients using Kerberos. The only somewhat troublesome part is the NSS information (passwd/groups/shadow), which would also not really be an issue if Samba 4 properly implemented separation between users and groups in POSIX ACLs (#9521).

I guess I'll take a second look at winbind then.

Regards,
Frederik

2013/1/24 Andrew Bartlett abart...@samba.org:
> On Wed, 2013-01-23 at 18:29 +0100, Fred F wrote:
>> 2013/1/22 Gémes Géza g...@kzsdabas.hu:
>>> I don't agree, because users can be members of multiple groups, not just the group identified as their primary group
>>
>> Well, yes. That is not the point. Users can still be members of multiple groups (e.g. CN=Domain Admins,CN=Users,CN=DOMAIN), through the member attributes of the AD/LDAP nodes, but the actual issue here is that plain users do not show up in (CN=Domain Users,CN=Users,CN=DOMAIN), because Domain Users is set as the primary group directly. Additionally added groups show up on the Linux side as well, just not the primary group (with my approach).
>>
>> Any other thoughts? Isn't this scenario one of the most common usage scenarios ever? Serving both Windows and Linux? How come so little information is available about Samba4 with Linux clients?
>
> That is because there isn't anything special about Samba 4.0 as an AD DC with Linux clients that hasn't already been done for a Windows AD domain. The Samba Team recommends winbind as the AD client to use on Linux, because it handles these and many other details much better than just nss_ldap.
>
> Andrew Bartlett
>
> -- 
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
Re: [Samba] [Samba 4] Issues with uidNumber and gidNumber in AD for Linux clients
2013/1/22 Gémes Géza g...@kzsdabas.hu:
> I don't agree, because users can be members of multiple groups, not just the group identified as their primary group

Well, yes. That is not the point. Users can still be members of multiple groups (e.g. CN=Domain Admins,CN=Users,CN=DOMAIN), through the member attributes of the AD/LDAP nodes, but the actual issue here is that plain users do not show up in (CN=Domain Users,CN=Users,CN=DOMAIN), because Domain Users is set as the primary group directly. Additionally added groups show up on the Linux side as well, just not the primary group (with my approach).

Any other thoughts? Isn't this scenario one of the most common usage scenarios ever? Serving both Windows and Linux? How come so little information is available about Samba4 with Linux clients?

Regards,
Frederik
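Added example (not code from this thread) modelling the gap Frederik describes: an NSS backend that maps only gidNumber and the group `member` attribute never sees primary-group membership, because AD records it solely as a RID in the user's primaryGroupID, whereas a lookup that resolves primaryGroupID (as the DC does when it builds the token, and as winbind therefore gets from the DC) keeps it. The DNs, RIDs, POSIX ids and the domain SID below are constructed sample values.

```python
from dataclasses import dataclass, field

DOMAIN_SID = "S-1-5-21-1-2-3"   # constructed placeholder, not a real domain SID
DOMAIN_USERS_RID = 513          # well-known RID of Domain Users

@dataclass
class ADUser:
    dn: str
    uid_number: int             # uidNumber, as added in step 3 of the original post
    gid_number: int             # gidNumber, as added in step 4
    primary_group_id: int       # primaryGroupID: a bare RID, no 'member' link for it

@dataclass
class ADGroup:
    dn: str
    rid: int
    gid_number: int
    member: set = field(default_factory=set)   # explicit members only

def nss_ldap_groups(user, groups):
    """GIDs an attribute-mapping NSS backend can derive: the user's gidNumber
    plus every group whose 'member' attribute lists the user's DN."""
    gids = {user.gid_number}
    gids.update(g.gid_number for g in groups if user.dn in g.member)
    return gids

def primary_group_aware_groups(user, groups):
    """Additionally resolve primaryGroupID (domain SID + RID) to its group,
    which is how the DC computes the user's token."""
    primary_sid = f"{DOMAIN_SID}-{user.primary_group_id}"
    gids = nss_ldap_groups(user, groups)
    gids.update(g.gid_number for g in groups if f"{DOMAIN_SID}-{g.rid}" == primary_sid)
    return gids

def build_sample():
    """Constructed layout from the thread: Domain Users stays the AD primary
    group, but gidNumber points at a private group with gid == uid (#9521)."""
    domain_users = ADGroup("CN=Domain Users,CN=Users,DC=example,DC=test", DOMAIN_USERS_RID, 100)
    admins = ADGroup("CN=Domain Admins,CN=Users,DC=example,DC=test", 512, 512)
    private = ADGroup("CN=test-private,CN=Users,DC=example,DC=test", 1105, 3000001)
    test = ADUser("CN=test,CN=Users,DC=example,DC=test", uid_number=3000001,
                  gid_number=3000001, primary_group_id=DOMAIN_USERS_RID)
    admins.member.add(test.dn)   # explicit membership is visible in both views
    return test, [domain_users, admins, private]

def compare():
    user, groups = build_sample()
    return nss_ldap_groups(user, groups), primary_group_aware_groups(user, groups)

if __name__ == "__main__":
    ldap_view, aware_view = compare()
    print("nss_ldap view:", sorted(ldap_view))           # [512, 3000001]: Domain Users (100) is lost
    print("primaryGroupID-aware view:", sorted(aware_view))   # [100, 512, 3000001]
```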
Re: [Samba] [Samba 4] Issues with uidNumber and gidNumber in AD for Linux clients
On Wed, 2013-01-23 at 18:29 +0100, Fred F wrote:
> 2013/1/22 Gémes Géza g...@kzsdabas.hu:
>> I don't agree, because users can be members of multiple groups, not just the group identified as their primary group
>
> Well, yes. That is not the point. Users can still be members of multiple groups (e.g. CN=Domain Admins,CN=Users,CN=DOMAIN), through the member attributes of the AD/LDAP nodes, but the actual issue here is that plain users do not show up in (CN=Domain Users,CN=Users,CN=DOMAIN), because Domain Users is set as the primary group directly. Additionally added groups show up on the Linux side as well, just not the primary group (with my approach).
>
> Any other thoughts? Isn't this scenario one of the most common usage scenarios ever? Serving both Windows and Linux? How come so little information is available about Samba4 with Linux clients?

That is because there isn't anything special about Samba 4.0 as an AD DC with Linux clients that hasn't already been done for a Windows AD domain. The Samba Team recommends winbind as the AD client to use on Linux, because it handles these and many other details much better than just nss_ldap.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Re: [Samba] [Samba 4] Issues with uidNumber and gidNumber in AD for Linux clients
On 2013-01-22 15:52, Fred F wrote:
> Hi,
>
> I am still experimenting with Samba 4 and I'd like to serve both Windows and Linux clients with Samba (standalone AD server). The Windows side is already working well. For serving Linux clients I need to store the users' uidNumber and gidNumber in the Active Directory. This is how I do that:
>
> 1. Create a user test with samba-tool
> 2. Get the internal UID which was assigned to this user by Samba through wbinfo
> 3. Add the UID to CN=test,CN=Users,CN=DOMAIN as uidNumber
> 4. Add gidNumber=100 (Domain Users) to CN=test,CN=Users,CN=DOMAIN
>
> With the correct nss_ldap setup (mainly attribute mappings) the Linux boxes can now get their passwd/shadow/group information directly from AD. The Linux user now has the exact same attributes and groups as the Windows user.
>
> Now the issue is that Samba needs a group with the same gidNumber as the uidNumber for each user to work correctly in this setup (see why in #9521 [1]). The only logical way of doing that is storing this gidNumber as the user's primary group in the AD. This way the user loses the membership in the group Domain Users (gidNumber 100), though - at least on the Linux side.
>
> Are there any thoughts on how to solve this? Is this maybe a Samba issue or is my setup just wrong?
>
> Regards,
> Frederik
>
> [1] https://bugzilla.samba.org/show_bug.cgi?id=9521

I don't agree, because users can be members of multiple groups, not just the group identified as their primary group

Regards

Geza Gemes