Author Topic: [SOLVED] Active Directory clients and user / group IDs  (Read 2330 times)

nickpiggott

  • Zen Apprentice
  • *
  • Posts: 23
  • Karma: +8/-0
    • View Profile
[SOLVED] Active Directory clients and user / group IDs
« on: August 28, 2019, 08:59:41 pm »
I am running Zentyal 5.1, providing an Active Directory service. I can successfully join machines to the domain, and I have a number of users in the domain. They all have uidNumber and gidNumber entries in their LDAP records, and these are correctly mapped to the user ID and group IDs when the user logs into any of the Domain Controllers.

The server smb.conf contains
Code: [Select]
    idmap_ldb:use rfc2307 = yes

    winbind enum users = yes
    winbind enum groups = yes
    template shell = /bin/bash
    template homedir = /home/%U

Problem: The user and group IDs that are allocated to users and groups are different when the user logs into a (non Domain Controller) machine joined to the domain.

Can anyone advise what I need to install and configure for the idmapping on the client machine to correctly use the uidNumber and gidNumber in the Active Directory?

I've followed a number of guides for enabling SSO with AD, and the official Samba guidance for idmap config ad. I can't find much documentation on how to use the idmap_ldb configuration on the client machine.

Thanks
« Last Edit: August 29, 2019, 12:26:15 pm by nickpiggott »

nickpiggott

  • Zen Apprentice
  • *
  • Posts: 23
  • Karma: +8/-0
    • View Profile
Re: Active Directory clients and user / group IDs
« Reply #1 on: August 29, 2019, 12:26:02 pm »
I have found the solution.

1. Add in these lines into the relevant [domain] section of /etc/sssd/sssd.conf
Code: [Select]
id_provider = ad
access_provider = ad
ldap_id_mapping = false
enumerate = true
2. Stop SSSD with
Code: [Select]
sudo systemctl stop sssd3. Clear the SSSD cache with
Code: [Select]
sudo rm -rf /var/lib/sss/db/*4. Start SSSD again
Code: [Select]
sudo systemctl start sssd5. Verify that the native uidNumber and gidNumber are showing
Code: [Select]
getent passwd
getent group
6. If the native ids are showing, edit the /etc/sssd/sssd.conf file to remove the enumerate = true line, and stop/start SSSD again.

You should not need to make any reference to winbind in smb.conf or idmap config in sssd.conf
« Last Edit: August 29, 2019, 12:28:18 pm by nickpiggott »

doncamilo

  • Zen Samurai
  • ****
  • Posts: 478
  • Karma: +165/-1
    • View Profile
Re: [SOLVED] Active Directory clients and user / group IDs
« Reply #2 on: September 05, 2019, 01:29:13 pm »
 :)

I see that you have done some major changes on Zentyal Samba4 implementation. I think this a really interesting option. Could you please tell me about this configuration?

Thank you!

- Do my pigeons bother you passing over your land?
- They block the sun!

G. Guareschi., Don Camillo.,

nickpiggott

  • Zen Apprentice
  • *
  • Posts: 23
  • Karma: +8/-0
    • View Profile
Re: [SOLVED] Active Directory clients and user / group IDs
« Reply #3 on: September 09, 2019, 08:55:49 am »
I'm trying to create a harmonised experience for my users across a mixture of Microsoft Windows and Linux (Ubuntu) machines.

Using SMB to access files on the file server is a good experience in Windows (with automatic drive mapping at logon), but a poor experience on Linux. I'm preferring to use NFS for Linux workstations, using exports and mounting them natively, but to do that, the user and group ID numbers must be aligned across the whole network.

This configuration of SSSD on the workstations means the user id and group ids are the same on the workstation as the server, so access control is correctly applied across the NFS shares (and consistently in line with accessing the same files using SMB).

As a user, I don't notice any significant different between accessing my files using mapped drives in Windows or mounted in folders in Linux, which is my ambition.

hortimech1

  • Zen Apprentice
  • *
  • Posts: 3
  • Karma: +0/-0
    • View Profile
Re: [SOLVED] Active Directory clients and user / group IDs
« Reply #4 on: September 13, 2019, 11:22:47 am »
Don't use sssd with Samba >= 4.8.0, they are incompatible.
From Samba 4.8.0, you must run winbind on a Unix domain member and you always have had to run winbind on a Samba AD DC.
sssd has its own version of thw winbind libs and these can interfere with the standard Samba ones, even Red-Hat is telling users not use sssd with Samba.

doncamilo

  • Zen Samurai
  • ****
  • Posts: 478
  • Karma: +165/-1
    • View Profile
Re: [SOLVED] Active Directory clients and user / group IDs
« Reply #5 on: September 13, 2019, 01:40:28 pm »
 :)

Don't use sssd with Samba >= 4.8.0, they are incompatible.
From Samba 4.8.0, you must run winbind on a Unix domain member and you always have had to run winbind on a Samba AD DC.
sssd has its own version of thw winbind libs and these can interfere with the standard Samba ones, even Red-Hat is telling users not use sssd with Samba.


It isn't a problem in Zentyal 6.0.

Code: [Select]
sudo samba --version
Version 4.7.6-Ubuntu

cheers!
- Do my pigeons bother you passing over your land?
- They block the sun!

G. Guareschi., Don Camillo.,

hortimech1

  • Zen Apprentice
  • *
  • Posts: 3
  • Karma: +0/-0
    • View Profile
Re: [SOLVED] Active Directory clients and user / group IDs
« Reply #6 on: September 13, 2019, 07:59:09 pm »
What, 4.7.6 ?
Hasn't anybody noticed that it is EOL, even more so when 4.11.0 is released (which is very imminent)
But as Zentyal is a Samba DC, it is still a problem, you shouldn't run sssd with winbind

doncamilo

  • Zen Samurai
  • ****
  • Posts: 478
  • Karma: +165/-1
    • View Profile
Re: [SOLVED] Active Directory clients and user / group IDs
« Reply #7 on: December 13, 2019, 03:06:14 pm »
 :)

Zentyal uses the samba version released for Ubuntu.

Cheers!
- Do my pigeons bother you passing over your land?
- They block the sun!

G. Guareschi., Don Camillo.,