Zentyal Forum, Linux Small Business Server
Zentyal Server => Directory and Authentication => Topic started by: nickpiggott on August 28, 2019, 08:59:41 pm
-
I am running Zentyal 5.1, providing an Active Directory service. I can successfully join machines to the domain, and I have a number of users in the domain. They all have uidNumber and gidNumber entries in their LDAP records, and these are correctly mapped to the user ID and group IDs when the user logs into any of the Domain Controllers.
The server smb.conf contains
idmap_ldb:use rfc2307 = yes
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/bash
template homedir = /home/%U
Problem: The user and group IDs that are allocated to users and groups are different when the user logs into a (non Domain Controller) machine joined to the domain.
Can anyone advise what I need to install and configure for the idmapping on the client machine to correctly use the uidNumber and gidNumber in the Active Directory?
I've followed a number of guides for enabling SSO with AD, and the official Samba guidance (https://wiki.samba.org/index.php/Idmap_config_ad) for idmap config ad. I can't find much documentation on how to use the idmap_ldb configuration on the client machine.
Thanks
-
I have found the solution.
1. Add these lines to the relevant [domain] section of /etc/sssd/sssd.conf
id_provider = ad
access_provider = ad
ldap_id_mapping = false
enumerate = true
2. Stop SSSD with
sudo systemctl stop sssd
3. Clear the SSSD cache with
sudo rm -rf /var/lib/sss/db/*
4. Start SSSD again
sudo systemctl start sssd
5. Verify that the native uidNumber and gidNumber are showing
getent passwd
getent group
6. If the native ids are showing, edit the /etc/sssd/sssd.conf file to remove the enumerate = true line, and stop/start SSSD again.
You should not need to make any reference to winbind in smb.conf or idmap config in sssd.conf
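As an added example (not code from the original post, nor from Zentyal or SSSD), here is a Python check for the procedure above. It confirms that the [domain/...] section of sssd.conf carries the settings listed (id_provider, access_provider, ldap_id_mapping = false) and that the temporary enumerate = true has been removed again, and it diffs `getent passwd` output taken on a domain controller against the same output from a workstation, flagging every account that is still resolved to an algorithmically mapped uid/gid (for instance from a stale SSSD cache) or that is not resolvable at all because it has no uidNumber/gidNumber in AD. Both failure modes matter for the NFS use case: with AUTH_SYS the numbers themselves are the identity the server enforces permissions on. The domain name example.lan, the sssd.conf contents and the getent lines are constructed sample data, not taken from the thread.

```python
"""Verify that a workstation resolves AD accounts to the uidNumber/gidNumber
stored in the directory rather than to SSSD's algorithmic ID mapping.

check_sssd_conf()  - inspects the [domain/<name>] section of sssd.conf
compare_ids()      - diffs `getent passwd` output from a DC against the same
                     output from the workstation and reports every account
                     whose uid/gid differ; with NFS (AUTH_SYS) the numbers are
                     the access-control identity, so a mismatch means the wrong
                     permissions are applied on the client.
"""
import configparser

# Settings the forum post adds to the [domain/...] section.
REQUIRED = {"id_provider": "ad", "access_provider": "ad", "ldap_id_mapping": "false"}


def check_sssd_conf(conf_text: str, domain: str) -> list[str]:
    """Return a list of problems found in sssd.conf; an empty list means OK."""
    cp = configparser.ConfigParser(interpolation=None)  # keep %u in homedir templates intact
    cp.read_string(conf_text)
    section = f"domain/{domain}"
    if not cp.has_section(section):
        return [f"missing [{section}] section"]
    problems = []
    for key, want in REQUIRED.items():
        got = cp.get(section, key, fallback=None)
        if got is None:
            problems.append(f"{key} not set (want {want})")
        elif got.strip().lower() != want:
            problems.append(f"{key} = {got.strip()} (want {want})")
    # enumerate = true is only for the verification step and is costly on a large domain.
    if cp.get(section, "enumerate", fallback="false").strip().lower() == "true":
        problems.append("enumerate = true still set (remove it after verifying)")
    return problems


def parse_passwd(text: str) -> dict[str, tuple[int, int]]:
    """Map account name -> (uid, gid) from `getent passwd` output.

    Winbind may print DOMAIN\\user and SSSD may print user@domain depending on
    configuration; both are reduced to the bare account name (assumption).
    """
    ids = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 4 or not fields[0]:
            continue
        name = fields[0].split("\\")[-1].split("@")[0].lower()
        ids[name] = (int(fields[2]), int(fields[3]))
    return ids


def compare_ids(dc_passwd: str, client_passwd: str, min_uid: int = 1000) -> dict[str, str]:
    """Report accounts (uid >= min_uid on the DC) whose ids differ on the client."""
    dc = parse_passwd(dc_passwd)
    client = parse_passwd(client_passwd)
    mismatches = {}
    for name, (uid, gid) in sorted(dc.items()):
        if uid < min_uid:  # skip local system accounts such as root
            continue
        if name not in client:
            # With ldap_id_mapping = false, SSSD drops accounts lacking uidNumber/gidNumber.
            mismatches[name] = "not resolvable on client (no uidNumber/gidNumber in AD?)"
        elif client[name] != (uid, gid):
            cuid, cgid = client[name]
            mismatches[name] = f"dc uid/gid {uid}/{gid} vs client {cuid}/{cgid}"
    return mismatches


# Constructed sample data (not taken from the thread); example.lan is a placeholder domain.
SAMPLE_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = example.lan

[domain/example.lan]
ad_domain = example.lan
krb5_realm = EXAMPLE.LAN
id_provider = ad
access_provider = ad
ldap_id_mapping = false
use_fully_qualified_names = false
fallback_homedir = /home/%u
default_shell = /bin/bash
"""

DC_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:*:10001:10000:Alice:/home/alice:/bin/bash
bob:*:10002:10000:Bob:/home/bob:/bin/bash
svc-backup:*:10050:10000:Backup service:/home/svc-backup:/bin/bash
"""

# Workstation output: bob still carries an algorithmically mapped uid/gid (stale
# cache); svc-backup has no uidNumber in AD, so it is not resolved at all.
CLIENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:*:10001:10000:Alice:/home/alice:/bin/bash
bob:*:1234401105:1234400513:Bob:/home/bob:/bin/bash
"""

if __name__ == "__main__":
    for problem in check_sssd_conf(SAMPLE_CONF, "example.lan") or ["sssd.conf OK"]:
        print(problem)
    for name, why in compare_ids(DC_PASSWD, CLIENT_PASSWD).items():
        print(f"{name}: {why}")
```

In practice, feed compare_ids() the output of `getent passwd` captured on the DC and on the workstation. Once enumerate has been removed again, a bare `getent passwd` on the workstation no longer lists domain accounts, so query them by name (`getent passwd alice bob`) instead. Two caveats the check makes visible: a mapped uid such as 1234401105 that survives the switch to ldap_id_mapping = false almost always means the cache under /var/lib/sss/db was not cleared, and an account that disappears from the client entirely is one that has no uidNumber/gidNumber in AD, which needs fixing in the directory rather than on the client.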
-
:)
I see that you have made some major changes to the Zentyal Samba4 implementation. I think this is a really interesting option. Could you please tell me about this configuration?
Thank you!
-
I'm trying to create a harmonised experience for my users across a mixture of Microsoft Windows and Linux (Ubuntu) machines.
Using SMB to access files on the file server is a good experience in Windows (with automatic drive mapping at logon), but a poor experience on Linux. I prefer to use NFS for Linux workstations, using exports and mounting them natively, but to do that, the user and group ID numbers must be aligned across the whole network.
This configuration of SSSD on the workstations means the user id and group ids are the same on the workstation as the server, so access control is correctly applied across the NFS shares (and consistently in line with accessing the same files using SMB).
As a user, I don't notice any significant difference between accessing my files using mapped drives in Windows or mounted in folders in Linux, which is my ambition.
-
Don't use sssd with Samba >= 4.8.0, they are incompatible.
From Samba 4.8.0, you must run winbind on a Unix domain member and you always have had to run winbind on a Samba AD DC.
sssd has its own version of the winbind libs and these can interfere with the standard Samba ones; even Red Hat is telling users not to use sssd with Samba.
-
:)
Don't use sssd with Samba >= 4.8.0, they are incompatible.
From Samba 4.8.0, you must run winbind on a Unix domain member and you always have had to run winbind on a Samba AD DC.
sssd has its own version of the winbind libs and these can interfere with the standard Samba ones; even Red Hat is telling users not to use sssd with Samba.
It isn't a problem in Zentyal 6.0.
sudo samba --version
Version 4.7.6-Ubuntu
cheers!
-
What, 4.7.6 ?
Hasn't anybody noticed that it is EOL, even more so when 4.11.0 is released (which is very imminent)?
But as Zentyal is a Samba DC, it is still a problem; you shouldn't run sssd with winbind.
-
:)
Zentyal uses the samba version released for Ubuntu.
Cheers!