
Thread: Samba 4 userid mapping

  1. #1

    Samba 4 userid mapping

    Complete new user here. Setting up my first samba configuration, using samba 4.0.6 as a primary domain controller. I have user profiles, network shares, active directory, and domain controller working. But I cannot understand how to map windows userid to linux userid (and map groupid as well). I am struggling because much of the documentation is outdated and meant for samba 3.x or targeted for samba as a domain member. I followed some documentation to try the userid mapping through active directory, but that required Microsoft services for Unix 3.5, which will not install on 64 versions of MS. I find myself without any orientation of how to proceed.

    I am suffering from documentation overload, much of it contradictory or not applicable. I am not even sure how to use winbind, or if that is required for my situation. I really need a simple step by step howto that is specific to samba 4 as a PDC. If you want to reference documentation, great, but please reference specific sections instead of whole general chapters. Any help greatly appreciated. Thank you.

    Configuration information follows:

    Server
    --------------------------------
    OS: OpenSuSE 12.1, 64 bit
    Samba: Samba 4.0.6
    Configuration: Primary domain controller with active directory support
    Using BIND 9 DNS server
    --------------------------------

    Client
    --------------------------------
    OS: Windows 7 Professional, 64 bit
    --------------------------------

    Samba configuration file

    --------------------------------
    Code:
    # Global parameters
    [global]
        workgroup = MYDOMAIN
        realm = MYDOMAIN.ORG
        netbios name = SERVER
        wins support = Yes
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
        encrypt passwords = yes

        # Setup user maps
        idmap config * : backend = tdb
        idmap config * : range = 100000-199999
        idmap config MYDOMAIN : backend = ad
        idmap config MYDOMAIN : schema_mode = rfc2307
        idmap config MYDOMAIN : range = 50000-99999
        winbind nss info = rfc2307
        winbind trusted domains only = No
        winbind use default domain = Yes
        winbind enum users = Yes
        winbind enum groups = Yes

        # Logon path tells samba where to put Windows roaming profiles
        logon path = \\%h\profiles\%u
        # Logon home is used to specify home directory and
        # Windows 95/98/ME roaming profile location
        logon home = \\%h\%u\.win_profiles

        # Allow Samba to send correct time to windows
        time server = Yes

        # Set logging options
        log file = /var/log/samba/log.odeon

    # Shares configurations follow.  Not included for brevity . . .
    --------------------------------

  2. #2
    Join Date
    Nov 2009
    Location
    ND, USA
    Posts
    1,131

    Re: Samba 4 userid mapping

    On 7/10/2013 8:26 AM, nickninevah wrote:
    >
    > Complete new user here. Setting up my first samba configuration, using
    > samba 4.0.6 as a primary domain controller. I have user profiles,
    > network shares, active directory, and domain controller working. But I
    > can not understand how to map windows userid to linux userid (and map
    > groupid as well). I am struggling because much of the documentation is
    > outdated and meant for samba 3.x or targeted for samba as a domain
    > member. I followed some documentation to try the userid mapping
    > through active directory, but that required Microsoft services for Unix
    > 3.5, which will not install on 64 versions of MS. I find myself
    > without any orientation of how to proceed.
    >
    > I am suffering from documentation overload, much of it contradictory
    > or not applicable. I am not even sure how to use winbind, or if that
    > is required for my situation. I really need a simple step by step
    > howto that is specific to samba 4 as a PDC. If you want to reference
    > documentation, great, but please reference specific sections instead of
    > whole general chapters. Any help greatly appreciated. Thank you.


    nickninevah;

    AFAIK, unlike Samba3, there is no need to map Windows GID to Unix UID with Samba4. See:

    http://wiki.samba.org/index.php/Addi...ith_samba_tool

    I don't think there are very many on this forum that have a lot of experience with setting up a Samba 4 AD. So although you appear to dislike reading, you would still benefit from reading:

    http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO

    --
    P.V.
    "We're all in this together, I'm pulling for you" Red Green

  3. #3

    Re: Samba 4 userid mapping

    Dislike reading? I will ignore the insult and instead choose to post what I have learned to make userid mapping work successfully and get roaming profiles to work.

    The two references I found most helpful were:

    https://lists.samba.org/archive/samb...ry/160518.html

    https://wiki.samba.org/index.php/Add...ith_samba_tool

    As the wiki articles pointed out, id mapping is now handled as part of Samba's internal LDAP database. To access the entry for the user, you need the user's sid under windows.

    Code:
    installdir=/usr/local/samba   # wherever you installed samba, probably /usr/local/samba
    username=USERNAME             # the name of the user you have already created in active directory

    $installdir/bin/wbinfo -n $username

    This will return the user's sid. Now use that to change the userid map. I created a custom script called usermap for this and added it to the samba/bin directory

    Code:
    #!/bin/sh
    # usermap: open the idmap.ldb entry for one SID in an editor
    EDITOR_BIN=/usr/bin/nano
    SAMBA_DB=/usr/local/samba/private/idmap.ldb
    LDBPATH=/usr/local/samba/bin/ldbedit

    # $1 is the SID returned by "wbinfo -n <user>"
    "${LDBPATH}" -e "${EDITOR_BIN}" -H "${SAMBA_DB}" "objectsid=${1}"

    You would execute this script as:

    Code:
    $installdir/bin/usermap users_sid

    Where users_sid is the sid you just got from wbinfo.

    Your job isn't done yet. Now you need to also map the group for the user. Easiest way to do this is:

    Code:
    $installdir/bin/wbinfo --user-sids users_sid

    That will give you two sids. The first one belongs to the user. The second one is the user's group. Repeat the usermap exercise with the group sid and map that to an appropriate group on your linux domain.

  4. #4

    Re: Samba 4 userid mapping

    Now to discuss how to do all of this and get roaming profiles to work.

    On the linux side, create a directory that will store your roaming profiles. Directory should be owned by root:root and have permissions 770. Set up your samba config to share this out as the [profiles] share.

    First, you will need to go through the entire mapping process with all groups on the windows domain. Ensure they all have matching groups on the linux domain with useful permissions to create profiles in wherever you store the profile directory.

    You can learn how to use wbinfo for this from the samba help file

    wbinfo

    I'll just use wbinfo as a shortened alias. But wbinfo is actually

    Code:
    INSTALL_DIR=/usr/local/samba   # wherever you installed samba 4
    $INSTALL_DIR/bin/wbinfo

    To get groups, use

    Code:
    wbinfo --group-info group

    That gives you group IDs on the linux side. Then convert those to windows sids with

    Code:
    wbinfo --gid-to-sid GID

    Once you have the sid, use the usermap function I defined in the previous post to map the account to an appropriate linux group id. Repeat this for every windows group.


    Now the fun part begins. Follow this exact sequence to ensure roaming profiles work.

    1.) Create the user in active directory. DO NOT ASSIGN A PROFILE PATH YET.
    2.) Login that user once. I found this necessary to create the initial user entry for id-mapping in linux.
    3.) Logout the user.
    4.) Go to linux side and map the user sid to the linux uid as described in the previous post.
    5.) Login to windows as domain admin and use active directory to assign the user a roaming profile directory.
    6.) Logout of domain admin.
    7.) Now login as the user. It should automatically create a directory for the user's profile using the linux username and group name from the id-mapping you set up.


    Hope that helps someone.

  5. #5

    Re: Samba 4 userid mapping

    On 7/18/2013 12:46 AM, nickninevah wrote:
    >
    > Dislike reading? I will ignore the insult and instead choose to post
    > what I have learned to make userid mapping work successfully and get
    > roaming profiles to work.
    >
    > The two references I found most helpful were:
    >
    > https://lists.samba.org/archive/samb...ry/160518.html
    >
    > https://wiki.samba.org/index.php/Add...ith_samba_tool
    >

    <snip>
    >

    Thank you for posting this information. I did not intend to insult you just give you the "Samba AD DC HOWTO", which was counter to your explicit request.



    --
    P.V.
    "We're all in this together, I'm pulling for you" Red Green

  6. #6

    Re: Samba 4 userid mapping

    My mistake. Sorry for the rude reply. Hopefully we can do a little more knowledge sharing. Mostly, I'm frustrated because all the guides I have found so far are for samba 3, not samba 4. And much of the reading material I come across (such as the official samba guide) provides extensive descriptions about how impressive the features for samba are. And plenty of description on the configuration file options. But the organization and description for the utilities (such as net groupmap) left me confused.

    Which leads me to my latest problem. With my user id mapping now successful, I can see my samba shares. But I don't have write permission to every folder in the share. First, the details of the setup.

    Samba configuration file
    Code:
    [global]
            # Domain Controller Options
            # ============================================================
            workgroup = VAHALLA
            realm = VAHALLA.ORG
            netbios name = ODEON
            wins support = Yes
            server role = active directory domain controller
            server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
            encrypt passwords = yes
    
            # Security Options
            # ============================================================
            hosts allow = 127.0.0.1 192.168.1.0/24
            hosts deny = 0.0.0.0/0
            security = user
    
            # WinBind Options
            # ============================================================
            #winbind nss info = rfc2307
            #winbind trusted domains only = No
            #winbind use default domain = Yes
            #winbind enum users = Yes
            #winbind enum groups = Yes
    
            # Logon path tells samba where to put Windows roaming profiles
            logon path = \\%h\profiles\%u
    
            # logon drive = H:
    
            # Logon home is used to specify home directory and 
            # Windows 95/98/ME roaming profile location
            logon home = \\%h\%u\.win_profiles
    
            # Allow Samba to send correct time to windows
            time server = Yes
    
            # Set logging options
            log file = /var/log/samba/log.odeon
    
            # Other Global Options
            # ===========================================================
            hide dot files = Yes
    
    [netlogon]
            path = /usr/local/samba/var/locks/sysvol/vahalla.org/scripts
            # read only = No
            writeable = Yes
            comment = Logon Scripts
            volume = LOGON SCRIPTS
    
    [sysvol]
            path = /usr/local/samba/var/locks/sysvol
            # read only = No
            writeable = Yes
            comment = SysAdmin Scripts
            volume = SYSADMIN SCRIPTS
    
    [homes]
            path = /export/home/%u
            # read only = No
            writeable = Yes
            comment = User Home Directory
            volume = USER DIRECTORY
            browsable = no
            inherit acls = Yes
            # valid users = %u
            # valid users = VAHALLA\%U
    
    [profiles]
            path = /export/win_profiles/
            browsable = No
            read only = No
            profile acls = Yes
            create mask = 0600
            directory mask = 0700
            comment = User Profiles
            volume = PROFILES
    
    [Shared]
            path = /export/home
            read only = No
            comment = User Home Directories
            volume = HOME DIRECTORIES
            browseable = Yes
            hide files = /*.ini/
            inherit acls = Yes
            # valid users = @ntuser
            # write list = @ntuser
    
    [Public]
            path = /export/home/public
            read only = No
            comment = Share information
            volume = PUBLIC
            browseable = Yes
            hide files = /*.ini/
            inherit acls = Yes
    
    [printers]
            comment = All Printers
            path = /var/tmp
            printable = Yes
            create mask = 0600
            browseable = No

    From the commented out options, you can see I have experimented with a few things. I also setup group mapping. Here are my current group maps.

    Code:
    odeon:/etc/samba # net groupmap list
    Domain Guests (S-1-5-21-1480406318-1800422186-3920511979-1004) -> nobody
    Domain Users (S-1-5-21-1480406318-1800422186-3920511979-1000) -> ntusers
    Domain Admins (S-1-5-21-1480406318-1800422186-3920511979-1003) -> root

    The group ntusers is an LDAP group that I use on the linux side for network wide permissions of all users. (It's a home network with 2 users. No need for fine segregation.)

    And here is my nsswitch.conf
    Code:
    odeon:/etc # cat nsswitch.conf
    #
    # /etc/nsswitch.conf
    #
    # An example Name Service Switch config file. This file should be
    # sorted with the most-used services at the beginning.
    #
    # The entry '[NOTFOUND=return]' means that the search for an
    # entry should stop if the search in the previous entry turned
    # up nothing. Note that if the search failed due to some other reason
    # (like no NIS server responding) then the search continues with the
    # next entry.
    #
    # Legal entries are:
    #
    #       compat                  Use compatibility setup
    #       nisplus                 Use NIS+ (NIS version 3)
    #       nis                     Use NIS (NIS version 2), also called YP
    #       dns                     Use DNS (Domain Name Service)
    #       files                   Use the local files
    #       [NOTFOUND=return]       Stop searching if not found so far
    #
    # For more information, please read the nsswitch.conf.5 manual page.
    #
    
    # passwd: files nis
    # shadow: files nis
    # group:  files nis
    
    passwd: compat sss
    group:  files sss
    
    hosts:  files mdns4_minimal [NOTFOUND=return] dns wins
    networks:       files dns
    
    services:       files
    protocols:      files
    rpc:    files
    ethers: files
    netmasks:       files
    netgroup:       files
    publickey:      files
    
    bootparams:     files
    automount:      files nis ldap
    aliases:        files

    Now here is the problem: When I examine the shares on the windows side, I can see that the top level folder has the group "Domain Users" with full control permissions, which is what I wanted. But those permissions do not propagate down to any subfolders. All the subfolders and files do not have any permissions entry for "Domain Users". I know some will tell me that samba only sets permission for the top level folders. But I set the linux permissions so that all subfolders should be readable, if I understand correctly.

    Folder permissions of the share [public]

    Code:
    odeon:/export/home/public # l
    total 44
    drwxrwxr-x+   7 root ntusers  4096 Jul 24 16:45 ./
    drwxr-xr-x+   6 root root     4096 Jul 23 22:08 ../
    drwxrwx---   12 root ntusers  4096 Jun 15 12:28 Documents/
    drwxrwxr-x  187 root ntusers 12288 May 29 06:34 Music/
    drwxrwxr-x   16 root ntusers  4096 Apr 21 17:00 Pictures/
    drwxrwxr-x   10 root ntusers  4096 Nov 11  2012 System Software/
    drwxrwxr-x    3 root ntusers  4096 Mar 18  2012 Videos/

    From what I understand, since all folders are owned by group ntusers, and the group Domain Users maps to ntusers, then any windows user which is a member of Domain Users should have full control over the files in this share. But it is only the root folder that even registers Domain Users as a group.

    The one hint I have to this is that when I examine the share permissions on the windows side, there are some unresolved SID account numbers. My permissions look like this:

    Group or Username   Permissions (columns: Full Control | Modify | Read & Execute | List Contents | Read | Write | Special Permissions)
    Everyone            X X X
    S-1-22-1-1001       X
    S-1-22-2-1000       X
    CREATOR OWNER       X
    CREATOR GROUP       X

    The file is owned by S-1-22-1-1001. The odd part is the SID. I don't recognize those SID numbers. They aren't even from the samba domain, because they are completely different at the beginning of the string. My best guess has been that these SIDs relate to the local linux system. All my users on windows (through samba) map to LDAP users on the linux system. I have two LDAP servers running. Samba's internal AD LDAP runs on ports 389 and 636. Linux LDAP runs on ports 390 and 637. So far they haven't interfered with each other. But I wonder if windows is somehow reading from the linux LDAP. Or if it is somehow related to the problem that my LDAP users are not local user accounts.

    I'll take any ideas. I'd settle just for an explanation of tools that I can use to track down these mystery SID numbers and do something about them.

  7. #7

    Re: Samba 4 userid mapping

    On 7/24/2013 9:16 PM, nickninevah wrote:
    >
    > My mistake. Sorry for the rude reply. Hopefully we can do a little
    > more knowledge sharing. Mostly, I'm frustrated because all the guides I
    > have found so far are for samba 3, not samba 4. And much of the reading
    > material I come across (such as the official samba guide) provides
    > extensive descriptions about how impressive the features for samba are.
    > And plenty of description on the configuration file options. But the
    > organization and description for the utilities (such as net groupmap)
    > left me confused.
    >
    > Which leads me to my latest problem. With my user id mapping now
    > successful, I can see my samba shares. But I don't have write
    > permission to every folder in the share. First, the details of the
    > setup.

    <snip>
    >
    > The file is owned by S-1-22-1-1001. The odd part is the SID. I don't
    > recognize those SID numbers. They aren't even from the samba domain,
    > because they are completely different at the beginning of the string.
    > My best guess has been that these SID's relate to the local linux
    > system. All my users on windows (through samba) map to LDAP
    > users on the linux system. I have two LDAP servers running. Samba's
    > internal AD LDAP runs on ports 389 and 636. Linux LDAP runs on ports
    > 390 and 637. So far they haven't interfered with each other. But I
    > wonder if windows is somehow reading from the linux LDAP. Or if it is
    > somehow related to the problem that my LDAP users are not local user
    > accounts.
    >
    > I'll take any ideas. I'd settle just for an explanation of tools that
    > I can use to track down these mystery SID numbers and do something about
    > them.
    >
    >

    nickninevah;

    Let me start by saying that I do not have a great deal of experience with Samba4. With that in mind let me comment on the share permissions. AFAIK Samba4 uses ACLs for permission and recommends setting the permissions from a Windows machine using a user with "SeDiskOperatorPrivilege". See:

    http://wiki.samba.org/index.php/Setu...re_file_shares

    I'm not sure about Samba4, but in later Samba3 releases the SID S-1-22-1-X was assigned to unmapped users where X is the NIX UID.

    As you are one of the pioneers on this forum using Samba4, please keep us posted.

    --
    P.V.
    "We're all in this together, I'm pulling for you" Red Green
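    The following POSIX sh script is an added example written for this thread; it is not code from either poster, from the Samba project, or from any wiki page linked above. It does the "tracking down" asked for in post #6 and applies the rule PV gives in post #7: Samba reports an unmapped Unix uid X as S-1-22-1-X and, in the same scheme, an unmapped Unix gid as S-1-22-2-X. The functions (is_sid, sid_kind, unix_id_from_sid, sid_domain, well_known_name, sid_from_wbinfo_line, describe_sid) are my own names. The domain SID is the one from the net groupmap output in post #6; the ACL entries at the bottom are constructed to match the permissions table there, and the wbinfo -n line is a constructed sample of the output format described in post #3.

```shell
#!/bin/sh
# Added example, not code from the thread: classify the SIDs that turn up in
# wbinfo output and in the Windows ACL editor, and pull the Unix uid/gid out
# of the S-1-22-* ones. All sample values below are constructed.

# Return 0 if $1 is syntactically a SID: "S-1-" followed by one or more
# decimal components separated by single dashes.
is_sid() {
    case "$1" in
        S-1-[0-9]*) ;;
        *) return 1 ;;
    esac
    rest=${1#S-1-}
    while [ -n "$rest" ]; do
        part=${rest%%-*}
        case "$part" in
            ''|*[!0-9]*) return 1 ;;     # empty component or non-digit
        esac
        if [ "$rest" = "$part" ]; then
            rest=''
        else
            rest=${rest#*-}
            [ -n "$rest" ] || return 1   # trailing dash
        fi
    done
    return 0
}

# Print which authority a SID belongs to. S-1-22-1-N / S-1-22-2-N are the
# SIDs Samba synthesises for Unix uids/gids that have no idmap entry.
sid_kind() {
    if ! is_sid "$1"; then echo invalid; return 0; fi
    case "$1" in
        S-1-22-1-*) echo unix-user ;;
        S-1-22-2-*) echo unix-group ;;
        S-1-5-21-*) echo domain-account ;;
        *)          echo well-known ;;
    esac
}

# Print the Unix uid or gid encoded in an S-1-22-* SID; fail for other SIDs.
unix_id_from_sid() {
    case "$(sid_kind "$1")" in
        unix-user|unix-group) echo "${1##*-}" ;;
        *) return 1 ;;
    esac
}

# Print the domain part (everything but the RID) of a domain account SID.
sid_domain() {
    [ "$(sid_kind "$1")" = domain-account ] || return 1
    echo "${1%-*}"
}

# Names for the well-known SIDs that appear in the ACL table of post #6.
well_known_name() {
    case "$1" in
        S-1-1-0) echo 'Everyone' ;;
        S-1-3-0) echo 'CREATOR OWNER' ;;
        S-1-3-1) echo 'CREATOR GROUP' ;;
        *)       echo 'unknown' ;;
    esac
}

# "wbinfo -n USER" prints "<SID> SID_USER (1)"; keep only the first field.
sid_from_wbinfo_line() {
    set -- $1
    echo "$1"
}

# One-line explanation of a SID; $2 is the local domain SID for comparison.
describe_sid() {
    sid=$1; domain=$2
    case "$(sid_kind "$sid")" in
        unix-user)  printf '%s  unmapped Unix uid %s (no idmap entry, so Windows shows the raw SID)\n' "$sid" "$(unix_id_from_sid "$sid")" ;;
        unix-group) printf '%s  unmapped Unix gid %s (no idmap entry)\n' "$sid" "$(unix_id_from_sid "$sid")" ;;
        domain-account)
            if [ -n "$domain" ] && [ "$(sid_domain "$sid")" != "$domain" ]; then
                printf '%s  account from a foreign domain\n' "$sid"
            else
                printf '%s  local domain account, RID %s\n' "$sid" "${sid##*-}"
            fi ;;
        well-known) printf '%s  well-known SID (%s)\n' "$sid" "$(well_known_name "$sid")" ;;
        *)          printf '%s  not a SID\n' "$sid" ;;
    esac
}

# Constructed input: the domain SID from "net groupmap list" and the
# principals seen in the Windows permissions dialog of post #6.
DOMAIN_SID=S-1-5-21-1480406318-1800422186-3920511979
for sid in S-1-1-0 S-1-22-1-1001 S-1-22-2-1000 S-1-3-0 S-1-3-1 "$DOMAIN_SID-1000"; do
    describe_sid "$sid" "$DOMAIN_SID"
done
describe_sid "$(sid_from_wbinfo_line 'S-1-5-21-1480406318-1800422186-3920511979-1104 SID_USER (1)')" "$DOMAIN_SID"
```

    Any S-1-22-* line in the output is an ACL entry that Windows cannot resolve to a domain account: the matching Unix id still needs an idmap entry (the usermap procedure from post #3) before "Domain Users" will show up on that file.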

  8. #8

    Re: Samba 4 userid mapping

    On 7/24/2013 11:35 PM, PV wrote:

    EDIT:

    Quote Originally Posted by nickninevah:
    > Now here is the problem: When I examine the shares on the windows
    > side, I can see that the top level folder has the group "Domain Users"
    > with full control permissions, which is what I wanted. But those
    > permissions do not propagate down to any subfolders. All the subfolders
    > and files do not have any permissions entry for "Domain Users". I know
    > some will tell me that samba only sets permission for the top level
    > folders. But I set the linux permissions so that all subfolders should
    > be readable, if I understand correctly.

    Have you set the setgid bit on the directories?
    Code:
    su -
    chmod g+s <path to directory>
    exit
    --
    P.V.
    "We're all in this together, I'm pulling for you" Red Green
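    An added check for the setgid suggestion above, written for this thread and not PV's code: it creates a scratch directory, sets g+s on it exactly as the post does, then makes a subdirectory and a file under it and reports whether the setgid bit was inherited and whether the new file took the parent's group. The function names (has_setgid, group_of, setgid_inheritance_check) are my own; the script assumes a Linux filesystem with the usual BSD-style group inheritance on setgid directories and needs no extra groups or privileges.

```shell
#!/bin/sh
# Added example, not from the thread: verify that the setgid bit on a share
# directory (chmod g+s) is inherited by new subdirectories and that new
# entries take the parent's group. Works in a scratch directory it removes.

# Return 0 if directory $1 carries the setgid bit (7th mode char is s or S).
has_setgid() {
    case "$(ls -ld "$1")" in
        d?????[sS]*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Print the group owner of path $1 as shown by ls -ld.
group_of() {
    ls -ld "$1" | awk '{ print $4 }'
}

# Create a setgid parent, then a child directory and a file inside it.
# Prints two words: inherited|not-inherited and same-group|different-group.
setgid_inheritance_check() {
    parent=$(mktemp -d) || return 1
    chmod 2770 "$parent"            # rwxrws--- : group rwx plus setgid, as in the post
    mkdir "$parent/child"           # created without asking for setgid
    : > "$parent/child/file.txt"
    if has_setgid "$parent/child"; then bit=inherited; else bit=not-inherited; fi
    if [ "$(group_of "$parent")" = "$(group_of "$parent/child/file.txt")" ]; then
        grp=same-group
    else
        grp=different-group
    fi
    rm -rf "$parent"
    echo "$bit $grp"
}

setgid_inheritance_check
```

    "inherited same-group" is the result the post is counting on: once the share root is setgid and group-owned by ntusers, folders created later through the share keep that group instead of the creating user's primary group.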

  9. #9

    Re: Samba 4 userid mapping

    Thanks for the info. I'll give it a try and let you know what happens. Once I get samba up and running, I do plan to write a full howto guide with a full list of references that I used. I am at the point right now where I can get a fully functional samba 4 server that only serves windows clients and users. Right now I'm working on the user mapping between samba and linux.

  10. #10

    Re: Samba 4 userid mapping

    I finished working on Samba 4.0. I wrote all my experiences into a single document. Since I can't add attachments to this post, I uploaded the files to a github repository. You can access it here:

    https://github.com/nickninevah/Samba4Doc.git

    It turns out that POSIX to ACL mapping is not possible in Samba 4.0 right now. They made a major shift in the underlying architecture for Samba 4.0, and the new architecture doesn't quite work yet.

    If you don't need to share files between windows and linux, Samba 4.0 works great. It maintains an independent set of file permissions strictly for the windows side. If you have an all windows user environment, Samba 4.0 can be a great replacement for Windows Server 2008. I'm sure it misses some of the more advanced features. But it definitely supports active directory and group policies.

    Although, I would wait at least another 6 months before starting any work on Samba 4.0. Much of the documentation that I used for the install was still being re-written in the last few days. And there are a few added pieces that I wish I knew when I started. My advice: wait until things stabilize more. Hopefully by then, they will have also implemented POSIX to ACL mapping. And Samba 4.0 will be absolutely awesome!
