From 70fa3ff473d4023b179d70ad71e2c36b328079c5 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Fri, 10 Jun 2005 19:25:20 +0000 Subject: A progress update - more to be fixed. (This used to be commit be3793e40199e268499f3494e64e3e98dfa4766a) --- docs/Samba-Guide/SBE-AddingUNIXClients.xml | 347 ++++++++++++----------------- 1 file changed, 139 insertions(+), 208 deletions(-) diff --git a/docs/Samba-Guide/SBE-AddingUNIXClients.xml b/docs/Samba-Guide/SBE-AddingUNIXClients.xml index 28311f0a9a..8950cdb714 100644 --- a/docs/Samba-Guide/SBE-AddingUNIXClients.xml +++ b/docs/Samba-Guide/SBE-AddingUNIXClients.xml @@ -190,41 +190,32 @@ casual user. - - winbind enable local accounts - - Domain Member - servers - - Domain Controllers - + + winbind enable local accounts + Domain Memberservers + Domain Controllers If you wish to make use of accounts (users and/or groups) that are local to (i.e., capable of being resolved using) the NSS facility, it is imperative to use the Yes in the &smb.conf; file. This parameter specifically applies only to domain controllers, not to domain member servers. + - - Posix accounts - - Samba accounts - - LDAP - + + Posix accounts + Samba accounts + LDAP For many administrators, it should be plain that the use of an LDAP-based repository for all network accounts (both for POSIX accounts and for Samba accounts) provides the most elegant and controllable facility. You eventually appreciate the decision to use LDAP. - - nss_ldap - - identifiers - - resolve - + + nss_ldap + identifiers + resolve If your network account information resides in an LDAP repository, you should use it ahead of any alternative method. This means that if it is humanly possible to use the nss_ldap tools to resolve UNIX account UIDs/GIDs via LDAP, this is the preferred solution, because it provides 
@@ -232,20 +223,13 @@ throughout the network. - - Domain Member - server - - winbind trusted domains only - - getpwnam - - smbd - - Trusted Domains - - External Domains - + + Domain Memberserver + winbind trusted domains only + getpwnam + smbd + Trusted Domains + External Domains In the situation where UNIX accounts are held on the domain member server itself, the only effective way to use them involves the &smb.conf; entry Yes. This forces @@ -254,17 +238,12 @@ disables the use of Samba with trusted domains (i.e., external domains). - - appliance mode - - Domain Member - server - - winbindd - - automatically allocate - - Winbind can be used to create an appliance mode domain member server. In this capacity, winbindd + + appliance mode + Domain Memberserver + winbindd + automatically allocate + Winbind can be used to create an appliance mode domain member server. In this capacity, winbindd is configured to automatically allocate UIDs/GIDs from numeric ranges set in the &smb.conf; file. The allocation is made for all accounts that connect to that domain member server, whether within its own domain or from trusted domains. If not stored in an LDAP backend, each domain member maintains its own unique mapping database. @@ -273,9 +252,8 @@ is stored in the winbindd_idmap.tdb and winbindd_cache.tdb files. - - mapping - + + mapping The use of an LDAP backend for the Winbind IDMAP facility permits Windows domain SIDs mappings to UIDs/GIDs to be stored centrally. The result is a consistent mapping across all domain member servers so configured. This solves one of the major headaches for network administrators who need to copy 
@@ -287,16 +265,11 @@ Political Issues - - OpenLDAP - - NIS - - yellow pages - NIS - - identity management - + + OpenLDAP + NIS + yellow pagesNIS + identity management One of the most fierce conflicts recently being waged is resistance to the adoption of LDAP, in particular OpenLDAP, as a replacement for UNIX NIS (previously called Yellow Pages). Let's face it, LDAP is different and requires a new approach to the need for a better identity management solution. The more @@ -311,11 +284,9 @@ commercial integration products. But it's not what Active Directory was designed for. - - directory - - management - + + directory + management A number of long-term UNIX devotees have recently commented in various communications that the Samba Team is the first application group to almost force network administrators to use LDAP. It should be pointed out that we resisted this for as long as we could. It is not out of laziness or malice that LDAP has @@ -330,25 +301,18 @@ Implementation - - Domain Member - server - - Domain Member - client - - Domain Controller - + + Domain Memberserver + Domain Memberclient + Domain Controller The domain member server and the domain member client are at the center of focus in this chapter. Configuration of Samba-3 domain controller is covered in earlier chapters, so if your interest is in domain controller configuration, you will not find that here. You will find good oil that helps you to add domain member servers and clients. - - Domain Member - workstations - + + Domain Memberworkstations In practice, domain member servers and domain member workstations are very different entities, but in terms of technology they share similar core infrastructure. A technologist would argue that servers and workstations are identical. Many users would argue otherwise, given that in a well-disciplined 
@@ -357,22 +321,18 @@ but a server is viewed as a core component of the business. - - workstation - + + workstation We can look at this another way. If a workstation breaks down, one user is affected, but if a server breaks down, hundreds of users may not be able to work. The services that a workstation must provide are document- and file-production oriented; a server provides information storage and is distribution oriented. - - authentication process - - logon process - - user identities - + + authentication process + logon process + user identities Why is this important? For starters, we must identify what components of the operating system and its environment must be configured. Also, it is necessary to recognize where the interdependencies between the various services to be used are. 
@@ -388,52 +348,52 @@ - Samba Domain with Samba Domain Member Server &smbmdash; Using LDAP + Samba Domain with Samba Domain Member Server &smbmdash; Using NSS LDAP - - ldapsam - - ldapsam backend - - IDMAP - - mapping - consistent - - winbindd - - foreign SID - + + ldapsam + ldapsam backend + IDMAP + mappingconsistent + winbindd + foreign SID In this example, it is assumed that you have Samba PDC/BDC servers. This means you are using an LDAP ldapsam backend. We are adding to the LDAP backend database (directory) containers for use by the IDMAP facility. This makes it possible to have globally consistent - mapping of SIDs to and from UIDs and GIDs. This means that you are running winbindd - as part of your configuration. The primary purpose of running winbindd (within - this operational context) is to permit mapping of foreign SIDs (those not originating from our - own domain). Foreign SIDs can come from any external domain or from Windows clients that do not - belong to a domain. + mapping of SIDs to and from UIDs and GIDs. This means that it is necessary to run + winbindd as part of your configuration. The primary purpose of running + winbindd (within this operational context) is to permit mapping of foreign + SIDs (those not originating from the the local Samba server). Foreign SIDs can come from any + domain member client or server, or from Windows clients that do not belong to a domain. Another + way to explain the necessity to run winbindd is that Samba can locally + resolve only accounts that belong to the security context of its own machine SID. Winbind + handles all non-local SIDs and maps them to a local UID/GID value. The UID and GID are allocated + from the parameter values set in the &smb.conf; file for the idmap uid and + idmap gid ranges. Where LDAP is used, the mappings can be stored in LDAP + so that all domain member servers can use a consistent mapping. 
- - winbindd - - getpwnam - - NSS - - If your installation is accessed only from clients that are members of your own domain, then - it is not necessary to run winbindd as long as all users can be resolved - locally via the getpwnam() system call. On NSS-enabled systems, this condition - is met by having + + winbindd + getpwnam + NSS + If your installation is accessed only from clients that are members of your own domain, and all + user accounts are present in a local passdb backend then it is not necessary to run + winbindd. The local passdb backend can be in smbpasswd, tdbsam, or in ldapsam. + + + + It is possible to use a local passdb backend with any convenient means of resolving the POSIX + user and group account information. The POSIX information is usually obtained using the + getpwnam() system call. On NSS-enabled systems, the actual POSIX account + source can be provided from - - /etc/passwd - - /etc/group - - All accounts in /etc/passwd or in /etc/group. + + /etc/passwd + /etc/group + Accounts in /etc/passwd or in /etc/group. @@ -455,6 +415,12 @@ + + To advoid confusion the use of the term local passdb backend means that + the user account backend is not shared by any other Samba server &smbmdash; instead, it is + used only locally on the Samba domain member server under discussion. + + Identity resolution The diagram in demonstrates the relationship of Samba and system @@ -467,11 +433,9 @@ chap9-SambaDC - - IDMAP - - foreign - + + IDMAP + foreign In this example configuration, Samba will directly search the LDAP-based passwd backend ldapsam to obtain authentication and user identity information. The IDMAP information is stored in the LDAP backend so that it can be shared by all domain member servers so that every user will have a 
@@ -487,16 +451,15 @@ - Configuration of LDAP-Based Identity Resolution + Configuration of NSS_LDAP-Based Identity Resolution Create the &smb.conf; file as shown in . Locate this file in the directory /etc/samba. - - ldap.conf - + + ldap.conf Configure the file that will be used by nss_ldap to locate and communicate with the LDAP server. This file is called ldap.conf. If your implementation of nss_ldap is consistent with @@ -517,11 +480,9 @@ in . - - Identity resolution - - getent - + + Identity resolution + getent Before proceeding to configure Samba, validate the operation of the NSS identity resolution via LDAP by executing: @@ -556,13 +517,9 @@ Finances:x:1001: PIOps:x:1002: sammy:x:4321: - - secondary group - - primary group - - group membership - + secondary group + primary group + group membership This shows that all is working as it should be. Notice that in the LDAP database the users' primary and secondary group memberships are identical. It is not necessary to add secondary group memberships (in the group database) if the @@ -571,9 +528,8 @@ sammy:x:4321: doubling up of group memberships and may break winbind under certain conditions. - - slapcat - + + slapcat The LDAP directory must have a container object for IDMAP data. There are several ways you can check that your LDAP database is able to receive IDMAP information. One of the simplest is to execute: @@ -582,11 +538,10 @@ sammy:x:4321: dn: ou=Idmap,dc=abmas,dc=biz ou: idmap - - ldapadd - - If the execution of this command does not return IDMAP entries, you need to create an LDIF - template file (see ). You can add the required entries using the following command: + ldapadd + If the execution of this command does not return IDMAP entries, you need to create an LDIF + template file (see ). You can add the required entries using + the following command: &rootprompt; ldapadd -x -D "cn=Manager,dc=abmas,dc=biz" \ -w not24get < /etc/openldap/idmap.LDIF 
@@ -594,13 +549,9 @@ ou: idmap Samba automatically populates this LDAP directory container when it needs to. - - net - rpc - join - - Domain join - + + netrpcjoin + Domain join The system is ready to join the domain. Execute the following: &rootprompt; net rpc join -U root%not24get @@ -817,16 +768,14 @@ aliases: files domain and/or does not use LDAP. - - duplicate accounts - + + duplicate accounts If you use winbind for identity resolution, make sure that there are no duplicate accounts. - - /etc/passwd - + + /etc/passwd For example, do not have more than one account that has UID=0 in the password database. If there is an account called root in the /etc/passwd database, it is okay to have an account called root in the LDAP ldapsam or in the @@ -835,29 +784,20 @@ aliases: files root. - - /etc/passwd - - ldapsam - - tdbsam - + + /etc/passwd + ldapsam + tdbsam Winbind will break if there is an account in /etc/passwd that has the same UID as an account that is in LDAP ldapsam (or in tdbsam) but that differs in name only. - - credentials - - traverse - - wide-area - - network - wide-area - - tdbdump - + + credentials + traverse + wide-area + networkwide-area + tdbdump The following configuration uses CIFS/SMB protocols alone to obtain user and group credentials. The winbind information is locally cached in the winbindd_cache.tdb winbindd_idmap.tdb files. This provides considerable performance benefits compared with the LDAP solution, particularly @@ -874,18 +814,14 @@ aliases: files shown in . - - /etc/nsswitch.conf - + + /etc/nsswitch.conf Edit the /etc/nsswitch.conf so it has the entries shown in . - - net - rpc - join - + + netrpcjoin The system is ready to join the domain. Execute the following: net rpc join -U root%not2g4et @@ -895,11 +831,8 @@ Joined domain MEGANET2. - - winbind - - wbinfo - + + winbindwbinfo Validate operation of winbind using the wbinfo tool as follows: 
@@ -977,6 +910,7 @@ MEGANET2+PIOps:x:10005: The Samba member server of a Windows NT4 domain is ready for use. + @@ -1059,7 +993,7 @@ MEGANET2+PIOps:x:10005: net rpc join -U root%not24get Joined domain MEGANET2. - This indicates that the domain join succeed. + This indicates that the domain join succeed. @@ -1174,9 +1108,8 @@ Joined domain MEGANET2. Joining a Samba Server as an ADS Domain Member - - smbd - + + smbd Before you try to use Samba-3, you want to know for certain that your executables have support for Kerberos and for LDAP. Execute the following to identify whether or not this build is perhaps suitable for use: @@ -1492,11 +1425,8 @@ Server time offset: 2 In any case, the output we obtained confirms that all systems are operational. - - net - ads - status - + + netadsstatus There is one more action you elect to take, just because you are paranoid and disbelieving, so you execute the following command: @@ -1577,6 +1507,7 @@ Permissions: called FRAN is able to communicate fully with the ADS domain controllers. + -- cgit
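Review bot: the rewritten paragraph in the hunk at @@ -388,52 +348,52 @@ has a doubled article, "those not originating from the the local Samba server", and the new sentence "If your installation is accessed only from clients that are members of your own domain, and all user accounts are present in a local passdb backend then it is not necessary to run winbindd" needs a comma before "then". The same paragraph now says twice that LDAP storage gives a consistent mapping ("This makes it possible to have globally consistent mapping of SIDs to and from UIDs and GIDs" and, later, "Where LDAP is used, the mappings can be stored in LDAP so that all domain member servers can use a consistent mapping"); one of the two could go. Since the text now names the idmap uid and idmap gid parameters as the source of the allocated ranges, a cross-reference to the &smb.conf; example that sets them would help the reader find the values.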
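Review bot: typo in the added paragraph in the hunk at @@ -455,6 +415,12 @@: "To advoid confusion" should read "To avoid confusion". The paragraph otherwise makes a useful distinction, but it would fit better immediately after the first use of the phrase "local passdb backend" in the preceding hunk rather than after the list of NSS sources, where the term has already been used several times without definition.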
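Review bot: the section title changed in the hunk at @@ -487,16 +451,15 @@ uses "NSS_LDAP" in upper case with an underscore, while the body text in the same region and the earlier changed title ("Using NSS LDAP") refer to the package as nss_ldap or NSS LDAP; pick one spelling for headings and body. The reflowed sentence in the hunk at @@ -582,11 +538,10 @@ still directs readers to a command that places the directory manager password on the command line (`ldapadd -x -D "cn=Manager,dc=abmas,dc=biz" -w not24get`), where it is visible to any local user via the process list and may land in shell history; since the sentence is being rewritten anyway, consider recommending `-W` (prompt for the password) or `-y` with a password file in the surrounding text.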
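Review bot: the unchanged context line `net rpc join -U root%not2g4et` in the hunk at @@ -874,18 +814,14 @@ uses a different password from the `not24get` that every other example in this chapter uses (including the `net rpc join -U root%not24get` shown in the hunk at @@ -594,13 +549,9 @@ and the later NT4 example); a reader copying the command as printed will get a failed join. Worth correcting while this region is being edited.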
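Review bot: the line touched in the hunk at @@ -1059,7 +993,7 @@ is removed and re-added with the same wording, "This indicates that the domain join succeed."; since it is being rewritten anyway, fix the grammar to "succeeded".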