Saturday, February 16, 2008

Authenticating Linux to AD using idmap_rid with base_rid

I only paste my smb.conf here, which I think may be useful for others. This smb.conf works fine on RHEL4-U6 and RHEL5 and uses the idmap_rid module for mapping AD user/group SIDs to Linux uids/gids. The idmap_rid plugin generates the uid/gid for an AD user by subtracting the configured base_rid from the user's RID and then adding the configured minimum of the range. For example:

Suppose I define the idmap config range as "1500 - 10000" in my smb.conf, set base_rid to 500, and the RID of the AD user is 1546; then the uid of that user would be 1546 - 500 + 1500, which is 2546.

The SID for user "u1" would look like the following.

# wbinfo -n u1
S-1-5-21-2913803998-3319354983-1616611311-1106 User (1)

Here the RID of u1 is 1106, and his uid is 1106 - 500 + 1500, which is 2106.

In this configuration we assume that our AD domain is test.example.com.

[global]
workgroup = WORKGROUP
netbios name = netbiosname
realm = REALM
server string = RHEL4 Test Server
security = ads
password server =
log file = /var/log/samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
printcap name = /etc/printcap
idmap domains = EXAMPLE
idmap config EXAMPLE: default = yes
idmap config EXAMPLE: backend = rid
idmap config EXAMPLE: base_rid = 500
idmap config EXAMPLE: range = 1500-10000
winbind separator = +
winbind use default domain = yes
cups options = raw
winbind nss info = rfc2307 sfu template

[homes]
comment = Home Directories
read only = No
browseable = No

[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No

Configure /etc/krb5.conf appropriately if using Kerberos for authentication.

Join the system to the Active Directory domain.

# net ads join -U administrator

Run authconfig and choose winbind for the name service and Kerberos for authentication. Don't join the system to the domain in this step, since we have already joined it.

Restart winbind. Now every AD user should be able to log in to the Linux system.

Wednesday, February 13, 2008

Another configuration with idmap_rid without specifying base_rid

I only paste my smb.conf here, which I think may be useful for others. This smb.conf works fine on RHEL4-U6 and RHEL5 and uses the idmap_rid module for mapping AD user/group SIDs to Linux uids/gids. Without a base_rid, the idmap_rid plugin generates the uid/gid for an AD user by adding the configured minimum of the range to the user's RID. For example:

Suppose I define the idmap config range as "1500 - 10000" in my smb.conf and the RID of the AD user is 1546; then the uid of that user would be 1500 + 1546, which is 3046.

The SID for user "u1" would look like the following.

# wbinfo -n u1
S-1-5-21-2913803998-3319354983-1616611311-1106 User (1)

Here the RID of u1 is 1106, and his uid is 1500 + 1106, which is 2606.

In this configuration we assume that our AD domain is test.example.com.

[global]
workgroup = WORKGROUP
netbios name = netbiosname
realm = REALM
server string = RHEL4 Test Server
security = ads
password server =
log file = /var/log/samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
printcap name = /etc/printcap
idmap domains = EXAMPLE
idmap config EXAMPLE: default = yes
idmap config EXAMPLE: backend = rid
idmap config EXAMPLE: range = 1500-10000
winbind separator = +
winbind use default domain = yes
cups options = raw
winbind nss info = rfc2307 sfu template

[homes]
comment = Home Directories
read only = No
browseable = No

[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No

Configure /etc/krb5.conf appropriately if using Kerberos for authentication.

Join the system to the Active Directory domain.

# net ads join -U administrator

Run authconfig and choose winbind for the name service and Kerberos for authentication. Don't join the system to the domain in this step, since we have already joined it.

Restart winbind. Now every AD user should be able to log in to the Linux system.

Sunday, February 3, 2008

Samba - How to authenticate a Linux system via winbind using idmap_rid

I only paste my smb.conf here, which I think may be useful for others. This smb.conf works fine on RHEL4-U6 and RHEL5 and uses the idmap_rid module for mapping AD user/group SIDs to Linux uids/gids. The idmap_rid plugin generates the uid/gid for an AD user by adding a configurable base value to the user's RID. For example:

Suppose I define "idmap uid = 1500 - 10000" in my smb.conf and the RID of the AD user is 1546; then the uid of that user would be 1500 + 1546, which is 3046. If there are multiple trusted domains, this smb.conf wouldn't work; I will write a separate post for that.

The SID for user "u1" would look like the following.

# wbinfo -n u1
S-1-5-21-2913803998-3319354983-1616611311-1106 User (1)

Here the RID of u1 is 1106.
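The RID arithmetic described in all three posts (with and without base_rid), as an added example that is not the author's or Samba's own code: it extracts the RID from a SID as printed by wbinfo -n, reads range and base_rid from a constructed smb.conf fragment in the "idmap config DOMAIN:" form of the first two posts, and reproduces the uids worked out above. The function names (rid_from_sid, idmap_params, rid_to_id, sid_to_id) are my own; the one thing it shows beyond the posts is that idmap_rid leaves a SID unmapped, rather than wrapping or clamping, when the computed id falls outside the configured range, so the range must be sized for the highest RID in the domain.

```python
import re

# Constructed smb.conf fragment in the 'idmap config DOMAIN:' form of the posts.
SMBCONF = """
idmap config EXAMPLE: backend = rid
idmap config EXAMPLE: base_rid = 500
idmap config EXAMPLE: range = 1500-10000
"""

SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-(\d+)$")

def rid_from_sid(sid):
    """RID (last sub-authority) of a domain SID as printed by 'wbinfo -n'."""
    m = SID_RE.match(sid.strip())
    if not m:
        raise ValueError("not a domain SID: %r" % sid)
    return int(m.group(1))

def idmap_params(text, domain):
    """(low, high, base_rid) for `domain`; base_rid defaults to 0 when unset."""
    low = high = None
    base_rid = 0
    for line in text.splitlines():
        m = re.match(r"\s*idmap config (\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", line)
        if not m or m.group(1).upper() != domain.upper():
            continue
        key, value = m.group(2), m.group(3)
        if key == "range":                      # "1500-10000" or "1500 - 10000"
            low, high = (int(v) for v in re.split(r"\s*-\s*", value))
        elif key == "base_rid":
            base_rid = int(value)
    if low is None:
        raise ValueError("no idmap range for domain %s" % domain)
    return low, high, base_rid

def rid_to_id(rid, low, high, base_rid=0):
    """idmap_rid arithmetic: id = rid - base_rid + low.
    Returns None when the result leaves [low, high]: idmap_rid leaves such
    SIDs unmapped rather than wrapping or clamping, so size the range for
    the highest RID the domain will ever hand out."""
    xid = rid - base_rid + low
    if xid < low or xid > high:
        return None
    return xid

def sid_to_id(sid, smbconf_text=SMBCONF, domain="EXAMPLE"):
    """End to end: SID string plus smb.conf text -> uid/gid, or None."""
    low, high, base_rid = idmap_params(smbconf_text, domain)
    return rid_to_id(rid_from_sid(sid), low, high, base_rid)
```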

In this configuration we assume that our AD domain is test.example.com.

[global]
workgroup = WORKGROUP
netbios name = netbiosname
realm = REALM
server string = RHEL4 Test Server
security = ads
password server =
log file = /var/log/samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
printcap name = /etc/printcap
idmap backend = idmap_rid:EXAMPLE=1500-100000
idmap uid = 1500-100000
idmap gid = 1500-100000
allow trusted domains = no
winbind separator = +
winbind use default domain = yes
cups options = raw
winbind nss info = rfc2307 sfu template

[homes]
comment = Home Directories
read only = No
browseable = No

[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No

Configure /etc/krb5.conf appropriately if using Kerberos for authentication.

Join the system to the Active Directory domain.

# net ads join -U administrator

Run authconfig and choose winbind for the name service and Kerberos for authentication. Don't join the system to the domain in this step, since we have already joined it.

Restart winbind. Now every AD user should be able to log in to the Linux system.