
Bug #28209

Add unix_primary_group and unix_nss_info to idmap_ad configuration to address how Samba now handles groups

Added by Charles West about 1 year ago. Updated 9 months ago.

Status:
Done
Priority:
Important
Assignee:
John Hixson
Category:
OS
Target version:
Seen in:
Severity:
Medium
Reason for Closing:
Reason for Blocked:
Needs QA:
No
Needs Doc:
No
Needs Merging:
No
Needs Automation:
No
Support Suite Ticket:
n/a
Hardware Configuration:
ChangeLog Required:
No

Description

Samba authentication using the 'ad' backend and gid user/group attributes worked in 9.10.2, but is broken in 11.1-U1 for users relying on the gidNumber LDAP attribute. It appears Samba was upgraded from 4.5.5 to 4.7.0 between 9.10.2 and 11.1-U1. The Samba wiki identifies a difference in the way that it handles groups starting in 4.6.0 (see https://wiki.samba.org/index.php/Idmap_config_ad#The_RFC2307_and_template_Mode_Options).

With Samba's new unix_primary_group default setting, the primaryGroupID attribute is used to determine the gid for users, and not the gidNumber. The primaryGroupID is set to the last part of the AD group's ObjectSid. The ObjectSid is read-only and cannot be modified, which results in AD users not being recognized by Samba when their primary group's ObjectSid falls outside the idmap config range.

Using the Web UI-generated /usr/local/etc/smb4.conf, my AD groups are presented via getent group because the gidNumber I assigned them falls within the idmap config range. My AD users are not presented via getent passwd since their primary group's ObjectSid falls outside the idmap config range. After adding the line "idmap config MYDOMAIN: unix_primary_group = yes" to /usr/local/etc/smb4.conf and running /usr/local/etc/rc.d/samba_server restart, I can now see the AD users and assign permissions to them within FreeNAS.

It seems that this is largely a Samba issue, since with default settings Samba would seemingly break their own multi-domain integration with non-overlapping ranges due to arbitrarily assigned ObjectSid values. However, it would be extremely helpful if FreeNAS could guard against this issue by inserting MYDOMAIN: unix_primary_group = no into smb4.conf and providing a deterministic way to import users and groups from AD into FreeNAS.

Is it possible to get MYDOMAIN: unix_primary_group = no added to smb4.conf to accommodate the 'ad' backend? I'm willing to test other workarounds. Thanks!

PS: Please let me know if any of my assertions are incorrect. For my setup, I have multiple users and groups all configured with uidNumber, gidNumber, loginShell, and unixHomeDirectory attributes defined, added to the Global Catalog, etc. I'm using a "stock" Windows Server 2016 domain controller. Users and groups are defined, but no Group Policy, OUs, or anything fancy(TM).
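As an added example (not part of the bug report or of the FreeNAS code), the following Python checker reads an smb4.conf fragment and flags 'ad' backend domains that do not set unix_primary_group / unix_nss_info, plus overlapping idmap ranges between domains. The domain names, ranges and the sample config are constructed for illustration.

```python
"""Audit 'idmap config' lines in an smb4.conf for the Samba >= 4.6 group-handling issue."""
import re

# Constructed sample config (not from the report): MYDOMAIN carries the fix,
# OTHERDOM does not and its range also overlaps MYDOMAIN's.
SAMPLE_SMB4_CONF = """
[global]
    workgroup = MYDOMAIN
    security = ads
    idmap config * : backend = tdb
    idmap config * : range = 90000001-100000000
    idmap config MYDOMAIN : backend = ad
    idmap config MYDOMAIN : range = 10000-90000000
    idmap config MYDOMAIN : unix_primary_group = yes
    idmap config MYDOMAIN : unix_nss_info = yes
    idmap config OTHERDOM : backend = ad
    idmap config OTHERDOM : range = 10000-20000
"""

IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
TRUE_VALUES = ("yes", "true", "1")  # Samba boolean spellings

def parse_idmap_config(text):
    """Return {DOMAIN: {param: value}} from 'idmap config DOMAIN : param = value' lines."""
    domains = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domains.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3)
    return domains

def parse_range(value):
    """'10000-90000000' -> (10000, 90000000)."""
    lo, hi = (int(x) for x in value.split("-"))
    return lo, hi

def audit(domains):
    """Return (domain, message) findings for ad-backend domains and range overlaps."""
    findings = []
    for dom, params in domains.items():
        if params.get("backend", "").lower() != "ad":
            continue
        if params.get("unix_primary_group", "no").lower() not in TRUE_VALUES:
            findings.append((dom, "unix_primary_group not enabled: gid taken from primaryGroupID, not gidNumber"))
        if params.get("unix_nss_info", "no").lower() not in TRUE_VALUES:
            findings.append((dom, "unix_nss_info not enabled: loginShell/unixHomeDirectory from AD ignored"))
    ranges = {d: parse_range(p["range"]) for d, p in domains.items() if "range" in p}
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:  # non-overlapping ranges are required per domain
                findings.append((a, f"range overlaps with {b}"))
    return findings

if __name__ == "__main__":
    for dom, msg in audit(parse_idmap_config(SAMPLE_SMB4_CONF)):
        print(f"{dom}: {msg}")
```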


Related issues

Copied to FreeNAS - Bug #40708: Add unix_primary_group and unix_nss_info to idmap_ad configuration to address how Samba now handles groups (Done)

Associated revisions

Revision 1c151e30 (diff)
Added by John Hixson 10 months ago

Add unix_primary_group and unix_nss_info to idmap_ad configuration

Ticket: #28209

Revision 1dfc20db (diff)
Added by John Hixson 9 months ago

Add unix_primary_group and unix_nss_info to idmap_ad configuration

Ticket: #28209
(cherry picked from commit 1c151e301cf88552be5b833cb3767e52942c9d88)

(11.1-stable)
Ticket: #40708

History

#1 Updated by Dru Lavigne about 1 year ago

  • Category changed from Middleware to OS
  • Assignee changed from Release Council to John Hixson
  • Target version set to 11.2-RC2

#2 Updated by John Hixson about 1 year ago

  • Assignee changed from John Hixson to Timur Bakeyev

#3 Updated by Timur Bakeyev 12 months ago

  • Severity set to Medium

#4 Updated by John Hixson 10 months ago

  • Assignee changed from Timur Bakeyev to John Hixson

#5 Updated by John Hixson 10 months ago

This is a simple fix. Coming soon.

#7 Updated by John Hixson 10 months ago

  • Status changed from Not Started to Ready for Testing

#8 Updated by Dru Lavigne 10 months ago

  • Subject changed from Samba 'ad' idmap group handling prevents user import to Add unix_primary_group and unix_nss_info to idmap_ad configuration to address how Samba now handles groups
  • Status changed from Ready for Testing to In Progress

#9 Updated by Dru Lavigne 10 months ago

  • Target version changed from 11.2-RC2 to 11.2-BETA2

#10 Updated by John Hixson 10 months ago

  • Status changed from In Progress to Ready for Testing

#11 Updated by Dru Lavigne 10 months ago

  • Status changed from Ready for Testing to In Progress

#12 Updated by John Hixson 9 months ago

  • Status changed from In Progress to Ready for Testing

#13 Updated by Dru Lavigne 9 months ago

  • Needs Doc changed from Yes to No
  • Needs Merging changed from Yes to No

#15 Updated by John Hixson 9 months ago

Charles, this code is currently in 11.2BETA (or the nightlies). Can you verify this is working for you?

#16 Updated by Bonnie Follweiler 9 months ago

  • Status changed from Ready for Testing to Passed Testing
  • Needs QA changed from Yes to No

#18 Updated by Dru Lavigne 9 months ago

  • Status changed from Passed Testing to Done

#19 Updated by John Hixson 9 months ago

  • Copied to Bug #40708: Add unix_primary_group and unix_nss_info to idmap_ad configuration to address how Samba now handles groups added
