Bug #40708

Add unix_primary_group and unix_nss_info to idmap_ad configuration to address how Samba now handles groups

Added by John Hixson 12 months ago. Updated 12 months ago.

Status:
Done
Priority:
Important
Assignee:
John Hixson
Category:
OS
Target version:
Seen in:
Severity:
Medium
Reason for Closing:
Reason for Blocked:
Needs QA:
No
Needs Doc:
No
Needs Merging:
No
Needs Automation:
No
Support Suite Ticket:
n/a
Hardware Configuration:
ChangeLog Required:
No

Description

Samba authentication using the 'ad' backend and gid user/group attributes worked in 9.10.2, but is broken in 11.1-U1 for users relying on the gidNumber LDAP attribute. It appears Samba was upgraded from 4.5.5 to 4.7.0 between 9.10.2 and 11.1-U1. The Samba wiki identifies a difference in the way that it handles groups starting in 4.6.0 (see https://wiki.samba.org/index.php/Idmap_config_ad#The_RFC2307_and_template_Mode_Options).

With Samba's new unix_primary_group default setting, the primaryGroupID attribute is used to determine the gid for users, and not the gidNumber. The primaryGroupID is set to the last part of the AD group's ObjectSid. The ObjectSid is read-only and cannot be modified, which results in AD users not being recognized by Samba when their primary group's ObjectSid falls outside the idmap config range.

Using the Web UI-generated /usr/local/etc/smb4.conf, my AD groups are presented via getent group because the gidNumber I assigned them falls within the idmap config range. My AD users are not presented via getent passwd since their primary group's ObjectSid falls outside the idmap config range. After adding an "idmap config MYDOMAIN: unix_primary_group = yes" line to /usr/local/etc/smb4.conf and running /usr/local/etc/rc.d/samba_server restart, I can now see the AD users and assign permissions to them within FreeNAS.

It seems that this is largely a Samba issue, since with default settings Samba would seemingly break their own multi-domain integration with non-overlapping ranges due to arbitrarily assigned ObjectSid values. However, it would be extremely helpful if FreeNAS could guard against this issue by inserting MYDOMAIN: unix_primary_group = no into smb4.conf and providing a deterministic way to import users and groups from AD into FreeNAS.

Is it possible to get MYDOMAIN: unix_primary_group = no added to smb4.conf to accommodate the 'ad' backend? I'm willing to test other workarounds. Thanks!

PS: Please let me know if any of my assertions are incorrect. For my setup, I have multiple users and groups all configured with uidNumber, gidNumber, loginShell, and unixHomeDirectory attributes defined, added to the Global Catalog, etc. I'm using a "stock" Windows Server 2016 domain controller. Users and groups are defined, but no Group Policy, OUs, or anything fancy(TM).
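The two idmap modes the report contrasts, written out as an added smb4.conf example. This is not the FreeNAS-generated file, the reporter's configuration, or a Samba project sample; the domain name MYDOMAIN, the workgroup and template lines, and both ID ranges are assumptions chosen for illustration. The parameter meanings follow the Samba idmap_ad documentation: with the 4.6+ default (unix_primary_group = no) the user's primary group comes from primaryGroupID, with yes it comes from the user's gidNumber attribute, and unix_nss_info = yes pulls loginShell and unixHomeDirectory from AD instead of the template settings.

```ini
# Added example of an smb4.conf idmap block for the 'ad' backend, not the
# FreeNAS-generated file. MYDOMAIN, the workgroup line, the template lines
# and both ID ranges are assumptions for illustration.
[global]
    security = ads
    workgroup = MYDOMAIN
    winbind use default domain = yes

    # Default backend for built-in SIDs and any domain not listed below.
    # Its range must not overlap the domain range.
    idmap config * : backend = tdb
    idmap config * : range = 90000001-90010000

    # Domain-specific mapping from the RFC2307 attributes stored in AD
    # (uidNumber, gidNumber, and with unix_nss_info also loginShell and
    # unixHomeDirectory).
    idmap config MYDOMAIN : backend = ad
    idmap config MYDOMAIN : schema_mode = rfc2307
    idmap config MYDOMAIN : range = 10000-19999

    # Samba 4.6+ default ('no'): the user's primary group is resolved from
    # primaryGroupID, i.e. the RID of the group's ObjectSid, not from the
    # user's gidNumber. This is the behaviour the report describes as
    # breaking getent passwd for users whose primary group is out of range.
    #idmap config MYDOMAIN : unix_primary_group = no

    # Setting the reporter added by hand and that this ticket makes
    # configurable: take the primary group from the user's gidNumber
    # attribute, which the administrator controls and can keep in range.
    idmap config MYDOMAIN : unix_primary_group = yes

    # Also added by this ticket: take loginShell and unixHomeDirectory
    # from AD instead of the template values below.
    idmap config MYDOMAIN : unix_nss_info = yes

    # Only used when unix_nss_info = no; kept as the fallback.
    template shell = /bin/sh
    template homedir = /home/%D/%U
```

After changing the file, check the merged configuration with "testparm -s", restart Samba, and confirm resolution with "getent passwd", "id" and "wbinfo -i" for an AD user whose primary group is one you assigned a gidNumber to. Note that FreeNAS regenerates smb4.conf from the Web UI settings, so a hand edit such as the reporter's lasts only until the next regeneration; the associated revisions on this ticket are what make the two options part of the generated file.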


Related issues

Copied from FreeNAS - Bug #28209: Add unix_primary_group and unix_nss_info to idmap_ad configuration to address how Samba now handles groups (Done)

Associated revisions

Revision 1dfc20db (diff)
Added by John Hixson 12 months ago

Add unix_primary_group and unix_nss_info to idmap_ad configuration

Ticket: #28209
(cherry picked from commit 1c151e301cf88552be5b833cb3767e52942c9d88)

(11.1-stable)
Ticket: #40708

Revision 9d146a09 (diff)
Added by John Hixson 12 months ago

flake8 happiness

(cherry picked from commit 98d3eb1f86ccfcd109b6ed9b25bc4e86e6971cb6)

(11.1-stable)
Ticket: #40708

History

#1 Updated by John Hixson 12 months ago

  • Copied from Bug #28209: Add unix_primary_group and unix_nss_info to idmap_ad configuration to address how Samba now handles groups added

#2 Updated by John Hixson 12 months ago

#3 Updated by Dru Lavigne 12 months ago

  • Status changed from Unscreened to In Progress
  • Needs QA changed from No to Yes
  • Needs Merging changed from No to Yes

#4 Updated by Dru Lavigne 12 months ago

  • Status changed from In Progress to Ready for Testing
  • Needs Merging changed from Yes to No

#5 Updated by Dru Lavigne 12 months ago

  • Status changed from Ready for Testing to Done
  • Needs QA changed from Yes to No
