Bug #40708
Add unix_primary_group and unix_nss_info to idmap_ad configuration to address how Samba now handles groups
Description
Samba authentication using the 'ad' backend and gid user/group attributes worked in 9.10.2, but is broken in 11.1-U1 for users relying on the gidNumber
LDAP attribute. It appears Samba was upgraded from 4.5.5 to 4.7.0 between 9.10.2 and 11.1-U1. The Samba wiki identifies a difference in the way that it handles groups starting in 4.6.0 (see https://wiki.samba.org/index.php/Idmap_config_ad#The_RFC2307_and_template_Mode_Options).
With Samba's new unix_primary_group default setting, the primaryGroupID attribute is used to determine the gid for users, and not the gidNumber. The primaryGroupID is set to the last part of the AD group's ObjectSid. The ObjectSid is read-only and cannot be modified, which results in AD users not being recognized by Samba when their primary group's ObjectSid falls outside the idmap config range.
Using the Web UI-generated /usr/local/etc/smb4.conf, my AD groups are presented via getent group because the gidNumber I assigned them falls within the idmap config range. My AD users are not presented via getent passwd since their primary group's ObjectSid falls outside the idmap config range. After adding the idmap config MYDOMAIN: unix_primary_group = yes line to /usr/local/etc/smb4.conf and running /usr/local/etc/rc.d/samba_server restart, I can now see the AD users and assign permissions to them within FreeNAS.
It seems that this is largely a Samba issue, since with default settings Samba would seemingly break their own multi-domain integration with non-overlapping ranges due to arbitrarily assigned ObjectSid values. However, it would be extremely helpful if FreeNAS could guard against this issue by inserting MYDOMAIN: unix_primary_group = no into smb4.conf and providing a deterministic way to import users and groups from AD into FreeNAS.
Is it possible to get MYDOMAIN: unix_primary_group = no added to smb4.conf to accommodate the 'ad' backend? I'm willing to test other workarounds. Thanks!
PS: Please let me know if any of my assertions are incorrect. For my setup, I have multiple users and groups all configured with uidNumber, gidNumber, loginShell, and unixHomeDirectory attributes defined, added to the Global Catalog, etc. I'm using a "stock" Windows Server 2016 domain controller. Users and groups are defined, but no Group Policy, OUs, or anything fancy(TM).
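As an added illustration (not part of the bug report, and not FreeNAS or Samba code), the following Python models the primary-group choice the report describes, following the behaviour documented for Samba's idmap_ad backend: with unix_primary_group = yes the user's gidNumber becomes the primary gid; with the default (no) the group referenced by primaryGroupID (its RID) must itself map to a gid inside the idmap range. It parses a constructed smb4.conf fragment in place of the Web UI-generated one, takes constructed user and group records in place of a live LDAP query, and reports for each user the gid winbind would use or why no getent passwd entry would appear. The domain name, SIDs, ids and range are all made up.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed smb4.conf fragments (hypothetical domain, ranges, ids): the first mirrors
# an 'ad' backend config without the option, the second adds the line the report found necessary.
SMB4_CONF_DEFAULT = """
[global]
    workgroup = MYDOMAIN
    security = ADS
    idmap config * : backend = tdb
    idmap config * : range = 90000001-100000000
    idmap config MYDOMAIN: backend = ad
    idmap config MYDOMAIN: schema_mode = rfc2307
    idmap config MYDOMAIN: range = 10000-19999
"""
SMB4_CONF_FIXED = SMB4_CONF_DEFAULT + """\
    idmap config MYDOMAIN: unix_primary_group = yes
    idmap config MYDOMAIN: unix_nss_info = yes
"""

# Matches "idmap config DOMAIN : option = value" (the space before the colon is optional).
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<domain>\S+)\s*:\s*(?P<option>\w+)\s*=\s*(?P<value>\S.*?)\s*$",
    re.IGNORECASE,
)


def parse_idmap_config(conf_text: str) -> dict:
    """Collect the idmap config lines into {DOMAIN: {option: value}}; other lines are ignored."""
    cfg: dict = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            cfg.setdefault(m["domain"].upper(), {})[m["option"].lower()] = m["value"]
    return cfg


def parse_range(value: str) -> tuple:
    low, high = (int(x) for x in value.split("-"))
    return low, high


def rid_from_sid(sid: str) -> int:
    """The relative identifier is the last sub-authority of an objectSid (...-513 -> 513)."""
    return int(sid.rsplit("-", 1)[1])


@dataclass
class AdGroup:
    name: str
    object_sid: str            # objectSid; read-only in AD, last sub-authority is the RID
    gid_number: Optional[int]  # rfc2307 gidNumber, None when not set in AD


@dataclass
class AdUser:
    name: str
    uid_number: Optional[int]
    gid_number: Optional[int]
    primary_group_id: int      # primaryGroupID = RID of the AD primary group


# Constructed directory contents. "Domain Users" (RID 513) is AD's default primary group
# and here, as is common, carries no gidNumber; the other groups were assigned one.
GROUPS = [
    AdGroup("Domain Users", "S-1-5-21-1111111111-2222222222-3333333333-513", None),
    AdGroup("engineering", "S-1-5-21-1111111111-2222222222-3333333333-1105", 10001),
    AdGroup("contractors", "S-1-5-21-1111111111-2222222222-3333333333-1106", 25000),
]
USERS = [
    AdUser("alice", 10001, 10001, 513),   # gidNumber in range, AD primary group is Domain Users
    AdUser("bob", 10002, 25000, 513),     # gidNumber outside the MYDOMAIN range
    AdUser("carol", 10003, 10001, 1105),  # AD primary group changed to engineering
]


def primary_gid(user: AdUser, groups_by_rid: dict, domain_cfg: dict) -> tuple:
    """Return (gid, reason); gid is None when winbind could not build a passwd entry."""
    low, high = parse_range(domain_cfg["range"])
    if user.uid_number is None or not low <= user.uid_number <= high:
        return None, f"uidNumber {user.uid_number} missing or outside range {low}-{high}"
    if domain_cfg.get("unix_primary_group", "no").lower() == "yes":
        source, gid = "gidNumber", user.gid_number
        if gid is None:
            return None, "user has no gidNumber"
    else:
        group = groups_by_rid.get(user.primary_group_id)
        source = f"primaryGroupID {user.primary_group_id}"
        if group is None:
            return None, f"{source}: no group with that RID"
        gid = group.gid_number
        if gid is None:
            return None, f"{source} ({group.name}): group has no gidNumber"
    if not low <= gid <= high:
        return None, f"{source}: gid {gid} outside range {low}-{high}"
    return gid, source


def visible_users(conf_text: str, domain: str, users: list, groups: list) -> dict:
    """Map each user name to (gid, reason) under the idmap config for `domain`."""
    cfg = parse_idmap_config(conf_text)[domain.upper()]
    groups_by_rid = {rid_from_sid(g.object_sid): g for g in groups}
    return {u.name: primary_gid(u, groups_by_rid, cfg) for u in users}


if __name__ == "__main__":
    for label, conf in (("default", SMB4_CONF_DEFAULT), ("unix_primary_group = yes", SMB4_CONF_FIXED)):
        print(f"--- {label} ---")
        for name, (gid, reason) in visible_users(conf, "MYDOMAIN", USERS, GROUPS).items():
            state = f"gid {gid}" if gid is not None else "NOT IN getent passwd"
            print(f"{name:6} {state}: {reason}")
```

Run as a script it prints both outcomes side by side: without the option, every user whose AD primary group is Domain Users disappears, which matches the symptom in the report; with unix_primary_group = yes the gidNumber decides, so users whose gidNumber lies outside the configured range (bob) are still dropped, which is the case to check for when assigning rfc2307 attributes in AD.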
History
#1
Updated by John Hixson over 2 years ago
- Copied from Bug #28209: Add unix_primary_group and unix_nss_info to idmap_ad configuration to address how Samba now handles groups added
#2
Updated by John Hixson over 2 years ago
11.1-stable PR: https://github.com/freenas/freenas/pull/1641
#3
Updated by Dru Lavigne over 2 years ago
- Status changed from Unscreened to In Progress
- Needs QA changed from No to Yes
- Needs Merging changed from No to Yes
#4
Updated by Dru Lavigne over 2 years ago
- Status changed from In Progress to Ready for Testing
- Needs Merging changed from Yes to No
#5
Updated by Dru Lavigne over 2 years ago
- Status changed from Ready for Testing to Done
- Needs QA changed from Yes to No