Bug #40708
Add unix_primary_group and unix_nss_info to idmap_ad configuration to address how Samba now handles groups
Description
Samba authentication using the 'ad' backend and gid user/group attributes worked in 9.10.2, but is broken in 11.1-U1 for users relying on the gidNumber LDAP attribute. It appears Samba was upgraded from 4.5.5 to 4.7.0 between 9.10.2 and 11.1-U1. The Samba wiki identifies a difference in the way that it handles groups starting in 4.6.0 (see https://wiki.samba.org/index.php/Idmap_config_ad#The_RFC2307_and_template_Mode_Options).
With Samba's new unix_primary_group default setting, the primaryGroupID attribute is used to determine the gid for users, and not the gidNumber. The primaryGroupID is set to the last part of the AD group's ObjectSid. The ObjectSid is read-only and cannot be modified which results in AD users not being recognized by Samba when their primary group's ObectSid falls outside the idmap config range.
Using the Web UI-generated /usr/local/etc/smb4.conf, my AD groups are presented via getent group because the gidNumber I assigned them falls within the idmap config range. My AD users are not presented via getent passwd since their primary group's ObjectSid falls outside the idmap config range. After adding idmap config MYDOMAIN: unix_primary_group = yes line to /usr/local/etc/smb4.conf and running /usr/local/etc/rc.d/samba_server restart, I can now see the AD users and assign permissions to them within FreeNAS.
It seems that this is largely a Samba issue, since with default settings Samba would seemingly break their own multi-domain integration with non-overlapping ranges due to arbitrarily assigned ObjectSid values. However, it would be extremely helpful if FreeNAS could guard against this issue by inserting MYDOMAIN: unix_primary_group = no into smb4.conf and providing a deterministic way to import users and groups from AD into FreeNAS.
Is it possible to get MYDOMAIN: unix_primary_group = no added to smb4.conf to accommodate the 'ad' backend? I'm willing to test other workarounds. Thanks!
PS: Please let me know if any of my assertions are incorrect. For my setup, I have multiple users and groups all configured with uidNumber, gidNumber, loginShell, and unixHomeDirectory attributes defined, added to the Global Catalog, etc. I'm using a "stock" Windows Server 2016 domain controller. Users and groups are defined, but no Group Policy, OUs, or anything fancy(TM).
Related issues
Associated revisions
History
#1
Updated by John Hixson over 2 years ago
Updated by John Hixson - Copied from Bug #28209: Add unix_primary_group and unix_nss_info to idmap_ad configuration to address how Samba now handles groups added
#2
Updated by John Hixson over 2 years ago
11.1-stable PR: https://github.com/freenas/freenas/pull/1641
#3
Updated by Dru Lavigne over 2 years ago
Updated by Dru Lavigne - Status changed from Unscreened to In Progress
- Needs QA changed from No to Yes
- Needs Merging changed from No to Yes
#4
Updated by Dru Lavigne over 2 years ago
- Status changed from In Progress to Ready for Testing
- Needs Merging changed from Yes to No
#5
Updated by Dru Lavigne over 2 years ago
- Status changed from Ready for Testing to Done
- Needs QA changed from Yes to No