Use Active Directory RFC2307

[blanchet]

Hi,

I run TrueNAS-13.0u4. The server has joined the Active Directory Domain (Windows Server 2022)
It works well when I use the RID idmap backend (the default setting) and I can connect with a Windows computers to the SMB shares.

Working configuration with RID idmap backend

Code:

root@truenas-test-smh[~]# testparm         
Load smb config files from /usr/local/etc/smb4.conf
Loaded services file OK.
Weak crypto is allowed

Server role: ROLE_DOMAIN_MEMBER

Press enter to see a dump of your service definitions

# Global parameters
[global]
    aio max threads = 2
    allow trusted domains = No
    bind interfaces only = Yes
    client ldap sasl wrapping = seal
    disable spoolss = Yes
    dns proxy = No
    domain master = No
    enable web service discovery = Yes
    kerberos method = secrets and keytab
    kernel change notify = No
    load printers = No
    local master = No
    logging = file
    max log size = 5120
    netbios name = TRUENAS-TEST
    nsupdate command = /usr/local/bin/samba-nsupdate -g
    preferred master = No
    realm = IRAM.WINNT
    registry shares = Yes
    restrict anonymous = 2
    security = ADS
    server multi channel support = No
    server role = member server
    server string = TrueNAS Server
    template shell = /bin/sh
    unix extensions = No
    winbind cache time = 7200
    winbind enum groups = Yes
    winbind enum users = Yes
    winbind max domain connections = 10
    winbind nss info = rfc2307
    workgroup = IRAM
    idmap config *: range = 90000001-100000000
    idmap config iram: range = 100000001-200000000
    idmap config iram: backend = rid
    rpc_server:mdssvc = disabled
    rpc_daemon:mdssd = disabled
    idmap config * : backend = tdb
    directory name cache size = 0
    dos filemode = Yes

I can see all the users with their generated UID/GID with the command getent passwd

Nevertheless, I would prefer that TrueNAS server use the specific UID and GID that are defined in RFC2307 when storing the files
so that I can also share the data with the NFS protocol.

So I have followed this guide to edit the RFC2307 attributes in Active Directory

Configuring ID mappings in Active Directory Users and Computers for Windows Server 2016 (and subsequent) versions

You can configure ID mappings in Active Directory Users and Computers (ADUC) for Windows Server 2016 (and subsequent) versions. You can also compare how IDMU attributes map to RFC 2307 attributes.

www.ibm.com

• uidNumber
• gidNumber

And then I have tried to switch the idmap backend from RID to AD, but it does not work.
This is my smb4.conf file after switching the idmap backend to AD

Not working configuration with AD RFC2307 idmap backend

Code:

root@truenas-test-smh[~]# testparm      
Load smb config files from /usr/local/etc/smb4.conf
Loaded services file OK.
Weak crypto is allowed

Server role: ROLE_DOMAIN_MEMBER

Press enter to see a dump of your service definitions

# Global parameters
[global]
    aio max threads = 2
    allow trusted domains = No
    bind interfaces only = Yes
    client ldap sasl wrapping = seal
    disable spoolss = Yes
    dns proxy = No
    domain master = No
    enable web service discovery = Yes
    kerberos method = secrets and keytab
    kernel change notify = No
    load printers = No
    local master = No
    logging = file
    max log size = 5120
    netbios name = TRUENAS-TEST
    nsupdate command = /usr/local/bin/samba-nsupdate -g
    preferred master = No
    realm = IRAM.WINNT
    registry shares = Yes
    restrict anonymous = 2
    security = ADS
    server multi channel support = No
    server role = member server
    server string = TrueNAS Server
    template shell = /bin/sh
    unix extensions = No
    winbind cache time = 7200
    winbind enum groups = Yes
    winbind enum users = Yes
    winbind max domain connections = 10
    winbind nss info = rfc2307
    workgroup = IRAM
    idmap config *: range = 90000001-100000000
    idmap config iram: schema_mode = rfc2307
    idmap config iram: range = 100000001-200000000
    idmap config iram: backend = ad
    rpc_server:mdssvc = disabled
    rpc_daemon:mdssd = disabled
    idmap config * : backend = tdb
    directory name cache size = 0
    dos filemode = Yes

If I run getent passwd, there is no users from Active Directory in the output.

I am blocked, therefore I would really appreciate if someone could give me a hint.

 

[blanchet]

Indeed, the documentation of TrueNAS Scale gives really more details about Idmap and RFC2307 than the TrueNAS Core documentation.

Idmap Screens

Provides information on the **Idmap** screen and widget settings.

www.truenas.com

Nevertheless, I have not figured out how to proceed yet.

But I will not discourage me because I have seen on other threads that other users succeed to setup RFC2307 https://www.truenas.com/community/threads/broken-uid-gid-allocation-in-idmap-tdb.106641/

 

[hydrian]

Did you get anywhere with this? I'm having the same issue.

 

[blanchet]

Unfortunately I have not succeed yet to setup AD + RFC 2307 on TrueNAS.

For the moment, as a workaround, I create manually the user/group in the webui, and then I use a Samba username mapping file .
It is boring but it easy to setup and it works.

Some other resources:

Setting up RFC2307 in AD - SambaWiki

wiki.samba.org

Microsoft Active Directory with RFC 2307 | PowerScale OneFS Authentication, Identity Management, and Authorization | Dell Technologies Info Hub

This white paper details user and file access management in Dell EMC PowerScale OneFS through the explanation of the Authentication, Identity Management, and Authorization (AIMA) stack.

infohub.delltechnologies.com

Clarification regarding the status of Identity Management for Unix (IDMU) & NIS Server Role in Windows Server 2016 Technical Preview and beyond

learn.microsoft.com

 

[Tronmech]

I used the "sssd compatible" option in the idmap configuration screen, and I get the UIDs I want -- the same uid's as the Linux host sssd-attached to the same domain -- but currently can't get those to show up in an NFSv4 share. Everything becomes NOBODY. If I turn on NFSv3-style access, I get the names for the groups, but can't chgrp the files in the share. That's probably because my linux host IS set up to use NFSv4 ID mapping, and thus sends "groupname@nfsdomain" for the new group... Which -- of course -- the NAS would be allergic to if it's not doing name mapping.

 

[hydrian]

I used the "sssd compatible" option in the idmap configuration screen, and I get the UIDs I want -- the same uid's as the Linux host sssd-attached to the same domain -- but currently can't get those to show up in an NFSv4 share. Everything becomes NOBODY. If I turn on NFSv3-style access, I get the names for the groups, but can't chgrp the files in the share. That's probably because my linux host IS set up to use NFSv4 ID mapping, and thus sends "groupname@nfsdomain" for the new group... Which -- of course -- the NAS would be allergic to if it's not doing name mapping.

I don't see this option on TrueNAS core. Are you running Core or Scale? If Core, what version?

 

[blanchet]

I used the "sssd compatible" option in the idmap configuration screen, and I get the UIDs I want -- the same uid's as the Linux host sssd-attached to the same domain -- but currently can't get those to show up in an NFSv4 share. Everything becomes NOBODY. If I turn on NFSv3-style access, I get the names for the groups, but can't chgrp the files in the share. That's probably because my linux host IS set up to use NFSv4 ID mapping, and thus sends "groupname@nfsdomain" for the new group... Which -- of course -- the NAS would be allergic to if it's not doing name mapping.

It seems very interesting but I did not succeed to reproduce your settings.
If I enable SSD-Compat, it changes the UID/GID but it does not get the RFC2307 attributes

These are my settings, could you please share your settings ?

 

[hydrian]

I know my uidNumber/gidNumber attributes are setup fine. I'm able to get them with sssd on a linux box. I'm just having issues with TrueNAS 13.1.

 

[hydrian]

Oh.. The idmap has to be RID not rfc2307! A bit couter-intuitive but whatever gets it working. Hope this works

 

[hydrian]

A bit of update and I hope it helps others.

1. Turn on verbose logging
2. Restart smbd and winbindd services
3. If you see anything about NT_STATUS_INTERNAL_DB_CORRUPTION, do the following.
4. Stop smbd & winbindd services
5. Backup the /var/db/system/samba4 directory
6. execute
   Code:

   rm /var/db/system/samba4/*.tdb

   as root (this will remove the current mapping if you are using RID and regenerated it)
7. Start smb & winbindd server
8. Test with
   Code:

   getent passwd SOME_USER_NAME

9. It should return a user's passwd entry.

This issue occurred when I upgraded quickly from 11.3-U5->12.0-U8.1->13.0-U4. I suspect the tdb format/version changed a bit and the tdb format was considered corruption. All the smbd & winbindd started fine but winbindd wouldn't expose the user to NSS. I resolved it with the instructions above.

It also didn't help that I forgot to test with

Code:

getent passwd SOME_USERNAME

and use just

Code:

getent passwd

.

Code:

getent passwd

will now users unless

Code:

winbind enum users = 1

in smb4.conf is enabled. TrueNAS doesn't expose this normally.

 

[Tronmech]

I just set the "sssd compat" setting in that idmap edit. No special attributes needed, if you don't mind the defaults. (Or if you already have Linux hosts using sssd->AD.)

In my case the user names coming over in NFSv4 look weird: DOMAIN\User@AD.DNS.NAME. Which is incredibly frustrating because I actually need the names in User@AD.DNS.NAME format, and I'm completely clueless about how to accomplish that. And my thread about that? Crickets...

 

[hydrian]

A bit of update and I hope it helps others.

1. Turn on verbose logging
2. Restart smbd and winbindd services
3. If you see anything about NT_STATUS_INTERNAL_DB_CORRUPTION, do the following.
4. Stop smbd & winbindd services
5. Backup the /var/db/system/samba4 directory
6. execute
   Code:

   rm /var/db/system/samba4/*.tdb

   as root (this will remove the current mapping if you are using RID and regenerated it)
7. Start smb & winbindd server
8. Test with
   Code:

   getent passwd SOME_USER_NAME

9. It should return a user's passwd entry.

This issue occurred when I upgraded quickly from 11.3-U5->12.0-U8.1->13.0-U4. I suspect the tdb format/version changed a bit and the tdb format was considered corruption. All the smbd & winbindd started fine but winbindd wouldn't expose the user to NSS. I resolved it with the instructions above.

It also didn't help that I forgot to test with

Code:

getent passwd SOME_USERNAME

and use just

Code:

getent passwd

.

Code:

getent passwd

will now users unless

Code:

winbind enum users = 1

in smb4.conf is enabled. TrueNAS doesn't expose this normally.

Not sure if this was clear or not, this resolved my issues.