Tuesday, June 17, 2014

Using cifs.idmap

We first set up winbind.

Make sure you have the following packages installed:
samba-winbind: provides the winbindd daemon.
samba-winbind-clients: provides the libnss and PAM modules required by winbind.

Add winbind configuration in /etc/samba/smb.conf:
[global]
        security = ads
        realm = ENG1.LAB.EXAMPLE.COM
        workgroup = ENG1

        winbind separator = +
        winbind cache time = 120
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = yes

        idmap backend = rid
        idmap uid = 10000-20000
        idmap gid = 10000-20000

        template homedir = /home/%D/%U
        template shell = /bin/bash
        password server = vm140-52.eng1.lab.example.com

Configure /etc/krb5.conf (note that allow_weak_crypto below permits weak Kerberos enctypes such as single DES; leave it out unless the domain controller still requires them):
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = ENG1.LAB.EXAMPLE.COM
dns_lookup_realm = true
dns_lookup_kdc = true
allow_weak_crypto = 1

[realms]
ENG1.LAB.EXAMPLE.COM = {
  kdc = vm140-52.eng1.lab.example.com:88
}

[domain_realm]
.eng1.lab.example.com = ENG1.LAB.EXAMPLE.COM
eng1.lab.example.com = ENG1.LAB.EXAMPLE.COM

Edit /etc/nsswitch.conf and add winbind, making sure that the passwd and group lookups use it:
...
passwd:    files winbind
shadow:    files
group:     files winbind
...
You now need to join the ADS:
# net ads join -D 5 -U Administrator@ENG1.LAB.EXAMPLE.COM -S vm140-52
Enable winbindd:
# systemctl enable winbindd
# systemctl start winbindd
To test (wintest1 is a user in the ADS):
# id wintest1

At this point, winbind is set up on your machine.

To debug winbind, stop the winbindd service and run it in the foreground from the command line:
# winbindd -F -d 3 -S | tee winbind.out
This prints level-3 debug output to the terminal as well as to the file winbind.out in the current directory.

Mounting the cifs share:

First ensure that the request-key mechanism is set up to use cifs.idmap. The following line must exist in either /etc/request-key.conf or /etc/request-key.d/cifs.idmap.conf (the default location on Fedora and RHEL):
create  cifs.idmap    * * /usr/sbin/cifs.idmap %k

Now mount the cifs share with the cifsacl mount option:
# mount -t cifs -o username=wintest1,password=pass1,cifsacl //192.168.140.53/exports /mnt
(The password is passed inline here for brevity; mount.cifs also accepts a credentials= file, which keeps it out of the process list and shell history.)
You should now see the usernames from the ADS in the listing:
# ls -l /mnt
total 4
drwxr-xr-x 1 root     domain users 4096 May 15 16:37 scratch
drwxr-xr-x 1 wintest1 domain users    0 May 13 12:20 wintest1
drwxr-xr-x 1 wintest2 domain users    0 Mar 19 13:37 wintest2

Note that cifsacl results in an additional NT Transact call, QUERY_SECURITY_DESC, to retrieve the security descriptor of every file that is stat-ed. This carries a performance penalty.

More information is available in the cifs.idmap man page.
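To make the SID-to-id mapping behind the listing above concrete, here is an added illustration (not code from the post or from cifs-utils) of what the upcall helper has to answer: the kernel hands cifs.idmap a key whose description carries an os:/gs: prefix plus a SID (owner or group SID to map to a uid/gid) or an oi:/gi: prefix plus a uid/gid (to map back to a SID), and the helper asks winbind, which with the rid backend and 10000-20000 range configured above computes uid = range base + RID. The domain SID is a constructed sample value; a real helper would obtain the mapping from winbind rather than computing it itself.

```python
import re

# Values from the post's smb.conf: rid backend, uid/gid range 10000-20000.
ID_RANGE = (10000, 20000)
# Constructed sample domain SID for ENG1 (not taken from the post).
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

# Domain SIDs look like S-1-5-21-<a>-<b>-<c>-<RID>; the RID is the last field.
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def sid_to_id(sid):
    """Map a domain SID to a uid/gid the way idmap_rid does: ID = low + RID.
    Returns None for SIDs of other domains (or well-known SIDs such as
    S-1-1-0, which winbind maps elsewhere) and for results outside the range."""
    m = SID_RE.match(sid)
    if not m or not sid.startswith(DOMAIN_SID + "-"):
        return None
    ident = ID_RANGE[0] + int(m.group(1))
    return ident if ident <= ID_RANGE[1] else None


def id_to_sid(ident):
    """Reverse mapping: a uid/gid inside the range becomes DOMAIN_SID-RID."""
    low, high = ID_RANGE
    if not low <= ident <= high:
        return None
    return f"{DOMAIN_SID}-{ident - low}"


def resolve_key(description):
    """Resolve one cifs.idmap key description.
    os:/gs: carry a SID to turn into an owner uid / group gid;
    oi:/gi: carry a uid/gid to turn into a SID.
    Returns the value to instantiate the key with, or None when the key
    should be negatively instantiated (unmappable id)."""
    prefix, _, payload = description.partition(":")
    if prefix in ("os", "gs"):
        ident = sid_to_id(payload)
        return None if ident is None else str(ident)
    if prefix in ("oi", "gi") and payload.isdigit():
        return id_to_sid(int(payload))
    return None
```

With this range, the wintest1 directory above would be owned by whichever uid equals 10000 plus that account's RID, and "domain users" (RID 513) maps to gid 10513.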