Bug 1484072
| Summary: | 'realm join' adds deprecated parameter to the Samba config file | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Andreas Schneider <asn> |
| Component: | realmd | Assignee: | Sumit Bose <sbose> |
| Status: | CLOSED ERRATA | QA Contact: | Petr Čech <pcech> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | high | | |
| Version: | 7.5 | CC: | asn, erinn.looneytriggs, extras-qa, giuseppe.ragusa, jhrozek, mmuehlfe, pkis, sbose, stefw |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | realmd-0.16.1-10.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | 1482926 | Environment: | |
| Last Closed: | 2018-10-30 11:02:00 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1482926 | | |
| Bug Blocks: | 1550132 | | |
Description
Andreas Schneider
2017-08-22 15:36:50 UTC
Moving the priority up. We have too many customer cases with wrong ID mapping configuration. We need to make sure our tools behave correctly. The Samba documentation will get a rewrite for RHEL 7.5. So we need to make sure we get a correct configuration if we describe 'realm join' in the documentation.

Additional discussion from https://bugzilla.redhat.com/show_bug.cgi?id=1487145:

"""
Many thanks for your quick follow-up. Thanks for notifying me of the already existing bug on the configuration format (I've added myself to the CC list on that bug).

I understand that without RFC2307bis attributes in AD the chosen backend becomes "tdb" which is writable; if the resolution of bug #1484072 will make realmd create a default ("*", catch all) idmap section or a dedicated one ("DOMAIN") plus a default one ("*", catch anything else) but always using a writable backend, either way I agree that this issue will not exist.

But I respectfully dissent on the fact that, in presence of RFC2307bis attributes in AD, it is ok to have only that readonly idmap backend, because:

*) first of all it is detected as an invalid smb.conf by testparm and winbind does not start at all

*) anyway, the main reason for using winbind instead of sssd is better support for trusted AD domains/forests (which users could come from), and those domains could have no RFC2307bis attributes, so a default ("*", catch all) idmap section really should be writable (and, thinking of other domains/forests, really "autorid", not "tdb" nor "rid", is the only reasonable choice for the default idmap section, imho)

Lastly, I will follow up with a ticket on authconfig (since Samba docs explicitly discourage adding winbind to the shadow line, even warning of possible "harm").

To sum it up: if you agree with my reasoning above and if you think that the remaining issue will be taken care of during resolution of bug #1484072 then feel free to close this one as a duplicate.

Many thanks again.
Bye, Giuseppe
"""

"""
Further (authoritative and up-to-date) info on Winbind configuration: https://wiki.samba.org/index.php/Idmap_config_ad

It is explicitly stated that an "ad" backend *must* be supplemented with a default writable backend: the BUILTIN local users/groups are always present and must be taken care of (besides any considerations on further trusted domains that I added above).
"""

*** Bug 1487145 has been marked as a duplicate of this bug. ***

Yes, looks fine for me.

I'd further add, though this may need to be a separate bug report (let me know), that when using the automatic-id-mapping=no option (implying rfc2307 support) the smb.conf that is generated is also very broken (especially with newer winbind versions in RHEL 7.5 and 7.6):

```
[global]
kerberos method = system keytab
template homedir = /home/%U
workgroup = AD
template shell = /bin/bash
security = ads
netbios name = TESTKITCHEN-CUB
realm = AD.COLORADO.EDU
idmap schema = rfc2307
idmap backend = ad
idmap gid = 500-4294967296
idmap uid = 500-4294967296
winbind use default domain = yes
winbind refresh tickets = yes
winbind offline logon = yes
winbind enum groups = no
winbind enum users = no
```

That gid and uid floor looks, well, very bad to begin with; isn't anything < 1000 supposed to be for system use? And of course those options are deprecated in favor of 'idmap config * : range'.

Command run to get that config:

```
realm join --client-software=winbind --computer-ou='OU=Computers,DC=ad,DC=colorado,DC=edu' --automatic-id-mapping=no ad.colorado.edu
```

The 'idmap config ...' option will be available with the next RHEL release.

About the lower value of the ID ranges, you are right that it is recommended in RHEL7 to not use UIDs and GIDs below 1000. However e.g. in RHEL6 the recommendation was not below 500. It looks like 500 is the value most if not all Linux distributions and other UNIX systems use strictly for system purposes. And since with the rfc2307 schema AD can be the source for user and group data for many different systems, the configuration created by realmd automatically should be as open as possible to avoid surprises in the sense that some users and groups are available on one system but not visible on others. In the end it is up to the AD administrator to make sure that there are no ID collisions with local users. So, I would prefer not to change the lower value. But as an alternative you might want to open a new ticket to make this part of the generated smb.conf configurable via /etc/realmd.conf.

Done in 1625289, thanks.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3190
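The thread above makes three separate points about the generated smb.conf: the old `idmap backend` / `idmap uid` / `idmap gid` / `idmap schema` parameters are deprecated in favour of per-domain `idmap config ... :` settings, an `ad` backend must be accompanied by a writable default (`*`) backend or testparm rejects the file and winbind will not start, and the per-domain ranges have to be kept apart. The following checker is an added example written for this page; it is not code from the bug report, realmd or Samba. It parses the `[global]` section of an smb.conf, flags each of those conditions, and is run against two constructed configs: a copy of the broken shape realmd emitted (with the site names replaced by EXAMPLE placeholders) and a corrected one using `idmap config * : backend = tdb` beside `idmap config EXAMPLE : backend = ad` with `schema_mode = rfc2307`. The set of backends treated as "writable" (tdb, tdb2, autorid, ldap) is an assumption drawn from the Samba idmap man pages, not something the bug report states.

```python
"""Check an smb.conf [global] section for the winbind idmap problems
discussed in bug 1484072.  Added example, not part of realmd or Samba."""
import re
from typing import Dict, List, Tuple

# Assumption (from the Samba idmap_* man pages): these backends can allocate
# new IDs, so they are acceptable as the catch-all '*' backend.  'ad' reads
# IDs from AD and 'rid' computes them, so neither can serve BUILTIN accounts
# or trusted domains without RFC2307 attributes.
ALLOCATING_BACKENDS = {"tdb", "tdb2", "autorid", "ldap"}

# Legacy global parameters that realmd wrote and that newer winbind rejects.
LEGACY_IDMAP_KEYS = {"idmap backend", "idmap uid", "idmap gid", "idmap schema"}

# Matches a normalised key such as "idmap config * : backend".
IDMAP_CONFIG_RE = re.compile(r"^idmap config\s+(\S+)\s*:\s*(\S+)$")

# Constructed sample: the broken shape from the report, site names replaced.
BROKEN_SMB_CONF = """
[global]
kerberos method = system keytab
workgroup = EXAMPLE
security = ads
realm = EXAMPLE.COM
idmap schema = rfc2307
idmap backend = ad
idmap gid = 500-4294967296
idmap uid = 500-4294967296
winbind use default domain = yes
"""

# Constructed sample: writable default backend plus an 'ad' backend for the
# joined domain, with non-overlapping ranges.
FIXED_SMB_CONF = """
[global]
kerberos method = system keytab
workgroup = EXAMPLE
security = ads
realm = EXAMPLE.COM
idmap config * : backend = tdb
idmap config * : range = 10000-19999
idmap config EXAMPLE : backend = ad
idmap config EXAMPLE : schema_mode = rfc2307
idmap config EXAMPLE : range = 100000-1999999
winbind use default domain = yes
"""


def parse_global(text: str) -> Dict[str, str]:
    """Return the [global] parameters, keys lower-cased with whitespace
    collapsed.  Comments and other sections are ignored."""
    params: Dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[" ".join(key.lower().split())] = value.strip()
    return params


def parse_range(value: str) -> Tuple[int, int]:
    """'10000-19999' -> (10000, 19999)."""
    lo, _, hi = value.partition("-")
    return int(lo), int(hi)


def idmap_domains(params: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Group 'idmap config DOM : option' keys by domain ('*' is kept as is)."""
    doms: Dict[str, Dict[str, str]] = {}
    for key, value in params.items():
        m = IDMAP_CONFIG_RE.match(key)
        if m:
            doms.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = value
    return doms


def check_idmap(text: str) -> List[str]:
    """Return a list of findings; an empty list means the idmap setup is sane."""
    params = parse_global(text)
    findings: List[str] = []
    for key in sorted(LEGACY_IDMAP_KEYS & params.keys()):
        findings.append(f"deprecated parameter '{key}' (use 'idmap config <DOMAIN> : ...')")
    doms = idmap_domains(params)
    if doms.get("*", {}).get("backend", "").lower() not in ALLOCATING_BACKENDS:
        findings.append("no writable default idmap backend: set 'idmap config * : backend' to tdb or autorid")
    ranges = []
    for dom, opts in doms.items():
        if "range" not in opts:
            findings.append(f"idmap domain {dom} has no 'range'")
            continue
        ranges.append((dom, parse_range(opts["range"])))
    for i, (d1, (lo1, hi1)) in enumerate(ranges):
        for d2, (lo2, hi2) in ranges[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:  # winbind refuses overlapping ranges
                findings.append(f"idmap ranges of {d1} and {d2} overlap")
    return findings


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_SMB_CONF), ("fixed", FIXED_SMB_CONF)):
        print(f"{name}: {check_idmap(conf) or 'OK'}")
```

Running the script reports five findings for the broken config (four deprecated parameters and the missing writable default) and none for the corrected one; a `rid` default backend or an `ad` range overlapping the `*` range is reported as well. testparm remains the authoritative check, as the thread notes; this script only makes the three failure modes explicit.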