Bug 1484072

Summary: 'realm join' adds deprecated parameter to the Samba config file
Product: Red Hat Enterprise Linux 7
Reporter: Andreas Schneider <asn>
Component: realmd
Assignee: Sumit Bose <sbose>
Status: CLOSED ERRATA
QA Contact: Petr Čech <pcech>
Severity: unspecified
Priority: high
Version: 7.5
CC: asn, erinn.looneytriggs, extras-qa, giuseppe.ragusa, jhrozek, mmuehlfe, pkis, sbose, stefw
Target Milestone: rc
Fixed In Version: realmd-0.16.1-10.el7
Clone Of: 1482926
Last Closed: 2018-10-30 11:02:00 UTC
Type: Bug
Bug Depends On: 1482926
Bug Blocks: 1550132

Description Andreas Schneider 2017-08-22 15:36:50 UTC
+++ This bug was initially created as a clone of Bug #1482926 +++

Description of problem:

The command

  realm join --client-software=winbind

creates an outdated Samba configuration. It adds the following parameters to the [global] section of the smb.conf file:

  idmap backend = tdb
  idmap gid = 10000-2000000
  idmap uid = 10000-2000000

Those have been deprecated and replaced. Also it should use the rid backend for the domain it joined. The config should look like this:

  idmap config * : range = 1000000-1999999

  idmap config DOMAIN : backend = rid
  idmap config DOMAIN : range = 100000000-199999999

where DOMAIN is the name of the domain that realm joined the machine to.

This needs to be fixed in RHEL7 too!

Comment 1 Andreas Schneider 2017-08-22 15:42:06 UTC
Moving the priority up. We have too many customer cases with wrong ID mapping configuration. We need to make sure our tools behave correctly.

The Samba documentation will get a rewrite for RHEL 7.5. So we need to make sure we get a correct configuration if we describe 'realm join' in the documentation.

Comment 2 Sumit Bose 2017-09-11 08:24:37 UTC
Additional discussion from https://bugzilla.redhat.com/show_bug.cgi?id=1487145:

"""
Many thanks for your quick follow-up.

Thanks for notifying me of the already existing bug on the configuration format (I've added myself to the CC list on that bug).

I understand that without RFC2307bis attributes in AD the chosen backend becomes "tdb" which is writable; if the resolution of bug #1484072 will make realmd create a default ("*", catch all) idmap section or a dedicated one ("DOMAIN") plus a default one ("*", catch anything else) but always using a writable backend, either way I agree that this issue will not exist.

But I respectfully dissent on the fact that, in presence of RFC2307bis attributes in AD, it is ok to have only that readonly idmap backend, because:

*) first of all it is detected as an invalid smb.conf by testparm and winbind does not start at all

*) anyway, the main reason for using winbind instead of sssd is better support for trusted AD domains/forests (which users could come from), and those domains could have no RFC2307bis attributes, so a default ("*", catch all) idmap section really should be writable (and, thinking of other domains/forests, really "autorid", not "tdb" nor "rid", is the only reasonable choice for the default idmap section, imho)

Lastly, I will follow up with a ticket on authconfig (since the Samba docs explicitly discourage adding winbind to the shadow line, even warning of possible "harm").

To sum it up: if you agree with my reasoning above and if you think that the remaining issue will be taken care of during resolution of bug #1484072 then feel free to close this one as a duplicate.

Many thanks again.

Bye,
Giuseppe
"""

"""
Further (authoritative and up-to-date) info on Winbind configuration:

https://wiki.samba.org/index.php/Idmap_config_ad

It is explicitly stated that an "ad" backend *must* be supplemented with a default writable backend: the BUILTIN local users/groups are always present and must be taken care of (besides any considerations on further trusted domains that I added above).
"""

Comment 3 Sumit Bose 2017-09-11 08:25:21 UTC
*** Bug 1487145 has been marked as a duplicate of this bug. ***

Comment 10 Andreas Schneider 2018-06-01 08:18:51 UTC
Yes, looks fine for me.

Comment 13 Erinn Looney-Triggs 2018-09-03 23:24:47 UTC
I'd further add, though this may need to be a separate bug report (let me know) that when using the automatic-id-mapping=no option (implying rfc2307 support) the smb.conf that is generated is also very broken (especially with newer winbind versions in RHEL 7.5 and 7.6):

[global]
kerberos method = system keytab
template homedir = /home/%U
workgroup = AD
template shell = /bin/bash
security = ads
netbios name = TESTKITCHEN-CUB
realm = AD.COLORADO.EDU
idmap schema = rfc2307
idmap backend = ad
idmap gid = 500-4294967296
idmap uid = 500-4294967296
winbind use default domain = yes
winbind refresh tickets = yes
winbind offline logon = yes
winbind enum groups = no
winbind enum users = no

That gid and uid floor looks, well, very bad to begin with; isn't anything < 1000 supposed to be for system use? And of course those options are deprecated in favor of 'idmap config * : range'.

Command run to get that config:
realm join --client-software=winbind --computer-ou='OU=Computers,DC=ad,DC=colorado,DC=edu' --automatic-id-mapping=no ad.colorado.edu
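As an added illustration (not code from realmd or from anyone in this thread), the following Python audits the [global] section of an smb.conf for the deprecated idmap keys discussed in the description and in comment 13, reports the 'idmap config' key each should be expressed with, and flags ranges whose low end falls below the 1000 floor raised above. The sample config is a constructed, trimmed variant of the one in comment 13; the schema_mode mapping for 'idmap schema' is an assumption drawn from the idmap_ad backend, not something stated on this page.

```python
from typing import Dict, List, Tuple

# Deprecated global idmap keys discussed in this bug and the 'idmap config'
# key each should be expressed with instead. The legacy 'idmap backend/uid/gid'
# keys correspond to the catch-all '*' section; the schema_mode mapping is an
# assumption based on the idmap_ad backend and is not stated on the page.
DEPRECATED = {
    "idmap backend": "idmap config * : backend",
    "idmap uid": "idmap config * : range",
    "idmap gid": "idmap config * : range",
    "idmap schema": "idmap config DOMAIN : schema_mode",
}

# Constructed sample, trimmed from the smb.conf shown in comment 13.
SAMPLE_SMB_CONF = """\
[global]
workgroup = AD
realm = AD.COLORADO.EDU
idmap schema = rfc2307
idmap backend = ad
idmap gid = 500-4294967296
idmap uid = 500-4294967296
"""

def parse_global(text: str) -> Dict[str, str]:
    """Return key/value pairs from the [global] section; keys are lower-cased
    and internal whitespace collapsed, matching smb.conf's loose key syntax."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def audit_idmap(text: str) -> List[Tuple[str, str, str]]:
    """Return (deprecated key, value, replacement key) for each hit in [global]."""
    return [(k, v, DEPRECATED[k]) for k, v in parse_global(text).items() if k in DEPRECATED]

def range_floors_below(text: str, floor: int = 1000) -> List[Tuple[str, int]]:
    """Return (key, low end) for every idmap range starting below `floor`,
    covering both the legacy uid/gid keys and 'idmap config ... : range'."""
    hits = []
    for key, value in parse_global(text).items():
        if key in ("idmap uid", "idmap gid") or key.endswith(": range"):
            low = int(value.split("-", 1)[0].strip())
            if low < floor:
                hits.append((key, low))
    return hits
```

Run `audit_idmap(SAMPLE_SMB_CONF)` and `range_floors_below(SAMPLE_SMB_CONF)` against a generated smb.conf to see which keys still need migrating before testparm or winbind are exercised.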

Comment 14 Sumit Bose 2018-09-04 08:20:25 UTC
The 'idmap config ...' option will be available with the next RHEL release.

About the lower value of the ID ranges, you are right that it is recommended in RHEL7 to not use UIDs and GIDs below 1000. However, e.g. in RHEL6 the recommendation was not below 500. It looks like 500 is the value most if not all Linux distributions and other UNIX systems use strictly for system purposes. And since with the rfc2307 schema AD can be the source for user and group data for many different systems, the configuration created by realmd automatically should be as open as possible to avoid surprises in the sense that some users and groups are available on one system but not visible on others.

In the end it is up to the AD administrator to make sure that there are no ID collisions with local users.

So, I would prefer not to change the lower value. But as an alternative you might want to open a new ticket to make this part of the generated smb.conf configurable via /etc/realmd.conf.

Comment 15 Erinn Looney-Triggs 2018-09-04 14:56:15 UTC
Done in 1625289, thanks.

Comment 17 errata-xmlrpc 2018-10-30 11:02:00 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3190