+++ This bug was initially created as a clone of Bug #1482926 +++
Description of problem:
realm join --client-software=winbind
creates an outdated Samba configuration. It adds the following parameters to the [global] section of the smb.conf file:
idmap backend = tdb
idmap gid = 10000-2000000
idmap uid = 10000-2000000
Those have been deprecated and replaced. Also it should use the rid backend for the domain it joined. The config should look like this:
idmap config * : range = 1000000-1999999
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 100000000-199999999
where DOMAIN is the domain name realm joined the machine to.
This needs to be fixed in RHEL7 too!
Moving the priority up. We have too many customer cases with wrong ID mapping configuration. We need to make sure our tools behave correctly.
The Samba documentation will get a rewrite for RHEL 7.5. So we need to make sure we get a correct configuration if we describe 'realm join' in the documentation.
Additional discussion from https://bugzilla.redhat.com/show_bug.cgi?id=1487145:
Many thanks for your quick follow-up.
Thanks for notifying me of the already existing bug on the configuration format (I've added myself to the CC list on that bug).
I understand that without RFC2307bis attributes in AD the chosen backend becomes "tdb" which is writable; if the resolution of bug #1484072 will make realmd create a default ("*", catch all) idmap section or a dedicated one ("DOMAIN") plus a default one ("*", catch anything else) but always using a writable backend, either way I agree that this issue will not exist.
But I respectfully dissent on the fact that, in presence of RFC2307bis attributes in AD, it is ok to have only that readonly idmap backend, because:
*) first of all it is detected as an invalid smb.conf by testparm and winbind does not start at all
*) anyway, the main reason for using winbind instead of sssd is better support for trusted AD domains/forests (which users could come from), and those domains could have no RFC2307bis attributes, so a default ("*", catch all) idmap section really should be writable (and, thinking of other domains/forests, really "autorid", not "tdb" nor "rid", is the only reasonable choice for the default idmap section, imho)
Lastly, I will follow up with a ticket on authconfig (since the Samba docs explicitly discourage adding winbind to the shadow line, even warning of possible "harm").
To sum it up: if you agree with my reasoning above and if you think that the remaining issue will be taken care of during resolution of bug #1484072 then feel free to close this one as a duplicate.
Many thanks again.
Further (authoritative and up-to-date) info on Winbind configuration:
It is explicitly stated that an "ad" backend *must* be supplemented with a default writable backend: the BUILTIN local users/groups are always present and must be taken care of (besides any considerations on further trusted domains that I added above).
*** Bug 1487145 has been marked as a duplicate of this bug. ***
Yes, looks fine for me.
I'd further add, though this may need to be a separate bug report (let me know) that when using the automatic-id-mapping=no option (implying rfc2307 support) the smb.conf that is generated is also very broken (especially with newer winbind versions in RHEL 7.5 and 7.6):
kerberos method = system keytab
template homedir = /home/%U
workgroup = AD
template shell = /bin/bash
security = ads
netbios name = TESTKITCHEN-CUB
realm = AD.COLORADO.EDU
idmap schema = rfc2307
idmap backend = ad
idmap gid = 500-4294967296
idmap uid = 500-4294967296
winbind use default domain = yes
winbind refresh tickets = yes
winbind offline logon = yes
winbind enum groups = no
winbind enum users = no
That gid and uid floor looks, well, very bad to begin with; isn't anything < 1000 supposed to be for system use? And of course those options are deprecated in favor of 'idmap config * : range'.
Command run to get that config:
realm join --client-software=winbind --computer-ou='OU=Computers,DC=ad,DC=colorado,DC=edu' --automatic-id-mapping=no ad.colorado.edu
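An added check, not part of realmd, Samba or this bug thread, that reads the [global] section of an smb.conf and flags the three problems discussed here: the deprecated 'idmap backend' / 'idmap uid' / 'idmap gid' parameters, an 'ad' or 'rid' domain entry with no writable 'idmap config * : range' default, and ID ranges that start below 1000 or overlap. The two sample configs are constructed from the fragments quoted in the description and in the comment above; the function names and the 1000 floor are assumptions of this example, not realmd behaviour.

```python
import re

# Constructed sample: the idmap-relevant part of the [global] section the
# comment above says realmd wrote with --automatic-id-mapping=no.
LEGACY_SMB_CONF = """\
[global]
workgroup = AD
security = ads
realm = AD.COLORADO.EDU
idmap schema = rfc2307
idmap backend = ad
idmap gid = 500-4294967296
idmap uid = 500-4294967296
"""

# Constructed sample: the layout the bug description asks realmd to produce.
MODERN_SMB_CONF = """\
[global]
workgroup = AD
security = ads
realm = AD.COLORADO.EDU
idmap config * : range = 1000000-1999999
idmap config AD : backend = rid
idmap config AD : range = 100000000-199999999
"""

# Parameters the bug report names as deprecated in favour of 'idmap config'.
DEPRECATED = ("idmap backend", "idmap uid", "idmap gid")
# Backends that never allocate IDs themselves; BUILTIN and trusted domains
# then need a writable '*' default entry (tdb or autorid) to get IDs at all.
READONLY_BACKENDS = {"ad", "rid"}
MIN_RECOMMENDED_UID = 1000  # RHEL 7 floor quoted in the thread (assumption for this check)

_SECTION = re.compile(r"^\[(?P<name>[^\]]+)\]$")
_IDMAP_CFG = re.compile(r"^idmap config\s+(?P<dom>\S+)\s*:\s*(?P<key>\S+)$")

def parse_global(text):
    """Return {normalized key: value} for the [global] section of an smb.conf."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.split(";")[0].split("#")[0].strip()  # drop smb.conf comments
        if not line:
            continue
        m = _SECTION.match(line)
        if m:
            section = m.group("name").strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        # Samba ignores case and surplus whitespace in parameter names.
        params[" ".join(key.lower().split())] = value.strip()
    return params

def parse_range(value):
    """'low-high' -> (low, high), or None when the range is malformed."""
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", value)
    if not m:
        return None
    low, high = int(m.group(1)), int(m.group(2))
    return (low, high) if low <= high else None

def audit_idmap(text):
    """Return a list of findings; an empty list means the idmap layout looks sane."""
    params, findings = parse_global(text), []
    for key in DEPRECATED:
        if key in params:
            findings.append(f"deprecated parameter '{key}' (use 'idmap config ...')")

    domains = {}  # domain -> {"backend": ..., "range": ...}
    for key, value in params.items():
        m = _IDMAP_CFG.match(key)
        if m:
            domains.setdefault(m.group("dom").upper(), {})[m.group("key")] = value

    needs_default = [d for d, cfg in domains.items()
                     if d != "*" and cfg.get("backend", "").lower() in READONLY_BACKENDS]
    if params.get("idmap backend", "").lower() in READONLY_BACKENDS:
        needs_default.append("legacy 'idmap backend'")
    if needs_default and "range" not in domains.get("*", {}):
        findings.append(f"read-only backend for {', '.join(needs_default)} "
                        "but no writable 'idmap config * : range' default")

    # Legacy uid/gid ranges: check the floor only (they are meant to be identical).
    for legacy in ("idmap uid", "idmap gid"):
        if legacy in params:
            r = parse_range(params[legacy])
            if r is None:
                findings.append(f"malformed range '{params[legacy]}' for {legacy}")
            elif r[0] < MIN_RECOMMENDED_UID:
                findings.append(f"range for {legacy} starts at {r[0]}, below {MIN_RECOMMENDED_UID}")

    # Per-domain ranges: well formed, above the floor, and mutually disjoint.
    parsed = []
    for dom, cfg in domains.items():
        if "range" not in cfg:
            continue
        r = parse_range(cfg["range"])
        if r is None:
            findings.append(f"malformed range '{cfg['range']}' for {dom}")
            continue
        if r[0] < MIN_RECOMMENDED_UID:
            findings.append(f"range for {dom} starts at {r[0]}, below {MIN_RECOMMENDED_UID}")
        parsed.append((dom, r))
    for i, (d1, (l1, h1)) in enumerate(parsed):
        for d2, (l2, h2) in parsed[i + 1:]:
            if l1 <= h2 and l2 <= h1:
                findings.append(f"ranges for {d1} and {d2} overlap")
    return findings

if __name__ == "__main__":
    for label, conf in (("legacy", LEGACY_SMB_CONF), ("modern", MODERN_SMB_CONF)):
        print(label, audit_idmap(conf) or ["ok"])
```

Run it against a real /etc/samba/smb.conf by reading the file into audit_idmap(); a clean result is not a substitute for testparm, which validates every parameter, but it catches the specific layout mistakes this report is about.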
The 'idmap config ...' option will be available with the next RHEL release.
About the lower value of the ID ranges, you are right that it is recommended in RHEL7 to not use UIDs and GIDs below 1000. However, e.g. in RHEL6 the recommendation was not below 500. It looks like 500 is the value most if not all Linux distributions and other UNIX systems use strictly for system purposes. And since with the rfc2307 schema AD can be the source for user and group data for many different systems, the configuration created by realmd automatically should be as open as possible to avoid surprises in the sense that some users and groups are available on one system but not visible on others.
In the end it is up to the AD administrator to make sure that there are no ID collisions with local users.
So, I would prefer not to change the lower value. But as an alternative you might want to open a new ticket to make this part of the generated smb.conf configurable via /etc/realmd.conf.
Done in 1625289, thanks.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory, and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.