Bug 41396 - Test site specific sambaHomePath for ou-overlapping user accounts
Status: CLOSED WONTFIX
Product: UCS@school
Classification: Unclassified
Component: Documentation
UCS@school 4.1 R2
Other Linux
: P5 normal (vote)
: ---
Assigned To: UCS@school maintainers
:
Depends on: 41210 41482
Blocks: 49678
Reported: 2016-05-31 21:42 CEST by Sönke Schwardt-Krummrich
Modified: 2023-06-12 15:39 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 2: Improvement: Would be a product improvement
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 1: Nuisance – not a big deal but noticeable
User Pain: 0.034
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2017121321000294
Bug group (optional):
Max CVSS v3 score:


Attachments
host_record_override.diff (2.05 KB, patch)
2016-06-02 17:48 CEST, Arvid Requate

Description Sönke Schwardt-Krummrich univentionstaff 2016-05-31 21:42:06 CEST
(In reply to Sönke Schwardt-Krummrich from comment #0)
>   → if the customer wants e.g. a per OU-specific home directory, they have
>     to do manual steps: e.g. create an import hook, setting school-specific 
>     DNS entries via S4 connector and so on

This scenario has to be tested.



+++ This bug was initially created as a clone of Bug #41210 +++

There should be a new chapter documenting the pros and cons of ou-overlapping user accounts. 

There are some topics that have to be mentioned explicitly:
1) handling of sambaHomePath
  → there will be one static default in UCS@school
  → if the customer wants e.g. a per OU-specific home directory, they have to do
    manual steps: e.g. create an import hook, setting school-specific DNS entries 
    via S4 connector and so on

To be continued
Comment 1 Sönke Schwardt-Krummrich univentionstaff 2016-05-31 21:52:13 CEST
Rough setup steps for samba4: 

1) ucr set ucsschool/import/set/sambahome=schoolserver
After setting this variable, all newly imported users should use the following sambaHomePath: "\\schoolserver\USERNAME". Existing user objects are not altered!

2) On each school server execute 
eval "$(ucr shell)"
ucr set \
 connector/s4/mapping/dns/forward_zone/schoolserver.$domainname/static/ipv4=\
   "$interfaces_eth0_address"

3) create DNS forward zone entry "schoolserver" pointing to a valid IP address (e.g. the IP address of the DC master). This might be used in a scenario that uses a central fileserver for all users. In this case perform only steps 1) and 3) :-)

4) ucr set samba/netbios/aliases=schoolserver
   invoke-rc.d samba restart

All school servers should now resolve "schoolserver.$domainname" to their local IP address, whereas all other DNS servers should resolve the FQDN to the IP address defined in step 3).
Comment 2 Arvid Requate univentionstaff 2016-06-02 17:48:41 CEST
Created attachment 7716 [details]
host_record_override.diff

Basically this works, at least for NTLM authentication (kerberos not, see below). The forward_zone override is a bit of a hack, as it creates a forward_zone object with name "schoolserver.$domainname".


The attached patch introduces a new UCR variable set to allow overriding of DNS host_record (ipv4 and ipv6). I guess that is a cleaner approach. With the attached patch the setup was like this:


root@master10:~# ucr set ucsschool/import/set/sambahome=schoolserver
root@master10:~# /usr/share/ucs-school-import/scripts/ucs-school-create-dummy-users school1 > 1
root@master10:~# /usr/share/ucs-school-import/scripts/ucs-school-import 1


root@master10:~# ucr set "connector/s4/mapping/dns/host_record/schoolserver.$domainname/static/ipv4"=10.200.8.12

root@master10:~# service univention-s4-connector restart

root@master10:~# udm dns/host_record create \
     --superordinate "zoneName=ar41i1.qa,cn=dns,$ldap_base" \
     --set name=schoolserver \
     --set a=10.200.8.10

root@master10:~# host schoolserver
schoolserver.ar41i1.qa has address 10.200.8.10

root@slave12:~# host schoolserver
schoolserver.ar41i1.qa has address 10.200.8.12


root@slave12:~# kinit g.lehmann1
g.lehmann1@AR41I1.QA's Password:

root@slave12:~# smbclient -k //schoolserver.ar41i1.qa/sysvol -c quit
gss_init_sec_context failed with [ Miscellaneous failure (see text): Server (cifs/schoolserver.ar41i1.qa@AR41I1.QA) unknown]
SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR
Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR
session setup failed: NT_STATUS_INTERNAL_ERROR

root@slave12:~# smbclient //schoolserver.ar41i1.qa/sysvol \
                   -Ug.lehmann1%univention -c quit
Domain=[AR41I1] OS=[Windows 6.1] Server=[Samba 4.3.7-Debian]
Comment 3 Arvid Requate univentionstaff 2016-06-06 20:31:35 CEST
Kerberos access to the CIFS service on schoolserver.$domainname can be enabled by attaching the appropriate service principal name to the machine account of the UCS@school Slave PDC:

eval "$(ucr shell)"
samba-tool spn add "cifs/schoolserver.$domainname" "$hostname$"
Comment 4 Arvid Requate univentionstaff 2016-06-13 10:32:20 CEST
Ok, tested, gave recommendations and fixed Bug 41482 for this, I guess that covers the scope of this bug, doesn't it?
Comment 5 Sönke Schwardt-Krummrich univentionstaff 2016-06-13 11:07:11 CEST
(In reply to Arvid Requate from comment #4)
> Ok, tested, gave recommendations and fixed Bug 41482 for this, I guess that
> covers the scope of this bug, doesn't it?

Yes, thx a lot. Converting this bug now into a bug against UCS@school manual.
Comment 6 Daniel Tröder univentionstaff 2016-07-06 08:09:32 CEST
Added text to the WIP import-tool-documentation (import-doku.odt document) in OXDrive.
Comment 7 Arvid Requate univentionstaff 2017-12-21 19:22:37 CET
The netbios alias seems to be crucial, at least in UCS 4.2 Samba. Somehow Samba calls the dfs_samba4 module also for normal shares (e.g. the user home share) and this returns NT_STATUS_INVALID_PARAMETER if the server name doesn't fit anything it knows.

So I think we need to add this in the documentation.

> 4) ucr set samba/netbios/aliases=schoolserver
>   invoke-rc.d samba restart

While apparently not strictly required for the Windows client currently, I would also suggest adding the schoolserver alias as servicePrincipalName to the machine account of the school server. That way, kerberized access works too for the alias:

> eval "$(ucr shell)"
> samba-tool spn add "cifs/schoolserver.$domainname" "$hostname$"
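Comments 1, 3 and 7 together name four pieces of per-site state that have to agree for the "schoolserver" alias to work: the DNS answer on the school server itself, the samba/netbios/aliases entry, the cifs/ SPN on the machine account, and the sambaHomePath the import writes. The following script is an added example for this thread, not UCS@school code and not the attached patch; it models that state for a few constructed school servers, reports which pieces are missing with the fix the thread gives, and recognises the "Server (...) unknown" Kerberos error from comment 2. Domain name, hostnames, addresses and SPN lists are constructed sample data.

```python
"""Consistency check for a site-specific Samba/DNS alias such as "schoolserver".

Added example for this bug thread (not UCS@school code). It models the state the
thread identifies and reports what is missing on each school server:
  1. on that site, the alias resolves to the school server's own address
  2. the alias is listed in samba/netbios/aliases on that server
  3. the machine account carries the SPN cifs/<alias>.<domain> (Kerberos)
  4. imported users get sambaHomePath \\<alias>\<username>
All hostnames, addresses and SPN lists below are constructed sample data.
"""
import re
from dataclasses import dataclass, field

ALIAS = "schoolserver"
DOMAIN = "example.test"  # constructed; stands in for $domainname
ALIAS_FQDN = f"{ALIAS}.{DOMAIN}"


@dataclass
class SchoolServer:
    hostname: str
    ip: str
    # what `host schoolserver` answers when run *on this server*
    local_dns_answer: str
    netbios_aliases: list = field(default_factory=list)
    spns: list = field(default_factory=list)


def check_server(srv: SchoolServer) -> dict:
    """Return {check_name: passed} for one school server."""
    wanted_spn = f"cifs/{ALIAS_FQDN}".lower()
    return {
        "dns_override_local": srv.local_dns_answer == srv.ip,
        "netbios_alias": ALIAS in srv.netbios_aliases,
        "kerberos_spn": wanted_spn in (s.lower() for s in srv.spns),
    }


def missing(srv: SchoolServer) -> list:
    """(check, remediation) pairs for every failed check, using the thread's commands."""
    fixes = {
        "dns_override_local":
            f"ucr set connector/s4/mapping/dns/host_record/{ALIAS_FQDN}/static/ipv4={srv.ip}",
        "netbios_alias": f"ucr set samba/netbios/aliases={ALIAS}",
        "kerberos_spn": f"samba-tool spn add cifs/{ALIAS_FQDN} {srv.hostname}$",
    }
    return [(name, fixes[name]) for name, ok in check_server(srv).items() if not ok]


def expected_samba_home_path(username: str) -> str:
    """Path the import writes once ucsschool/import/set/sambahome=schoolserver is set."""
    return f"\\\\{ALIAS}\\{username}"


# Matches the gss_init_sec_context failure shown in comment 2:
#   ... Server (cifs/schoolserver.example.test@EXAMPLE.TEST) unknown]
_SPN_UNKNOWN = re.compile(r"Server \((?P<spn>[^)@]+)@(?P<realm>[^)]+)\) unknown")


def spn_from_kerberos_error(stderr: str):
    """Return the service principal the KDC could not find, or None."""
    m = _SPN_UNKNOWN.search(stderr)
    return m.group("spn") if m else None


# Constructed sample: one fully configured school server, one with nothing set
# (its local resolver still answers with the central address).
SAMPLE_SERVERS = [
    SchoolServer("slave12", "10.200.8.12", "10.200.8.12",
                 ["schoolserver"], ["HOST/slave12", f"cifs/{ALIAS_FQDN}"]),
    SchoolServer("slave13", "10.200.8.13", "10.200.8.10",
                 [], ["HOST/slave13"]),
]

if __name__ == "__main__":
    for srv in SAMPLE_SERVERS:
        gaps = missing(srv)
        print(f"{srv.hostname}: {'ok' if not gaps else 'incomplete'}")
        for name, fix in gaps:
            print(f"  missing {name}: {fix}")
```

Run on a real domain, the three inputs per server come from `host schoolserver` executed on that server, `ucr get samba/netbios/aliases`, and `samba-tool spn list <hostname>$`; the pure functions above are kept separate from that collection so the logic can be checked offline.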
Comment 8 Arvid Requate univentionstaff 2017-12-21 19:34:48 CET
Side note: This schoolserver FQDN DNS alias may also be very useful for the authorization of automatic printer driver downloads (point'n'print, see Bug 43252#c5). Someone should actually test this and report if it's enough to allow printer driver download from this generic "schoolserver" FQDN (via GPO) to make it work for all UCS@school Samba/AD Slave PDCs and the Microsoft Windows clients joined to them. The Kerberos part might even come into play here (but then, probably not).
Comment 9 Michel Smidt 2017-12-21 21:45:42 CET
(In reply to Arvid Requate from comment #8)
> Side note: This schoolserver FQDN DNS alias may also be very useful for the
> authorization of automatic printer driver downloads (point'n'print, see Bug
> 43252#c5). Someone should actually test this and report if it's enough to
> allow printer driver download from this generic "schoolserver" FQDN (via
> GPO) to make it work for all UCS@school Samba/AD Slave PDCs and the
> Microsoft Windows clients joined to them. The Kerberos part might even come
> into play here (but then, probably not).

Indeed that would be very useful. I will ask one customer to verify.
Comment 10 Daniel Tröder univentionstaff 2018-09-19 10:25:52 CEST
This bug has a MS of 4.1, which is out of maintenance.
Is this bug still relevant?
Comment 11 Arvid Requate univentionstaff 2018-11-07 19:24:06 CET
Still an issue AFAIK. I removed the target milestone.
Comment 12 Michael Grandjean univentionstaff 2018-11-07 20:39:23 CET
Yes, funny enough I came across this today with a customer (UCS 4.3-2). Windows 7 was working fine, but Windows 10 (1803 and 1809) could not connect to sysvol and netlogon shares via the DNS alias.
It would be really helpful to have a clean approach in the product.
Comment 13 Daniel Tröder univentionstaff 2018-11-08 08:05:24 CET
I created a card in Trello in Ideas for prioritization.
Comment 14 Sönke Schwardt-Krummrich univentionstaff 2019-02-05 21:43:31 CET
This issue has been filed against UCS@school 4.1 (R2). The maintenance with
bug and security fixes for UCS@school 4.1 (R2) has ended on 5th of April 2018.

Customers still on UCS 4.1 are encouraged to update to UCS 4.3 (or later). 
Please contact your partner or Univention for any questions.

If this issue still occurs in newer UCS versions, please use "Clone this bug"
or simply reopen the issue. In this case please provide detailed information on
how this issue is affecting you.