Avoiding uid conflicts between rfc2307 user/groups and computers

Avoiding uid conflicts between rfc2307 user/groups and computers

Samba - General mailing list
Hi Samba team!

I have some conflicts between uids stored in the rfc2307 attributes and
some local uids from idmap.ldb.

My network:
------------------
I have three Samba AD DCs with sysvol replication. Sadly, as I don't
have any other machines, the three DCs also share my users' Home and
Profile directories. So I need at least:
-> Builtin User/Group ID mapping between DCs (easy)
-> Domain User/Group ID mapping between DCs
-> Computer IDs that do not conflict with the other IDs
(computer accounts are not used on the shares)


How I currently do it:
---------------------------
I don't use ADUC. So to create a new user:
-> I use the samba-tool command, always on the same DC (say DC1).
-> One local xidNumber is generated in idmap.ldb.
-> So I take the xidNumber and put it in the rfc2307 uidNumber attribute.

I do the same for creating groups.

The problem comes with the computer accounts of Windows machines.
Because the accounts are created from the clients, I have no control over
the ID generation.


How the problem appears:
-----------------------------------
-> I create a user "myuser" on DC1.
-> A local xidNumber = 3000025 (for example) is created locally and
copied to the rfc2307 attributes.
-> On the other DCs, there is no local xidNumber for "myuser" because
the rfc2307 attribute is already set.
-> Next I join a new Windows computer to the domain.
-> On DC1, no problem: the local xidNumber prevents a conflict with the
newly created machine's local ID.
-> But on DC2, sometimes a local xidNumber of 3000025 (like myuser)
is allocated for the new computer and myuser sometimes loses access
to the shares (sometimes winbind says that the files are owned by
"myuser", sometimes it says that they are owned by the machine).

Is there a way to tell Samba to use different ranges for user/group
xidNumbers and computer xidNumbers?

Does someone have an idea how to solve my problem?

Thanks!

Baptiste.

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Re: Avoiding uid conflicts between rfc2307 user/groups and computers

Samba - General mailing list
On Fri, 12 Jan 2018 14:23:36 +0100
Prunk Dump via samba <[hidden email]> wrote:

> Hi Samba team!
>
> I have some conflicts between uids stored in the rfc2307 attributes and
> some local uids from idmap.ldb.
>
> My network:
> ------------------
> I have three Samba AD DCs with sysvol replication. Sadly, as I don't
> have any other machines, the three DCs also share my users' Home and
> Profile directories. So I need at least:
> -> Builtin User/Group ID mapping between DCs (easy)
> -> Domain User/Group ID mapping between DCs
> -> Computer IDs that do not conflict with the other IDs
> (computer accounts are not used on the shares)
>
>
> How I currently do it:
> ---------------------------
> I don't use ADUC. So to create a new user:
> -> I use the samba-tool command, always on the same DC (say DC1).
> -> One local xidNumber is generated in idmap.ldb.
> -> So I take the xidNumber and put it in the rfc2307 uidNumber
> attribute.
>
> I do the same for creating groups.
>
> The problem comes with the computer accounts of Windows machines.
> Because the accounts are created from the clients, I have no control over
> the ID generation.
>
>
> How the problem appears:
> -----------------------------------
> -> I create a user "myuser" on DC1.
> -> A local xidNumber = 3000025 (for example) is created locally and
> copied to the rfc2307 attributes.
> -> On the other DCs, there is no local xidNumber for "myuser" because
> the rfc2307 attribute is already set.
> -> Next I join a new Windows computer to the domain.
> -> On DC1, no problem: the local xidNumber prevents a conflict with the
> newly created machine's local ID.
> -> But on DC2, sometimes a local xidNumber of 3000025 (like myuser)
> is allocated for the new computer and myuser sometimes loses access
> to the shares (sometimes winbind says that the files are owned by
> "myuser", sometimes it says that they are owned by the machine).
>
> Is there a way to tell Samba to use different ranges for user/group
> xidNumbers and computer xidNumbers?
>
> Does someone have an idea how to solve my problem?
>
> Thanks!
>
> Baptiste.
>

Why do you feel you have to have a Unix ID for a computer?

Also, using the xidNumber for the rfc2307 ID isn't a good idea,
partially for the reason you have found. The contents of idmap.ldb on
different DCs are highly likely to be different unless you sync
idmap.ldb from the first DC to all others.

Rowland

Re: Avoiding uid conflicts between rfc2307 user/groups and computers

Samba - General mailing list
On 2018-01-12 at 14:23 +0100 Prunk Dump via samba sent off:
> I have some conflicts between uid stored in the rfc2307 attributes and
> some local uid from idmap.ldb

You should not set up any share except for the default sysvol/netlogon shares on
the AD DC. If you have no other machine available, you can set up a member
server for file shares in an lxc container on the same physical machine while
still having it logically separated from the DC. The problem with missing posix
IDs exists because these days Windows clients occasionally work with their
machine account instead of the connecting user account. One option is to assign
rfc2307 attributes for all the machine accounts, too. The other option is
to avoid using rfc2307 idmapping altogether and not use idmap ad on the
member server but idmap rid or idmap autorid instead; that
will work reliably for any user even when no uidNumber/gidNumber attributes have
been assigned.

Björn
--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:[hidden email]

Re: Avoiding uid conflicts between rfc2307 user/groups and computers

Samba - General mailing list
Hello! Björn JACKE via samba
  said, that day...

> machine account instead of the connecting user account. One option is to assign
> rfc2307 attributes also for all the machine accounts, too. The other option is

Any drawbacks to that? Apart, clearly, from the management cost of assigning
a UID to machine accounts?

Clearly, the 'Domain Computers' group also has to get assigned a GID,
right?


Thanks.

--
dott. Marco Gaiarin        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

                Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
        (tax code 00307430132, category ONLUS or HEALTH RESEARCH)

Re: Avoiding uid conflicts between rfc2307 user/groups and computers

Samba - General mailing list
On Fri, 12 Jan 2018 17:15:44 +0100
Marco Gaiarin via samba <[hidden email]> wrote:

> Hello! Björn JACKE via samba
>   said, that day...
>
> > machine account instead of the connecting user account. One option
> > is to assign rfc2307 attributes also for all the machine accounts,
> > too. The other option is
>
> Any drawbacks to that? Apart, clearly, from the management cost of
> assigning a UID to machine accounts?

Not really a problem, a computer account is just a user account with
another objectclass.

>
> Clearly, the 'Domain Computers' group also has to get assigned a GID,
> right?

Yes.

The question is, do you need to do this ? Will a computer own anything
on a Unix machine ?

Rowland

Re: Avoiding uid conflicts between rfc2307 user/groups and computers

Samba - General mailing list
On 2018-01-12 at 16:24 +0000 Rowland Penny via samba sent off:
> > Clearly, the 'Domain Computers' group also has to get assigned a GID,
> > right?
>
> Yes.
>
> The question is, do you need to do this ? Will a computer own anything
> on a Unix machine ?

It's not a question of whether it owns anything. It's enough that the machine
uses the machine account during the tree connect to make it fail without a
corresponding posix account.

Björn

Re: Avoiding uid conflicts between rfc2307 user/groups and computers

Samba - General mailing list
On Fri, 12 Jan 2018 17:42:44 +0100
Björn JACKE via samba <[hidden email]> wrote:

> On 2018-01-12 at 16:24 +0000 Rowland Penny via samba sent off:
> > > Clearly, the 'Domain Computers' group also has to get assigned a
> > > GID, right?
> >
> > Yes.
> >
> > The question is, do you need to do this ? Will a computer own
> > anything on a Unix machine ?
>
> It's not a question of whether it owns anything. It's enough that the
> machine uses the machine account during the tree connect
> to make it fail without a corresponding posix account.
>
> Björn

Surely the authentication of choice would be kerberos and this wouldn't
require a posix account.

Rowland

Re: Avoiding uid conflicts between rfc2307 user/groups and computers

Samba - General mailing list
On 2018-01-12 at 16:56 +0000 Rowland Penny sent off:
> Surely the authentication of choice would be kerberos and this wouldn't
> require a posix account.

Rowland, you sound very confident, but still that doesn't make it right. The
posix account needs to exist for smbd to be able to switch to the context of
the connecting (computer) user. This is not a matter of the authentication
mechanism.

Björn

Re: Avoiding uid conflicts between rfc2307 user/groups and computers

Samba - General mailing list
On Fri, 12 Jan 2018 18:14:05 +0100
Björn JACKE via samba <[hidden email]> wrote:

> On 2018-01-12 at 16:56 +0000 Rowland Penny sent off:
> > Surely the authentication of choice would be kerberos and this
> > wouldn't require a posix account.
>
> Rowland, you sound very confident, but still that doesn't make it
> right. The posix account needs to exist for smbd to be able to switch
> to the context of the connecting (computer) user. This is not a
> matter of the authentication mechanism.
>
> Björn

As far as I am aware, the client connects to a DC to authenticate a
user and before the user is authenticated, the client is checked to see
if it is a domain member. The method of choice for the computer
authentication is kerberos, this does not require posix attributes.

I am not disputing what you say, I am just asking for concrete proof
that a computer account MUST have a uidNumber account.

Rowland

Re: Avoiding uid conflicts between rfc2307 user/groups and computers

Samba - General mailing list
Thank you very much for your help!!

The problem is that I need a way to create the ID numbers without
overwriting the previous ones, as I don't use ADUC but shell scripts.
This is why I use the xidNumber generation (on one specific DC) that
takes care of that. This idea is not from me; it was used a long time ago
by a Spanish IT person who often comes here ;) (but his method has changed
maybe ....)

Is there a way built into Samba to do it? Because, as my shares are
also exported with NFSv4, I need consistent id mapping between Samba
and NFS. This also helps backing up files because they can be restored
on any file server by saving the ACLs and xattrs.

Do you think it is a good idea to assign to rfc2307 the xidNumber +
100000 to avoid idmap.ldb overwriting the ID?

But there is still a problem for computer accounts. Does there exist an
automatic way to assign uidNumbers to computers when joining the
domain?

Thanks again!

Baptiste.


2018-01-12 18:27 GMT+01:00 Rowland Penny via samba <[hidden email]>:

> On Fri, 12 Jan 2018 18:14:05 +0100
> Björn JACKE via samba <[hidden email]> wrote:
>
>> On 2018-01-12 at 16:56 +0000 Rowland Penny sent off:
>> > Surely the authentication of choice would be kerberos and this
>> > wouldn't require a posix account.
>>
>> Rowland, you sound very confident, but still that doesn't make it
>> right. The posix account needs to exist for smbd to be able to switch
>> to the context of the connecting (computer) user. This is not a
>> matter of the authentication mechanism.
>>
>> Björn
>
> As far as I am aware, the client connects to a DC to authenticate a
> user and before the user is authenticated, the client is checked to see
> if it is a domain member. The method of choice for the computer
> authentication is kerberos, this does not require posix attributes.
>
> I am not disputing what you say, I am just asking for concrete proof
> that a computer account MUST have a uidNumber account.
>
> Rowland

Re: Avoiding uid conflicts between rfc2307 user/groups and computers

Samba - General mailing list
On Fri, 12 Jan 2018 21:01:57 +0100
Prunk Dump via samba <[hidden email]> wrote:

> Thank you very much for your help!!
>
> The problem is that I need a way to create the ID numbers without
> overwriting the previous ones, as I don't use ADUC but shell scripts.
> This is why I use the xidNumber generation (on one specific DC) that
> takes care of that. This idea is not from me; it was used a long time ago
> by a Spanish IT person who often comes here ;) (but his method has changed
> maybe ....)
>
> Is there a way built into Samba to do it? Because, as my shares are
> also exported with NFSv4, I need consistent id mapping between Samba
> and NFS. This also helps backing up files because they can be restored
> on any file server by saving the ACLs and xattrs.
>
> Do you think it is a good idea to assign to rfc2307 the xidNumber +
> 100000 to avoid idmap.ldb overwriting the ID?

The problem is, you are thinking in the wrong direction ;-)
If you give a user a uidNumber, or a group a gidNumber, these will be
used instead of the xidNumbers found in idmap.ldb; you do not need to
alter idmap.ldb at all.
The way ADUC works is by using a couple of attributes that, by default,
Samba AD doesn't have. These are 'msSFU30MaxUidNumber' &
'msSFU30MaxGidNumber' and they hold the next uidNumber & gidNumber.
They should be in:
dn: CN=samdom,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com

Where 'samdom' is your lowercase workgroup and
'DC=samdom,DC=example,DC=com' is your realm/dns domain.

If you can write scripts, I am sure you can figure out how to use
them ;-)
If not, contact me off list and I will provide a sample.

>
> But there is still a problem for computer accounts. Is there exist a
> automatic way to assign uidNumbers to computers when joining to the
> domain ?
>

Not when the computer is joined (as far as I am aware), but you may be
able to pre-create the computers object (with uidNumber) before the
join, but I have never tried it.

Rowland

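A sketch of what Rowland's last reply suggests, added here as an example that is not code from the thread or from Samba itself: a POSIX shell script that takes the next number from the msSFU30MaxUidNumber / msSFU30MaxGidNumber counters and stamps it on a user, group or computer account, replacing the xidNumber copying described in the first post. It assumes ldbsearch/ldbmodify are installed on the DC, that the ypServ30 counter object at the DN Rowland gives already exists with those attributes, and that the script only ever runs on one DC; SAM_LDB, WORKGROUP and BASE_DN are placeholders to adjust.

```shell
#!/bin/sh
# Added example, not from the thread: allocate IDs from the msSFU30Max* counters
# that ADUC uses (Rowland's reply) instead of copying xidNumbers from idmap.ldb.
# Assumes ldb-tools on the DC, the ypServ30 counter object already exists, and
# the script only ever runs on one DC (DC1 in the thread), never on two at once.
SAM_LDB="${SAM_LDB:-/var/lib/samba/private/sam.ldb}"
WORKGROUP="${WORKGROUP:-samdom}"                   # lowercase workgroup
BASE_DN="${BASE_DN:-DC=samdom,DC=example,DC=com}"  # realm / dns domain
counter_dn() {
    printf 'CN=%s,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,%s\n' "$WORKGROUP" "$BASE_DN"
}
# LDIF that moves the counter from $2 to $2+1 only if it still holds $2: ldb
# rejects a "delete" of a value that is gone, so two scripts on the same DC
# that read the same value cannot both be handed that number.
bump_counter_ldif() {   # $1 = counter attribute, $2 = value just read from it
cat <<EOF
dn: $(counter_dn)
changetype: modify
delete: $1
$1: $2
-
add: $1
$1: $(( $2 + 1 ))
-
EOF
}
# LDIF that stamps the number on the account ($3 = uidNumber for users and
# computer accounts, gidNumber for groups such as 'Domain Computers').
stamp_ldif() {   # $1 = object DN, $2 = number, $3 = attribute to set
cat <<EOF
dn: $1
changetype: modify
replace: $3
$3: $2
-
EOF
}
# allocate_id msSFU30MaxUidNumber myuser uidNumber   -> prints the number used
allocate_id() {   # $1 = counter attribute, $2 = sAMAccountName, $3 = attribute
    dn=$(ldbsearch -H "$SAM_LDB" "(sAMAccountName=$2)" dn | sed -n 's/^dn: //p')
    [ -n "$dn" ] || { echo "no account named $2" >&2; return 1; }
    for _try in 1 2 3; do   # retry when the counter moved between read and bump
        cur=$(ldbsearch -H "$SAM_LDB" -b "$(counter_dn)" -s base '(objectClass=*)' "$1" |
              sed -n "s/^$1: //p")
        case $cur in ''|*[!0-9]*) break ;; esac   # counter missing: no ypServ30 object
        bump_counter_ldif "$1" "$cur" | ldbmodify -H "$SAM_LDB" >/dev/null 2>&1 || continue
        stamp_ldif "$dn" "$cur" "$3" | ldbmodify -H "$SAM_LDB" >/dev/null && echo "$cur" && return 0
    done
    echo "could not allocate $3 for $2" >&2; return 1
}
```

ldbsearch folds output lines longer than 80 columns, so the DN extraction above assumes the account's DN fits on one line. For a group, call it as `allocate_id msSFU30MaxGidNumber 'Domain Computers' gidNumber`.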