[samba] idmap question

[samba] idmap question

Samba - General mailing list
Hi all,

What is the real purpose of the following lines when using idmap-rid or
idmap-ad:

# Default idmap config for local BUILTIN accounts and groups
idmap config * : backend = tdb
idmap config * : range = 3000-7999

When using the next two lines

# idmap config for the SAMDOM domain
idmap config SAMDOM : backend = rid [or ad]
idmap config SAMDOM : range = 10000-999999


AD users will be in range 10000-999999, /etc/passwd would be in range
0-2999, what kind of users would be added in range 3000-7999?
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Re: [samba] idmap question

On Thu, 10 Aug 2017 11:44:26 +0200
mathias dufresne via samba <[hidden email]> wrote:

> Hi all,
>
> What is the real purpose if the following lines when using idmap-rid
> or idmap-ad:
>
> # Default idmap config for local BUILTIN accounts and groups
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
>
> When using the next two lines
>
> # idmap config for the SAMDOM domain
> idmap config SAMDOM : backend = rid [or ad]
> idmap config SAMDOM : range = 10000-999999
>
>
> AD users will be in range 10000-999999, /etc/passwd would be in range
> 0-2999, what kind of users would be added in range 3000-7999?

The '*' range is for the 'BUILTIN' users and groups (more info here:
https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems).

It is also used for trusted domains that do not have an idmap config
range set in smb.conf.

You can set the ID for a '*' user or group by giving it a uidNumber or
gidNumber; this moves it to the 'DOMAIN' range. The most usual one to
move is 'Domain Users'.

Rowland

Re: [samba] idmap question

Hai Mathias,

Type:  wbinfo --all-domains

You should see 3 domain names.

BUILTIN => idmap config *
HOSTNAME => ? Don't know where this one maps to.
NTDOM => idmap config NTDOM

For example (for Debian) I use the following. I use it as follows:

    ## map IDs outside the NT domain to tdb files.
    idmap config *: backend = tdb
    idmap config *: range = 2000-2999

    ## map IDs from the domain; this range and the (*) range may not overlap!
    idmap config NTDOM : backend = ad
    idmap config NTDOM : schema_mode = rfc2307
    idmap config NTDOM : range = 10000-3999999

And I think, but I have never used it, that you can match the hostname also.
Like:
    idmap config HOSTNAME : backend = tdb
    idmap config HOSTNAME : range = 3000-9999
But I can't confirm that the "HOSTNAME" part is 100% correct.

ID 0-1999      local Linux users; 0-999 for system users (this can differ on another OS)
2000-2999      BUILTIN\...    (example: BUILTIN\Administrators)
3000-9999      HOSTNAME\ ?
10000-99999    NTDOM\users    I start here at 10.000 because the Samba AD backend also starts at 10.000.

Now "NTDOM\Domain Admins" is a member of BUILTIN\Administrators
and "NTDOM\Domain Users" is a member of BUILTIN\Users.

SePrivileges should be set on BUILTIN\Administrators, and not, as most examples show, on "Domain Admins".
Because of this you should always set: winbind expand groups = 2
But I prefer winbind expand groups = 4
Backtrace, for example, everything backup related and see which groups are used and which SePrivileges you should set.

For me this has advantages, like:
restricting logins based on Linux and Windows groups/users, or on uid/gid ranges,
and, for me, more flexibility in the use of winbind or LDAP things.

(an example, sshd_config: AllowGroups linuxsshgroup winsshgroup)
* Note: for this, the user and group MUST have a gid.
This also matches PAM restrictions better; Kerberos has a minimum of uid=1000.

For RID it's the same, but see the AD/RID advantages and disadvantages also.

Hope this helps a bit.


Greetz,

Louis


> -----Original message-----
> From: samba [mailto:[hidden email]] On behalf of
> mathias dufresne via samba
> Sent: Thursday 10 August 2017 11:44
> To: samba
> Subject: [Samba] [samba] idmap question
>
> Hi all,
>
> What is the real purpose if the following lines when using
> idmap-rid or
> idmap-ad:
>
> # Default idmap config for local BUILTIN accounts and groups
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
>
> When using the next two lines
>
> # idmap config for the SAMDOM domain
> idmap config SAMDOM : backend = rid [or ad]
> idmap config SAMDOM : range = 10000-999999
>
>
> AD users will be in range 10000-999999, /etc/passwd would be
> in range 0-2999, what kind of users would be added in range 3000-7999?
>


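The two points made so far, that SIDs from BUILTIN and from trusted domains without their own block fall back to the `idmap config *` range (Rowland), and that the `*` range, each domain range and the local /etc/passwd IDs must never overlap (Louis), can be checked mechanically before winbind is restarted. The following is an added example, not Samba's own code and not from any poster in this thread: it parses the `idmap config` lines of two constructed smb.conf fragments (one good, one deliberately overlapping), reports which block each domain name from `wbinfo --all-domains` would be served by, and lists the range collisions. The local range `0-1999` is assumed from Louis's layout; the fragments and the function names are mine.

```python
"""
Added example (not Samba's own code): parse the 'idmap config' lines from
an smb.conf, show which block winbind would use for each domain that
'wbinfo --all-domains' lists (own block, else the '*' fallback that also
serves BUILTIN and trusted domains), and check that no two ranges overlap,
including the local /etc/passwd range that idmap must stay clear of.
"""
import re
from typing import Dict, List, Tuple

# Constructed smb.conf fragment using the domain name and ranges from the
# thread; not copied from a real host.
GOOD_SMB_CONF = """
[global]
    workgroup = NTDOM
    security = ADS
    ## map IDs outside the NT domain to tdb files
    idmap config *: backend = tdb
    idmap config *: range = 2000-2999
    ## map IDs from the domain; ranges may not overlap
    idmap config NTDOM : backend = ad
    idmap config NTDOM : schema_mode = rfc2307
    idmap config NTDOM : range = 10000-3999999
"""

# Constructed broken variant: the '*' range collides with local users
# (0-1999) and with the domain range.
BAD_SMB_CONF = """
[global]
    idmap config * : backend = tdb
    idmap config * : range = 1000-2999
    idmap config NTDOM : backend = rid
    idmap config NTDOM : range = 2500-999999
"""

IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+?)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>\S.*?)\s*$",
    re.IGNORECASE,
)

# Assumed local /etc/passwd and /etc/group range (Louis's layout in the thread).
LOCAL_RANGE = (0, 1999)


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Return {DOMAIN: {key: value}} for every 'idmap config' line."""
    out: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            out.setdefault(m["dom"].upper(), {})[m["key"].lower()] = m["val"]
    return out


def parse_range(text: str) -> Tuple[int, int]:
    """'10000-3999999' -> (10000, 3999999); reject inverted ranges."""
    lo, hi = (int(x) for x in text.split("-", 1))
    if lo > hi:
        raise ValueError(f"inverted idmap range {text!r}")
    return lo, hi


def idmap_block_for(domain: str, idmap: Dict[str, Dict[str, str]]) -> str:
    """Block that maps SIDs from `domain`: its own if configured, else '*'."""
    return domain.upper() if domain.upper() in idmap else "*"


def find_overlaps(idmap: Dict[str, Dict[str, str]],
                  local: Tuple[int, int] = LOCAL_RANGE) -> List[Tuple[str, str]]:
    """Pairs of ranges that intersect; 'LOCAL' stands for /etc/passwd IDs."""
    ranges = {"LOCAL": local}
    for dom, keys in idmap.items():
        if "range" in keys:
            ranges[dom] = parse_range(keys["range"])
    names = sorted(ranges)
    clashes = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:      # closed intervals intersect
                clashes.append((a, b))
    return clashes


if __name__ == "__main__":
    for label, conf in (("good", GOOD_SMB_CONF), ("bad", BAD_SMB_CONF)):
        idmap = parse_idmap(conf)
        print(f"[{label}]")
        for dom in ("BUILTIN", "NTDOM", "TRUSTED1"):   # names as wbinfo would list them
            print(f"  {dom:9s} -> idmap config {idmap_block_for(dom, idmap)}")
        print("  overlaps:", find_overlaps(idmap) or "none")
```

Run it against a real file by reading smb.conf into `parse_idmap` instead of the embedded fragments; any pair reported by `find_overlaps` means two objects can be handed the same Unix ID, which is exactly the situation the posters warn against.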
Re: [samba] idmap question

On Thu, 10 Aug 2017 12:19:36 +0200
"L.P.H. van Belle via samba" <[hidden email]> wrote:

> Hai Mathias,
>
> Type:  wbinfo --all-domains
>
> You should see 3 domainnames.
>
> BUILTIN => idmap config *
> HOSTNAME => ? Dont know where this one maps to.
> NTDOM => idmap config NTDOM

On a Unix domain member, I get 4

BUILTIN
HOSTNAME
NTDOM
EXAMPLE

I have no idea where 'EXAMPLE' comes from, I have never set up any
smb.conf that contains 'workgroup = EXAMPLE' on the Unix domain member.

>
> I use for example ( for debian ) the following.
> I use this as followed.
>  
>     ## map id's outside to NT domain to tdb files.
>     idmap config *: backend = tdb
>     idmap config *: range = 2000-2999
>
>     ## map ids from the domain and (*) the range may not overlap !
>     idmap config NTDOM : backend = ad
>     idmap config NTDOM : schema_mode = rfc2307
>     idmap config NTDOM : range = 10000-3999999
>
> And i think, but i never use that you can match the hostname also.
> Like,    
> idmap config HOSTNAME : backend = tdb
>       idmap config HOSTNAME : range = 3000-9999
> ! But I cant confirm about the "HOSTNAME" part if thats 100% correct.

It probably would work, but I have never tried it.

>
> Id 0-1999   (local linux users) 0-999 for system users (*this can
> differ on an other os. )
> 2000-2999 BUILDIN\......   ( example is BUILDIN\administrators)
> 3000-9999 HOSTNAME\ ?
> 10000-99999 NTDOM\users  i start here at 10.000 because samba
> backend AD starts also at 10.000.
>
> Now "NTDOM\Domain Admins" is member of : BUILDIN\administrators
> And "NTDOM\Domain users" is member of : BUILDIN\users
>
> SePrivileges should be set on : BUILDIN\administrators, and not as
> most examples show "domain admins" And because of this you should
> always set : winbind expand groups = 2 But I preffer winbind expand
> groups = 4 Backtrace for example very thing backup related and see
> which groups are used and with SePrivileges you should set.

Never tried this, but you are quite correct, you should NEVER give
'Domain Admins' a gidNumber. I do it another way: I create a group
'Unix Admins', give this group a gidNumber and add this to 'Domain
Admins'.

Rowland

Re: [samba] idmap question

Thank you both for these replies.

Here, at work, "wbinfo --all-domains" gave 5 lines. Let's call MAINDOM the
domain my Samba member is joined to and TRUSTED1 and TRUSTED2 the two
other domains related by a trust relationship; the result is:

# wbinfo --all-domains
BUILTIN
HOSTNAME -> /etc/passwd & /etc/group (I think, words below about this)
MAINDOM
TRUSTED1
TRUSTED2

For me HOSTNAME is for users from /etc/passwd added with "smbpasswd -a". I
think that (and can't test yet until I'm back home, but I won't have time to
verify that @home for the next days) because, as far as I remember, when using
"smbpasswd -a someLocalUser" there is no id mapping; the UID used is the
real one of this someLocalUser. I think that's why both ranges declared with
idmap directives must not overlap UIDs/GIDs from /etc/passwd and /etc/group.




2017-08-10 12:51 GMT+02:00 Rowland Penny via samba <[hidden email]>:

> On Thu, 10 Aug 2017 12:19:36 +0200
> "L.P.H. van Belle via samba" <[hidden email]> wrote:
>
> > Hai Mathias,
> >
> > Type:  wbinfo --all-domains
> >
> > You should see 3 domainnames.
> >
> > BUILTIN       => idmap config *
> > HOSTNAME      => ? Dont know where this one maps to.
> > NTDOM         => idmap config NTDOM
>
> On a Unix domain member, I get 4
>
> BUILTIN
> HOSTNAME
> NTDOM
> EXAMPLE
>
> I have no idea where 'EXAMPLE' comes from, I have never set up any
> smb.conf that contains 'workgroup = EXAMPLE' on the Unix domain member.
>
>
Perhaps, as here where there is a trust relationship, your EXAMPLE comes from
an old trust test you made?


> >
> > I use for example ( for debian ) the following.
> > I use this as followed.
> >
> >     ## map id's outside to NT domain to tdb files.
> >     idmap config *: backend = tdb
> >     idmap config *: range = 2000-2999
> >
> >     ## map ids from the domain and (*) the range may not overlap !
> >     idmap config NTDOM : backend = ad
> >     idmap config NTDOM : schema_mode = rfc2307
> >     idmap config NTDOM : range = 10000-3999999
> >
> > And i think, but i never use that you can match the hostname also.
> > Like,
> >       idmap config HOSTNAME : backend = tdb
> >       idmap config HOSTNAME : range = 3000-9999
> > ! But I cant confirm about the "HOSTNAME" part if thats 100% correct.
>
> It probably would work, but I have never tried it.
>

As I said above, I think the "HOSTNAME" domain from wbinfo --all-domains is
for users and groups from local files (/etc/passwd and /etc/group). As
already said, I could be wrong.


>
> >
> > Id 0-1999   (local linux users) 0-999 for system users (*this can
> > differ on an other os. )
> > 2000-2999    BUILDIN\......   ( example is BUILDIN\administrators)
> > 3000-9999  HOSTNAME\ ?
> > 10000-99999   NTDOM\users  i start here at 10.000 because samba
> > backend AD starts also at 10.000.
> >
> > Now "NTDOM\Domain Admins" is member of : BUILDIN\administrators
> > And "NTDOM\Domain users" is member of : BUILDIN\users
> >
> > SePrivileges should be set on : BUILDIN\administrators, and not as
> > most examples show "domain admins" And because of this you should
> > always set : winbind expand groups = 2 But I preffer winbind expand
> > groups = 4 Backtrace for example very thing backup related and see
> > which groups are used and with SePrivileges you should set.
>
> Never tried this, but you are quite correct, you should NEVER give
> 'Domain Admins' a gidNumber. I do it another way, I create a group
> 'Unix Admins', give this group a gidNumber and add this to 'Domain
> Admins'
>

I don't follow you both on that. I mean I don't understand what the issue
could be.

And using idmap-rid it is just impossible (according to my little knowledge
of Samba) to avoid giving a UID or GID: if a user or group exists, it will
have a UID or GID computed as the object's RID + the low number of the domain
range from the "idmap config" line.

So if there is some issue with giving "domain admins" a GID, I'd be glad
to understand it ;)


>
> Rowland
>
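Mathias's last point, that under idmap_rid every object in the domain gets a Unix ID of "RID + low number of the domain range" whether you want it to or not, is easy to see by doing the arithmetic. The block below is an added example, not Samba's code and not from any poster in the thread: it applies that formula to constructed SIDs (the domain SID is made up; the range `10000-999999` is the one from the original question; the RIDs 500, 512 and 513 are the well-known ones for Administrator, Domain Admins and Domain Users). It also shows the two cases where the domain's rid block produces no ID at all, which is what turns a working login into "no mapping" errors: a SID from another domain such as BUILTIN, which belongs to the `*` block instead, and a RID large enough to push the ID past the top of the range. Function names are mine.

```python
"""
Added example (not Samba's own code): the idmap_rid arithmetic described in
the thread, ID = low end of the domain range + RID, applied to constructed
SIDs. It also shows the two cases where rid yields no ID at all: a SID from
another domain (BUILTIN, a trust) that belongs to a different idmap block,
and a RID that pushes the ID past the top of the range.
"""
from typing import Optional, Tuple

# Constructed domain SID (not a real domain); range from the thread.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
DOMAIN_RANGE = (10000, 999999)

# Well-known RIDs for the objects discussed in the thread.
WELL_KNOWN_RIDS = {"Administrator": 500, "Domain Admins": 512, "Domain Users": 513}


def split_sid(sid: str) -> Tuple[str, int]:
    """'S-1-5-21-a-b-c-512' -> ('S-1-5-21-a-b-c', 512)."""
    if not sid.startswith("S-1-"):
        raise ValueError(f"not a SID: {sid!r}")
    prefix, _, rid = sid.rpartition("-")
    return prefix, int(rid)


def rid_to_id(sid: str, domain_sid: str = DOMAIN_SID,
              rng: Tuple[int, int] = DOMAIN_RANGE) -> Optional[int]:
    """Unix ID idmap_rid assigns for `sid`, or None when this block does not
    map it (foreign domain, or RID beyond the range -> winbind has no ID)."""
    prefix, rid = split_sid(sid)
    if prefix != domain_sid:
        return None
    lo, hi = rng
    unix_id = lo + rid
    return unix_id if unix_id <= hi else None


def id_to_sid(unix_id: int, domain_sid: str = DOMAIN_SID,
              rng: Tuple[int, int] = DOMAIN_RANGE) -> Optional[str]:
    """Reverse mapping; None when the ID lies outside this domain's range."""
    lo, hi = rng
    if not lo <= unix_id <= hi:
        return None
    return f"{domain_sid}-{unix_id - lo}"


if __name__ == "__main__":
    for name, rid in WELL_KNOWN_RIDS.items():
        print(f"{name:14s} RID {rid:4d} -> ID {rid_to_id(f'{DOMAIN_SID}-{rid}')}")
    print("BUILTIN\\Administrators ->", rid_to_id("S-1-5-32-544"))       # None: '*' block
    print("RID 990000             ->", rid_to_id(f"{DOMAIN_SID}-990000"))  # None: past range
```

The second `None` case is worth sizing a range for: with `10000-999999` the highest mappable RID is 989999, so a domain that has issued more RIDs than that will have users winbind cannot resolve, and the symptom looks like a permissions fault rather than a configuration one.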