Prunk Dump
2018-Jan-12 13:23 UTC
[Samba] Avoiding uid conflicts between rfc2307 user/groups and computers
Hi Samba team !

I have some conflicts between uids stored in the rfc2307 attributes and some local uids from idmap.ldb.

My network :
------------------
I have three Samba AD DCs with sysvol replication. Sadly, as I don't have any other machines, the three DCs also share my users' Home and Profile directories. So I need at least :
-> Builtin User/Group ID mapping between DCs (easy)
-> Domain User/Group ID mapping between DCs
-> Computer IDs that do not conflict with the other IDs (computer accounts are not used on the shares)

How I currently do it :
---------------------------
I don't use ADUC. So to create a new user :
-> I use the samba-tool command, always on the same DC (say DC1).
-> One local xidNumber is generated in idmap.ldb.
-> So I take the xidNumber and I put it in the rfc2307 uidNumber attribute.

I do the same for creating groups.

The problem comes with the computer accounts of Windows machines. Because the accounts are created from the clients, I have no control over the ID generation.

How the problem appears :
-----------------------------------
-> I create a user "myuser" on DC1.
-> A local xidNumber = 3000025 (for example) is created locally and copied to the rfc2307 attributes.
-> On the other DCs, there is no local xidNumber for "myuser" because the rfc2307 attribute is already set.
-> Next I join a new Windows computer to the Domain.
-> On DC1, no problem, the local xidNumber prevents a conflict with the newly created machine's local ID.
-> But on DC2, sometimes, a local xidNumber of 3000025 (like myuser) is allocated for the new computer and myuser sometimes loses access to the shares (sometimes winbind says that the files are owned by "myuser", sometimes it says that they are owned by the machine).

Is there a way to tell Samba to use different ranges for user/group xidNumber and computer xidNumber ?

Does someone have an idea how to solve my problem ?

Thanks !

Baptiste.
Rowland Penny
2018-Jan-12 14:00 UTC
[Samba] Avoiding uid conflicts between rfc2307 user/groups and computers
On Fri, 12 Jan 2018 14:23:36 +0100
Prunk Dump via samba <samba at lists.samba.org> wrote:

> Hi Samba team !
>
> I have some conflicts between uids stored in the rfc2307 attributes and
> some local uids from idmap.ldb
>
> My network :
> ------------------
> I have three Samba AD DCs with sysvol replication. Sadly, as I don't
> have any other machines, the three DCs also share my users' Home and
> Profile directories. So I need at least :
> -> Builtin User/Group ID mapping between DCs (easy)
> -> Domain User/Group ID mapping between DCs
> -> Computer IDs that do not conflict with the other IDs
> (computer accounts are not used on the shares)
>
> How I currently do it :
> ---------------------------
> I don't use ADUC. So to create a new user :
> -> I use the samba-tool command, always on the same DC (say DC1).
> -> One local xidNumber is generated in idmap.ldb.
> -> So I take the xidNumber and I put it in the rfc2307 uidNumber
> attribute.
>
> I do the same for creating groups.
>
> The problem comes with the computer accounts of Windows machines.
> Because the accounts are created from the clients, I have no control over
> the ID generation.
>
> How the problem appears :
> -----------------------------------
> -> I create a user "myuser" on DC1.
> -> A local xidNumber = 3000025 (for example) is created locally and
> copied to the rfc2307 attributes.
> -> On the other DCs, there is no local xidNumber for "myuser" because
> the rfc2307 attribute is already set.
> -> Next I join a new Windows computer to the Domain.
> -> On DC1, no problem, the local xidNumber prevents a conflict with the
> newly created machine's local ID.
> -> But on DC2, sometimes, a local xidNumber of 3000025 (like myuser)
> is allocated for the new computer and myuser sometimes loses access
> to the shares (sometimes winbind says that the files are owned by
> "myuser", sometimes it says that they are owned by the machine).
>
> Is there a way to tell Samba to use different ranges for user/group
> xidNumber and computer xidNumber ?
>
> Does someone have an idea how to solve my problem ?
>
> Thanks !
>
> Baptiste.

Why do you feel you have to have a Unix ID for a computer ?

Also, using the xidNumber for the rfc2307 ID isn't a good idea, partially for the reason you have found. The contents of idmap.ldb on different DCs are highly likely to be different unless you sync idmap.ldb from the first DC to all others.

Rowland
Björn JACKE
2018-Jan-12 14:42 UTC
[Samba] Avoiding uid conflicts between rfc2307 user/groups and computers
On 2018-01-12 at 14:23 +0100 Prunk Dump via samba sent off:
> I have some conflicts between uids stored in the rfc2307 attributes and
> some local uids from idmap.ldb

You should not set up any share except for the default sysvol/netlogon shares on the AD DC. If you have no other machine available, you can set up a member server for file shares via an LXC container on the same physical machine while still having it logically separated from the DC.

The problem with missing POSIX IDs exists because these days Windows clients occasionally work with their machine account instead of the connecting user account. One option is to assign rfc2307 attributes for all the machine accounts, too. The other option is to avoid using rfc2307 idmapping altogether and not use idmap ad on the member server but idmap rid or idmap autorid instead; that will work reliably for any user even when no uidnumber/gidnumber attributes have been assigned.

Björn

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
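Björn's idmap rid suggestion avoids the per-DC idmap.ldb divergence described in the thread because the mapping is a pure function of the SID: every member server computes the same ID with no local allocation state. As an added example (not from the thread or from Samba's own code), the Python below models the idmap_rid arithmetic (xid = RID - base_rid + low end of the range, base_rid defaulting to 0) over a constructed smb.conf fragment and checks that the configured ranges do not overlap; the domain SID, RIDs and account names are made up.

```python
import re

# Constructed smb.conf fragment for a domain member (not from the thread).
# The '*' domain covers BUILTIN and local SIDs; the EXAMPLE domain uses rid.
SMB_CONF = """
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.LAN
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config EXAMPLE : backend = rid
   idmap config EXAMPLE : range = 10000-999999
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$")

def parse_idmap(conf):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    cfg = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            cfg.setdefault(dom, {})[opt] = val
    return cfg

def check_ranges(cfg):
    """Reject overlapping ranges: each ID must belong to exactly one domain."""
    spans = []
    for dom, opts in cfg.items():
        low, high = (int(x) for x in opts["range"].split("-"))
        for other, (lo, hi) in spans:
            if low <= hi and lo <= high:
                raise ValueError(f"range of {dom} overlaps {other}")
        spans.append((dom, (low, high)))
    return True

def rid_to_xid(sid, domain_sid, cfg, domain):
    """idmap_rid arithmetic: xid = RID - base_rid + low; None when the SID is
    foreign or the result falls outside the range (winbind maps nothing)."""
    if not sid.startswith(domain_sid + "-"):
        return None
    rid = int(sid.rsplit("-", 1)[1])
    opts = cfg[domain]
    low, high = (int(x) for x in opts["range"].split("-"))
    xid = rid - int(opts.get("base_rid", "0")) + low
    return xid if low <= xid <= high else None

if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    check_ranges(cfg)
    dom_sid = "S-1-5-21-1111-2222-3333"  # constructed domain SID
    for name, rid in (("myuser", 1105), ("PC01$", 1106)):  # user and machine
        print(name, rid_to_xid(f"{dom_sid}-{rid}", dom_sid, cfg, "EXAMPLE"))
```

Because the user and the machine account have distinct RIDs, they get distinct xids on every member server regardless of which DC created them or in what order.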
Marco Gaiarin
2018-Jan-12 16:15 UTC
[Samba] Avoiding uid conflicts between rfc2307 user/groups and computers
Hi! On that day Björn JACKE via samba wrote:
> machine account instead of the connecting user account. One option is to assign
> rfc2307 attributes also for all the machine accounts, too. The other option is

Any drawbacks to that? Clearly, apart from the management cost of assigning a UID to machine accounts? Clearly, the 'Domain Computers' group also has to be assigned a GID, right?

Thanks.

--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA! http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)