samba - Jan 2018 - Avoiding uid conflicts between rfc2307 user/groups and computers

Hi Samba team !

I have some conflicts between uid stored in the rfc2307 attributes and
some local uid from idmap.ldb

My network :
------------------
I have three samba AD DC with sysvol replication. Sadly, as I don't
have some other machines, the three DC also share my user's Home and
Profile directories. So I need at least :
-> Builtin User/Group ID mapping between DCs (easy)
-> Domain User/Group ID mapping between DCs
-> Computer IDs that does not conflicts with the other ID
(computer accounts are not used on the shares)


How I currenly do :
---------------------------
I don't use ADUC. So to create a new user :
-> I use the samba-tool command always on the same DC (say DC1).
-> One local xidNumber is generated in idmap.ldb
-> So I take the xidNumber and I put it in the rfc2307 uidNumber attribute.

I do the same manner for creatings groups.

The problem come with the computer accounts of Windows machine.
Because as the accounts are created from clients, I have no control on
the ID generation.


How the problem appear :
-----------------------------------
-> I create a user "myuser" on DC1.
-> A local xidNumber = 3000025 (for example) is created locally and
copied to the rfc2307 attributes.
-> On the others DCs, there is no local xidNumber for "myuser"
because
the rfc2307 attribute is already set.
-> Next I join a new Windows computer on the Domain.
-> On DC1, no problem, the local xidNumber prevent conflict with the
new created machine local ID
-> But on DC2, sometimes, a local xidNumber of 3000025 (like myuser)
is allocated for the new computer and myuser lost sometimes the access
to the shares ( sometimes winbind say that the files are owned by
"myuser", sometimes it say that they are owned by the machine).

Is there a way to say to Samba to use different ranges for user/group
xidNumber and computer xidNumber ?

Does someone have an idea how to solve my problem ?

Thanks !

Baptiste.

On Fri, 12 Jan 2018 14:23:36 +0100
Prunk Dump via samba <samba at lists.samba.org> wrote:
> Hi Samba team !
> 
> I have some conflicts between uid stored in the rfc2307 attributes and
> some local uid from idmap.ldb
> 
> My network :
> ------------------
> I have three samba AD DC with sysvol replication. Sadly, as I don't
> have some other machines, the three DC also share my user's Home and
> Profile directories. So I need at least :
> -> Builtin User/Group ID mapping between DCs (easy)
> -> Domain User/Group ID mapping between DCs
> -> Computer IDs that does not conflicts with the other ID
> (computer accounts are not used on the shares)
> 
> 
> How I currenly do :
> ---------------------------
> I don't use ADUC. So to create a new user :
> -> I use the samba-tool command always on the same DC (say DC1).
> -> One local xidNumber is generated in idmap.ldb
> -> So I take the xidNumber and I put it in the rfc2307 uidNumber
> attribute.
> 
> I do the same manner for creatings groups.
> 
> The problem come with the computer accounts of Windows machine.
> Because as the accounts are created from clients, I have no control on
> the ID generation.
> 
> 
> How the problem appear :
> -----------------------------------
> -> I create a user "myuser" on DC1.
> -> A local xidNumber = 3000025 (for example) is created locally and
> copied to the rfc2307 attributes.
> -> On the others DCs, there is no local xidNumber for "myuser"
because
> the rfc2307 attribute is already set.
> -> Next I join a new Windows computer on the Domain.
> -> On DC1, no problem, the local xidNumber prevent conflict with the
> new created machine local ID
> -> But on DC2, sometimes, a local xidNumber of 3000025 (like myuser)
> is allocated for the new computer and myuser lost sometimes the access
> to the shares ( sometimes winbind say that the files are owned by
> "myuser", sometimes it say that they are owned by the machine).
> 
> Is there a way to say to Samba to use different ranges for user/group
> xidNumber and computer xidNumber ?
> 
> Does someone have an idea how to solve my problem ?
> 
> Thanks !
> 
> Baptiste.
> 
Why do you feel you have to have a Unix ID for a computer ?

Also using the xidNumber for the rfc2307 ID isn't a good idea,
partially for the reason you have found. The contents of idmap.ldb on
different DCs is highly likely to be different unless you sync
idmap.ldb from the first DC to all others.

Rowland

On 2018-01-12 at 14:23 +0100 Prunk Dump via samba sent
off:
> I have some conflicts between uid stored in the rfc2307 attributes and
> some local uid from idmap.ldb
you should not set up any share except for the default sysvol/netlogon share on
the AD DC. If you have no other machine available you can set up a member
server for file shares via a lxc container on the same physical machine while
still having it logically separated from the DC. The problem with missing posix
IDs exists because these days Windows clients occasionally work with their
machine account instead of the connecting user account. One option is to assign
rfc2307 attributes also for all the machine accounts, too. The other option is
to avoid using rfc2307 idmapping all together and not use idmap ad on the
member server but idmap rid or idmap autorid instead on the member server, that
will work reliably for any user even when no uidnumber/gidnumber attributes had
been assigned.

Björn
-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de

Mandi! Björn JACKE via samba
  In chel di` si favelave...
> machine account instead of the connecting user account. One option is to
assign
> rfc2307 attributes also for all the machine accounts, too. The other option
is
Some drawbacks on that? Clearly, apart the management cost of assigning
an UID to machine accounts?

Clearly, also 'Domain Computers' group have to get assigned an GID,
right?


Thanks.

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''         
http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)