Björn JACKE
2018-Jan-12 17:14 UTC
[Samba] Avoiding uid conflicts between rfc2307 user/groups and computers
On 2018-01-12 at 16:56 +0000 Rowland Penny sent off:
> Surely the authentication of choice would be kerberos and this wouldn't
> require a posix account.

Rowland, you sound very confident, but still that doesn't make it right. The posix account needs to exist for smbd to be able to switch to the context of the connecting (computer) user. This is not a matter of the authentication mechanism.

Björn

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
Rowland Penny
2018-Jan-12 17:27 UTC
[Samba] Avoiding uid conflicts between rfc2307 user/groups and computers
On Fri, 12 Jan 2018 18:14:05 +0100
Björn JACKE via samba <samba at lists.samba.org> wrote:

> On 2018-01-12 at 16:56 +0000 Rowland Penny sent off:
> > Surely the authentication of choice would be kerberos and this
> > wouldn't require a posix account.
>
> Rowland, you sound very confident, but still that doesn't make it
> right. The posix account needs to exist for smbd to be able to switch
> to the context of the connecting (computer) user. This is not a
> matter of the authentication mechanism.
>
> Björn

As far as I am aware, the client connects to a DC to authenticate a user and before the user is authenticated, the client is checked to see if it is a domain member. The method of choice for the computer authentication is kerberos, this does not require posix attributes.

I am not disputing what you say, I am just asking for concrete proof that a computer account MUST have a uidNumber account.

Rowland
Prunk Dump
2018-Jan-12 20:01 UTC
[Samba] Avoiding uid conflicts between rfc2307 user/groups and computers
Thank you very much for your help!!

The problem is that I need a way to create the ID numbers without overwriting the previous one, as I don't use ADUC but shell scripts. This is why I use the xidNumber generation (on one specific DC) that takes care of that. This idea is not from me, it was used a long time ago by a Spanish IT person who often comes here ;) (but his method may have changed since....)

Is there a way built into Samba to do it? Because, as my shares are also exported with NFSv4, I need consistent id mapping between Samba and NFS. This also helps with backing up files, because they can be restored on any file server by saving the ACLs and xattrs.

Do you think it is a good idea to assign xidNumber + 100000 as the rfc2307 ID, to avoid idmap.ldb overwriting the ID?

But there is still a problem for computer accounts. Does an automatic way exist to assign uidNumbers to computers when they join the domain?

Thanks again!

Baptiste.

2018-01-12 18:27 GMT+01:00 Rowland Penny via samba <samba at lists.samba.org>:
> On Fri, 12 Jan 2018 18:14:05 +0100
> Björn JACKE via samba <samba at lists.samba.org> wrote:
>
>> On 2018-01-12 at 16:56 +0000 Rowland Penny sent off:
>> > Surely the authentication of choice would be kerberos and this
>> > wouldn't require a posix account.
>>
>> Rowland, you sound very confident, but still that doesn't make it
>> right. The posix account needs to exist for smbd to be able to switch
>> to the context of the connecting (computer) user. This is not a
>> matter of the authentication mechanism.
>>
>> Björn
>
> As far as I am aware, the client connects to a DC to authenticate a
> user and before the user is authenticated, the client is checked to see
> if it is a domain member. The method of choice for the computer
> authentication is kerberos, this does not require posix attributes.
>
> I am not disputing what you say, I am just asking for concrete proof
> that a computer account MUST have a uidNumber account.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
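The allocation Baptiste describes (hand out rfc2307 IDs from a script without ever overwriting an existing one, and give computer accounts a uidNumber too) can be done from an LDIF dump of the IDs already in the directory. The script below is an added example written for this thread; it is not Samba's own tooling and not the method anyone in the thread uses. It assumes the dump comes from `ldbsearch` on the DC (the filter and attribute list shown in the docstring are assumptions), that the admin has reserved a fixed rfc2307 range that does not overlap the DC's idmap.ldb xidNumber range (the range constant is an assumption, not a Samba default), and that the resulting LDIF is applied with `ldbmodify` or `ldapmodify`. The sample dump is constructed.

```python
"""Allocate the next free rfc2307 uidNumber for a computer account.

Added example, not Samba's own code. Reads an LDIF dump assumed to be
produced on the DC by something like

  ldbsearch -H /var/lib/samba/private/sam.ldb \
    '(|(uidNumber=*)(gidNumber=*)(objectClass=computer))' \
    uidNumber gidNumber sAMAccountName

then picks the next ID inside the reserved rfc2307 range and prints an LDIF
modify record for ldbmodify/ldapmodify.
"""
import base64

# Assumed range reserved by the admin for rfc2307 uidNumber/gidNumber values,
# chosen so it cannot overlap what idmap.ldb hands out as xidNumber on the DC.
RFC2307_RANGE = (100000, 199999)

# Constructed sample dump (not from the thread). It contains a comment line, a
# base64 value and a folded dn, all of which ldbsearch output may contain.
SAMPLE_LDIF = """\
# record 1
dn: CN=alice,CN=Users,DC=example,DC=com
sAMAccountName: alice
uidNumber: 100000
gidNumber: 100010

dn: CN=bob,CN=Users,DC=example,DC=com
sAMAccountName: bob
uidNumber: 100001
gidNumber: 100010

dn: CN=PC01,CN=Computers,DC=example,DC=com
sAMAccountName: PC01$
uidNumber:: MTAwMDAy

dn: CN=PC02,CN=Computers,
 DC=example,DC=com
sAMAccountName: PC02$
"""


def parse_ldif(text):
    """Return one {attribute(lowercase): [values]} dict per LDIF record."""
    records, current, pending = [], {}, None

    def commit():
        nonlocal pending
        if pending is not None and not pending.startswith("#"):
            attr, _, value = pending.partition(":")
            if value.startswith(":"):          # base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode()
            current.setdefault(attr.strip().lower(), []).append(value.strip())
        pending = None

    for raw in text.splitlines():
        if raw.startswith(" "):                # folded continuation line
            pending = (pending or "") + raw[1:]
        elif raw == "":                        # blank line ends a record
            commit()
            if current:
                records.append(current)
                current = {}
        else:
            commit()
            pending = raw
    commit()
    if current:
        records.append(current)
    return records


def used_ids(records):
    """All uidNumber and gidNumber values, as one pool (like the single
    xidNumber space idmap.ldb uses), so a uid can never equal a gid."""
    ids = set()
    for rec in records:
        for attr in ("uidnumber", "gidnumber"):
            ids.update(int(v) for v in rec.get(attr, []))
    return ids


def next_free(used, id_range=RFC2307_RANGE):
    """Highest in-range ID plus one. Gaps left by deleted accounts are not
    reused on purpose: files on the NFS exports may still be owned by the old
    number, and a new account given that number would inherit them."""
    low, high = id_range
    in_range = [i for i in used if low <= i <= high]
    candidate = max(in_range) + 1 if in_range else low
    if candidate > high:
        raise RuntimeError("rfc2307 range %d-%d is exhausted" % id_range)
    return candidate


def allocate_computer_uid(ldif_text, sam_account_name, id_range=RFC2307_RANGE):
    """Return (uidNumber, ldif_modify). ldif_modify is None when the account
    already has a uidNumber, so this is safe to run after every join."""
    records = parse_ldif(ldif_text)
    wanted = sam_account_name.lower()
    target = next((r for r in records
                   if wanted in (v.lower() for v in r.get("samaccountname", []))),
                  None)
    if target is None:
        raise LookupError("no record for %s in the dump" % sam_account_name)
    if target.get("uidnumber"):
        return int(target["uidnumber"][0]), None
    uid = next_free(used_ids(records), id_range)
    ldif = ("dn: %s\nchangetype: modify\nadd: uidNumber\nuidNumber: %d\n-\n"
            % (target["dn"][0], uid))
    return uid, ldif


if __name__ == "__main__":
    import sys
    dump = SAMPLE_LDIF if sys.stdin.isatty() else sys.stdin.read()
    account = sys.argv[1] if len(sys.argv) > 1 else "PC02$"
    uid, ldif = allocate_computer_uid(dump, account)
    print(ldif if ldif else "# %s already has uidNumber %d" % (account, uid))
```

Run it as `ldbsearch ... | python3 alloc_uid.py 'PC02$' | ldbmodify -H /var/lib/samba/private/sam.ldb` (assumed invocation) on the one DC you have chosen to allocate from, as the thread already does for xidNumber; allocating from several DCs at once would race and could hand out the same number twice.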
Marco Gaiarin
2018-Jan-15 09:51 UTC
[Samba] Avoiding uid conflicts between rfc2307 user/groups and computers
Mandi! Rowland Penny via samba, in chel di` si favelave... (Friulian: "Greetings! Rowland Penny via samba wrote on that day...")
> I am not disputing what you say, I am just asking for concrete proof
> that a computer account MUST have a uidNumber account.

Rowland, it is not (only) a matter of authentication, it is a matter of 'acting' with the machine account.

I've dug a bit but found nothing other than (I use WPKG as a deployment system, it is only an example):

https://wpkg.org/System_User
https://wpkg.org/SYSTEM_user_Command_Prompt

Probably there was some old thread on the mailing list; anyway, the SYSTEM user can act (e.g. access shares) with the machine account credentials; AFAIK accessing a share as SYSTEM will trigger an access with the machine account, and as a fallback as anonymous/Everyone.

So, if you mean that a machine account can auth without a UID, it is right; if they need (non-anonymous) access to some share, I suppose a UID is needed.

I hope I was clear.

-- 
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or HEALTH RESEARCH)