On Thu, 2022-03-03 at 12:05 +0100, Lars Schimmer via samba wrote:
> > Have you actually looked in AD, does Domain Users have a gidNumber
> > attribute? Do your users have the primaryGroupID attribute set to
> > '513'? Do the relevant users have a uidNumber attribute?
>
> Why 513?

Because that is the RID for Domain Users and all AD users are members of Domain Users because of it, even though they are never shown as a member anywhere in AD.

> The Domain Users group does have a separate gid and that's the primary
> group for all users, which all users do have set as gid.

There is absolutely no reason to do that, because of what I explained above, all AD users are members of Domain Users without a gidNumber attribute.

> > The fact that the 'rid' idmap backend works, shows that Samba is
> > working. When you change to the 'ad' backend and it doesn't work,
> > usually means that there is something wrong with the uidNumber &
> > gidNumber attributes in AD.
> > Try running 'testparm -s', this may show errors.
>
> Yeah, that's the strange part. It did work with the AD config until we
> did clean up (remove accounts), disable SMBv1 and change the KrbTGT key.

Why did you change the key? I never change the key and have never had any problems. I think that changing the key manually should only be an act of last desperation.

> So we did not change any UID or GID.
> And even if, if I read the above thread correctly, a UID and GID in
> range for any user should be enough to work, but it does not for any
> user, except the admins.
> And that's strange.

Very strange and something that has never happened to me.

> testparm -s shows like smb.conf: correct network, SMBv2 protocol, idmap
> ranges as expected.
>
> Do we need separate user/group ranges in samba config?

In what respect?
You should have two domains configured in smb.conf (unless you are using the autorid idmap backend). The first is the default or '*' domain, this is used for the 'Well Known SIDs' and anything outside the main domain, this only needs to be small, 2000 IDs are more than enough. The second domain (which uses the workgroup name to identify it) is for the users stored in AD. You will have to add the RFC2307 attributes if you use the 'ad' idmap backend. Whichever backend you use, you need to set a range for it in smb.conf. This range must cover all users in AD that you want to be mapped to Unix users, 'rid' and 'autorid' calculate the Unix ID from the RID, any Unix IDs that are outside the range set in smb.conf will be ignored. The same goes for the 'ad' backend, but in this case, any uidNumber or gidNumber attributes that are outside the range will be ignored, but Domain Users must have a gidNumber set and be inside the range, or all users will be ignored.

Rowland
And.. Small side note, this is different per distro.

cat /etc/adduser.conf |grep UID
# FIRST_SYSTEM_[GU]ID to LAST_SYSTEM_[GU]ID inclusive is the range for UIDs
# package, may assume that UIDs less than 100 are unallocated.
FIRST_SYSTEM_UID=100
LAST_SYSTEM_UID=999
# FIRST_[GU]ID to LAST_[GU]ID inclusive is the range of UIDs of dynamically
FIRST_UID=1000
LAST_UID=29999

So, based on that (a Debian Buster server).. Try to avoid these system ranges or at least think about these..

Greetz,
Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny via samba
> Sent: Thursday, 3 March 2022 13:31
> To: samba at lists.samba.org
> Subject: Re: [Samba] Problem with AD & idmap
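A check for the two-range layout Rowland describes and the distro ranges Louis points out, as an added example that is not part of the thread: it assumes a workgroup named EXAMPLE, a constructed `testparm -s` excerpt, constructed adduser.conf values and a constructed Domain Users gidNumber, and reports overlapping ranges and a missing or out-of-range gidNumber on Domain Users.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed workgroup: EXAMPLE.
# Constructed sample of `testparm -s` output: a '*' domain for well-known SIDs
# and the AD domain on the 'ad' backend (its range must hold every uidNumber).
SMB_CONF='[global]
   workgroup = EXAMPLE
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE : schema_mode = rfc2307
   idmap config EXAMPLE : range = 10000-999999'
# Constructed sample of the Debian adduser.conf values quoted above.
ADDUSER_CONF='FIRST_UID=1000
LAST_UID=29999'

# Print "lo hi" for `idmap config <domain> : range = lo-hi`; domain is '*' or a workgroup.
idmap_range() {
    printf '%s\n' "$1" | awk -v dom="$2" -F'=' '
        $1 ~ /^[ \t]*idmap config/ {
            key = $1; sub(/^[ \t]*idmap config[ \t]*/, "", key)
            split(key, p, ":"); d = p[1]; o = p[2]
            gsub(/[ \t]/, "", d); gsub(/[ \t]/, "", o)
            if (d == dom && o == "range") { v = $2; gsub(/[ \t]/, "", v); sub(/-/, " ", v); print v }
        }'
}
# Print the value of KEY=value from adduser.conf-style text.
conf_value() { printf '%s\n' "$1" | sed -n "s/^$2=//p"; }
# Exit 0 when [lo1,hi1] and [lo2,hi2] share at least one ID.
ranges_overlap() { [ "$1" -le "$4" ] && [ "$3" -le "$2" ]; }

# check_idmap SMB_TEXT ADDUSER_TEXT WORKGROUP DOMAIN_USERS_GID ('' if unset)
# Prints each finding; returns 1 if there was any, 0 if the layout is clean.
check_idmap() {
    smb=$1; add=$2; wg=$3; dugid=$4; rc=0
    set -- $(idmap_range "$smb" '*') $(idmap_range "$smb" "$wg")
    [ $# -eq 4 ] || { echo "missing idmap range for '*' or $wg"; return 1; }
    llo=$(conf_value "$add" FIRST_UID); lhi=$(conf_value "$add" LAST_UID)
    ranges_overlap "$1" "$2" "$3" "$4" && { echo "'*' ($1-$2) and $wg ($3-$4) overlap"; rc=1; }
    ranges_overlap "$1" "$2" "$llo" "$lhi" && { echo "'*' range $1-$2 overlaps local UIDs $llo-$lhi"; rc=1; }
    ranges_overlap "$3" "$4" "$llo" "$lhi" && { echo "$wg range $3-$4 overlaps local UIDs $llo-$lhi"; rc=1; }
    if [ -z "$dugid" ]; then
        echo "Domain Users has no gidNumber: the ad backend will map no users"; rc=1
    elif [ "$dugid" -lt "$3" ] || [ "$dugid" -gt "$4" ]; then
        echo "Domain Users gidNumber $dugid is outside the $wg range $3-$4"; rc=1
    fi
    return $rc
}

# Constructed Domain Users gidNumber of 10513; with the sample above this reports
# the two collisions with the local 1000-29999 range.
check_idmap "$SMB_CONF" "$ADDUSER_CONF" EXAMPLE 10513 || echo "adjust the ranges above"
```

On a live member server, feed it the real `testparm -s` output and the gidNumber read from AD instead of the constructed samples.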
On 03.03.2022 at 13:31, Rowland Penny via samba wrote:
> On Thu, 2022-03-03 at 12:05 +0100, Lars Schimmer via samba wrote:
>>> Have you actually looked in AD, does Domain Users have a gidNumber
>>> attribute? Do your users have the primaryGroupID attribute set to
>>> '513'? Do the relevant users have a uidNumber attribute?
>>
>> Why 513?
>
> Because that is the RID for Domain Users and all AD users are members
> of Domain Users because of it, even though they are never shown as a
> member anywhere in AD.
>
>> The Domain Users group does have a separate gid and that's the primary
>> group for all users, which all users do have set as gid.
>
> There is absolutely no reason to do that, because of what I explained
> above, all AD users are members of Domain Users without a gidNumber
> attribute.

Hm, ok. Another point to take and check.

>>> The fact that the 'rid' idmap backend works, shows that Samba is
>>> working. When you change to the 'ad' backend and it doesn't work,
>>> usually means that there is something wrong with the uidNumber &
>>> gidNumber attributes in AD.
>>> Try running 'testparm -s', this may show errors.
>>
>> Yeah, that's the strange part. It did work with the AD config until we
>> did clean up (remove accounts), disable SMBv1 and change the KrbTGT key.
>
> Why did you change the key? I never change the key and have never had
> any problems. I think that changing the key manually should only be an
> act of last desperation.

Because it was described as absolutely good practice for security, to protect against golden ticket attacks and others in the AD. And it worked well on the (newer) domain.

>> So we did not change any UID or GID.
>> And even if, if I read the above thread correctly, a UID and GID in
>> range for any user should be enough to work, but it does not for any
>> user, except the admins.
>> And that's strange.
>
> Very strange and something that has never happened to me.

Yeah.

>> testparm -s shows like smb.conf: correct network, SMBv2 protocol, idmap
>> ranges as expected.
>>
>> Do we need separate user/group ranges in samba config?
>
> In what respect?
> You should have two domains configured in smb.conf (unless you are
> using the autorid idmap backend). The first is the default or '*'
> domain, this is used for the 'Well Known SIDs' and anything outside the
> main domain, this only needs to be small, 2000 IDs are more than
> enough. The second domain (which uses the workgroup name to identify
> it) is for the users stored in AD. You will have to add the RFC2307
> attributes if you use the 'ad' idmap backend. Whichever backend you
> use, you need to set a range for it in smb.conf. This range must cover
> all users in AD that you want to be mapped to Unix users, 'rid' and
> 'autorid' calculate the Unix ID from the RID, any Unix IDs that are
> outside the range set in smb.conf will be ignored. The same goes for
> the 'ad' backend, but in this case, any uidNumber or gidNumber
> attributes that are outside the range will be ignored, but Domain Users
> must have a gidNumber set and be inside the range, or all users will be
> ignored.

Ok, that's what I guessed, but that's not how it works here now. Thanks for the clarification.

> Rowland

Kind regards,
Lars Schimmer
--
-------------------------------------------------------------
TU Graz, Institut für ComputerGraphik & WissensVisualisierung
Tel: +43 316 873-5405 E-Mail: l.schimmer at cgv.tugraz.at
Fax: +43 316 873-5402 PGP-Key-ID: 0x4A9B1723