Rowland Penny
2021-Oct-28 15:20 UTC
[Samba] Security token SIDs does not contain the right SID for users in username map
On Thu, 2021-10-28 at 11:55 -0300, tizo wrote:
> > No, that is, in my opinion, totally wrong, you cannot use 'tdb' for
> > the 'DOMAIN' backend, you need to use the 'rid', 'autorid' or 'ad'
> > backend.
> > You also do not map the users in the user.map, you just make the AD
> > users into Unix users by using the correct winbind backend.
>
> Rowland, thanks for your quick response. Then I guess that for our
> case, we should use the 'ad' backend, as of the three you mention is
> the only one capable of mapping to specific UIDs, right?

This all depends, is there an AD DC anywhere in your setup ? Or are you just getting authentication from freeipa ?

As far as I am aware, freeipa only does authentication, which is okay, because Samba also only wants you to use a Samba AD DC for authentication. However freeipa is never likely to give you what an AD DC will.

If you use the winbind 'rid' or 'autorid' backends, the Unix ID will be calculated from the RID taken from the SID (does freeipa have SIDs ?) and if you use the same 'global' part of the smb.conf on all Samba machines, then you will always get the same IDs without adding anything to AD.

If you use the 'ad' backend, then you need to add RFC2307 attributes to AD and these will be used on all Samba machines.

NOTE: AD above could be freeipa.

At the moment you are using the 'tdb' backend and this is an allocating backend, that is, when a user or group contacts the Samba server, it gets allocated the next available ID. This means you will get different IDs on different machines and even worse, if the Samba database on the machine gets corrupted, the users and groups are likely to get different IDs.

I do not use freeipa, so know little about it, so a bit of investigation may be worth doing. As far as I am aware, freeipa is really ldap on steroids, just not as far as Samba AD.

Rowland
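The difference Rowland describes between a deterministic backend and the allocating 'tdb' backend, as an added Python model (not code from the thread or from Samba): the rid_backend_id function applies the idmap_rid rule ID = RID - base_rid + low for a configured 'idmap config DOM : range = low-high', and TdbAllocator is a toy stand-in for tdb's "next free ID" allocation. The SIDs and the range are constructed sample values.

```python
import re
from typing import Dict, Optional, Tuple

# Matches a domain SID with a trailing RID, e.g. S-1-5-21-1-2-3-1106 (constructed sample).
_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def rid_from_sid(sid: str) -> int:
    """Return the RID (last sub-authority) of a domain SID; reject anything else."""
    m = _SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain SID: {sid}")
    return int(m.group(1))


def rid_backend_id(sid: str, low: int, high: int, base_rid: int = 0) -> Optional[int]:
    """idmap_rid rule: ID = RID - base_rid + low; None when the result leaves the range.
    low/high correspond to 'idmap config DOM : range = low-high' in smb.conf."""
    unix_id = rid_from_sid(sid) - base_rid + low
    return unix_id if low <= unix_id <= high else None


class TdbAllocator:
    """Toy model of the allocating 'tdb' backend: each SID gets the next free ID the
    first time it is seen, so the ID depends on the order in which users show up."""

    def __init__(self, low: int) -> None:
        self._next = low
        self._map: Dict[str, int] = {}

    def lookup(self, sid: str) -> int:
        if sid not in self._map:
            self._map[sid] = self._next
            self._next += 1
        return self._map[sid]


# Constructed sample SIDs for two AD users.
ALICE = "S-1-5-21-1-2-3-1106"
BOB = "S-1-5-21-1-2-3-1107"


def compare_backends() -> Tuple[Tuple[int, int], Tuple[int, int]]:
    """Return ALICE's ID on two hosts under 'rid', then under 'tdb' (different first-seen order)."""
    low, high = 10000, 999999
    rid_ids = (rid_backend_id(ALICE, low, high), rid_backend_id(ALICE, low, high))
    host1, host2 = TdbAllocator(low), TdbAllocator(low)
    host1.lookup(ALICE); host1.lookup(BOB)  # host 1 sees Alice first
    host2.lookup(BOB); host2.lookup(ALICE)  # host 2 sees Bob first
    return rid_ids, (host1.lookup(ALICE), host2.lookup(ALICE))
```

With the same range on both hosts, the rid rule yields 11106 for ALICE everywhere, while the tdb model hands Alice 10000 on one host and 10001 on the other.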
tizo
2021-Oct-28 16:25 UTC
[Samba] Security token SIDs does not contain the right SID for users in username map
> This all depends, is there an AD DC anywhere in your setup ? Or are you
> just getting authentication from freeipa ?
>
> As far as I am aware, freeipa only does authentication, which is okay,
> because Samba also only wants you to use a Samba AD DC for
> authentication. However freeipa is never likely to give you what an AD
> DC will.
>
> If you use the winbind 'rid' or 'autorid' backends, the Unix ID will be
> calculated from the RID taken from the SID (does freeipa have SIDs ?)
> and if you use the same 'global' part of the smb.conf on all Samba
> machines, then you will always get the same IDs without adding
> anything to AD.
>
> If you use the 'ad' backend, then you need to add RFC2307 attributes to
> AD and these will be used on all Samba machines.
>
> NOTE: AD above could be freeipa.
>
> At the moment you are using the 'tdb' backend and this is an allocating
> backend, that is, when a user or group contacts the Samba server, it
> gets allocated the next available ID, this means you will get different
> IDs on different machines and even worse, if the Samba database on the
> machine gets corrupted, the users and groups are likely to get
> different IDs.
>
> I do not use freeipa, so know little about it, so a bit of
> investigation may be worth doing. As far as I am aware, freeipa is
> really ldap on steroids, just not as far as Samba AD.
>
> Rowland

In our scenario there is an AD DC (Windows Server 2012 R2), and an independent FreeIPA. The first is used for Windows computer users, and the second for Ubuntu computer users. Users exist on both systems, and should be mapped in the file server (Samba). We don't have (we will, but not yet) a Samba AD at this time, and it is not our intention to have one right now. As for the above, and your information, we should use the 'ad' idmap backend and not use "username map".
On another note, we know how 'tdb' works, and we know that static mappings can be done too (aside from the automatic allocation), with "net idmap restore" for example. In fact, in our current solution (with Samba 3.6.23), we are using it with the static mappings, and all is working right. Because of that, at first we thought of using the same method and mapping (the transition should be much easier). So our question is, why is it not working with the current version? More precisely, why is the AD SID of a user that is in the username map not in his security token SIDs (the problem does not exist if the username is the same on both systems, so he doesn't have a line in the username map)?