Rowland Penny
2025-Jan-16 12:04 UTC
[Samba] odd UID behaviour in Linux hosts connected to Samba AD
On Thu, 16 Jan 2025 12:21:42 +0100 (CET) "Vincent S. Cojot via samba" <samba at lists.samba.org> wrote:

> Hi everyone,
>
> I've been running into a small issue in the past few days after
> figuring out (or so I thought) how to properly map UIDs from AD to
> Linux clients so that they are identical across environments and work
> on both Linux and Windows boxes. Maybe I am doing something wrong.
>
> I am wondering if someone could shed some light here.
>
> My config is this:
> - Two small VMs running Samba 4.20.z in AD mode.
> - Several client endpoints.
> - Several Linux (RHEL) AD clients configured to use winbind and
> acting as fileservers.
> (# authselect select winbind --nobackup -f)
>
> On one of these fileservers, here is what I am observing:
>
> Right after booting a fileserver, I can 'id' a local user just fine
> and it's properly showing the local Linux groups:

Please define 'local user', if it is a user that is in /etc/passwd AND in AD, you are doing it wrong.

> # id raistlin
> uid=1502(raistlin) gid=100(users)
> groups=3(sys),7(lp),10(wheel),11(cdrom),39(video),63(audio),100(users),197(system)
>
> However, if I query the AD user related to that local user, things
> start going a -different- direction afterwards:
>
> # id -a KRYNN_AD\\raistlin
> uid=1502(KRYNN_AD\raistlin) gid=100(users)
> groups=10001(BUILTIN\users),10000(BUILTIN\administrators),100(users)

This is coming from the

> but then the output of the -first- command changes and the extra
> groups are dropped and I can no longer query the local user:
>
> # id -a raistlin
> uid=1502(KRYNN_AD\raistlin) gid=100(users)
> groups=10001(BUILTIN\users),10000(BUILTIN\administrators),100(users)
>
> The above fileserver is running RHEL 8.10. The nsswitch configuration
> looks like this:
>
> # grep winbind /etc/nsswitch.conf
> passwd: db files winbind systemd
> group: db files winbind systemd

Hmm, what is the 'db' ?

> the relevant samba configuration for the domain is this:
> -------
> security = ads
> realm = AD.LASTHOME.SOLACE.KRYNN
> vfs objects = acl_xattr
> [....]
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> template shell = /bin/bash
> template homedir = /export/home/%U
> idmap_ldb:use rfc2307 = yes

The above line is only used on a Samba AD DC.

> winbind use default domain = no
> winbind refresh tickets = yes
> winbind offline logon = yes
> winbind enum groups = no
> winbind enum users = no
> winbind nss info = rfc2307

That line is no longer required.

> min domain uid = 1000
> idmap config * : backend = tdb
> idmap config * : range = 2000000-2999999

I wish redhat would stop telling people to put the default domain above the main domain and 999999 IDs is a bit much for the default domain, something that is meant for the Well Known SIDs (there are less than 200 of those) and anything outside the main domain (so really '0').

> idmap config KRYNN_AD : backend = ad
> idmap config KRYNN_AD : range = 1500-1999999
> idmap config KRYNN_AD : schema_mode = rfc2307
> idmap config KRYNN_AD : unix_nss_info = yes
> idmap config KRYNN_AD : unix_primary_group = yes

I take it you have added rfc2307 attributes to AD.

> While this 'works' as-is, I am a little concerned because of the
> following:
> 1) Why is the AD user taking precedence in NSS resolution even though
> winbind is listed later? (nsswitch.conf order shows it should hit the
> local user first). This also shows up while doing simple things such
> as 'ls -l'.

Thing is, you shouldn't have local users and AD users with the same name.

> the UID and GID in AD are coming from uidNumber and gidNumber which I
> have configured to match those of the local user.

Yes, it really sounds like you are doing it wrong.

> 2) the extra groups are dropped and it is causing issues to the local
> users when they login to the Linux workstations.

Let me give you an example on my domain:

rowland at devstation:~$ grep 'rowland' /etc/passwd
rowland at devstation:~$

I am not in /etc/passwd, I am not a 'local user', so why does this work:

rowland at devstation:~$ id rowland
uid=11104(rowland) gid=10513(domain users) groups=10513(domain users),102(netdev),1001(unixtest),11104(rowland),10512(domain admins),12605(testgroup),10571(allowed rodc password replication group),10572(denied rodc password replication group),2001(BUILTIN\users),2000(BUILTIN\administrators)

It works because (using idmap_rid) winbind makes me a Unix user.

> 3) In this situation, is there a way to add the AD user to more
> groups on the Linux systems? Since winbind seems to be taking over,
> is that an attribute I could add in AD to add the missing groups?

You can add AD users to local Unix groups, but a better way would be to create groups in AD instead (not system groups, the ones with an ID less than 1000)

> Am I doing something totally wrong here?

It sounds like it.
Do you really need the rfc2307 attributes ?
Samba can map AD users to Unix IDs without them and Windows never uses them.

Rowland
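The two things Rowland objects to in the quoted configuration, a user defined in /etc/passwd whose UID also sits inside a winbind idmap range, and idmap ranges that have to stay disjoint, can both be checked mechanically before the box is joined. This is an added example, not code from the thread or from Samba; it works on a constructed smb.conf fragment and constructed passwd lines and assumes the "idmap config DOM : option = value" spelling used in the thread.

```python
import re

# Constructed smb.conf fragment modelled on the idmap lines quoted in the thread.
SMB_CONF = """
idmap config * : backend = tdb
idmap config * : range = 2000000-2999999
idmap config KRYNN_AD : backend = ad
idmap config KRYNN_AD : range = 1500-1999999
"""

# Constructed /etc/passwd entries; raistlin mirrors the thread's local user.
PASSWD = """
root:x:0:0:root:/root:/bin/bash
raistlin:x:1502:100:Raistlin:/home/raistlin:/bin/bash
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap_ranges(conf):
    """Return {domain: (low, high)} from every 'idmap config DOM : range' line."""
    ranges = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m and m.group(2).lower() == "range":
            low, high = (int(x) for x in m.group(3).split("-"))
            ranges[m.group(1)] = (low, high)
    return ranges

def parse_passwd(text):
    """Return {name: uid} for every non-empty passwd line."""
    rows = (line.split(":") for line in text.splitlines() if line.strip())
    return {f[0]: int(f[2]) for f in rows}

def find_uid_collisions(ranges, users):
    """Local users whose UID sits inside a winbind idmap range: such a user
    resolves from both 'files' and 'winbind', the double definition at issue."""
    return [(name, uid, dom) for name, uid in users.items()
            for dom, (low, high) in ranges.items() if low <= uid <= high]

def find_range_overlaps(ranges):
    """Pairs of idmap domains whose ranges intersect; they must be disjoint."""
    doms = sorted(ranges)
    return [(a, b) for i, a in enumerate(doms) for b in doms[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]

if __name__ == "__main__":
    r = parse_idmap_ranges(SMB_CONF)
    print(find_uid_collisions(r, parse_passwd(PASSWD)), find_range_overlaps(r))
```

On a real host, feed it the output of `testparm -s` and `getent passwd -s files` instead of the constructed strings.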
vincent at cojot.name
2025-Jan-16 13:16 UTC
[Samba] odd UID behaviour in Linux hosts connected to Samba AD
Hi Rowland,

Thank you very much for the quick answer.

>> Right after booting a fileserver, I can 'id' a local user just fine
>> and it's properly showing the local Linux groups:
>
> Please define 'local user', if it is a user that is in /etc/passwd AND
> in AD, you are doing it wrong.

Yes, I have those local users both in /etc/passwd and AD (in case AD is down). I had no idea it would be wrong.

>> # grep winbind /etc/nsswitch.conf
>> passwd: db files winbind systemd
>> group: db files winbind systemd
>
> Hmm, what is the 'db' ?

It's auto-constructed from NSS information. I thought it was pretty common usage. Removing it does not make a difference, btw.. db is supposed to provide faster lookups, even locally.

>> winbind nss info = rfc2307
>
> That line is no longer required.

Ok, thank you, will get rid of it.

>> min domain uid = 1000
>> idmap config * : backend = tdb
>> idmap config * : range = 2000000-2999999
>
> I wish redhat would stop telling people to put the default domain above
> the main domain and 999999 IDs is a bit much for the default domain,
> something that is meant for the Well Known SIDs (there are less than
> 200 of those) and anything outside the main domain (so really '0').

I do not think it was a Red Hat thing.. It was probably me searching the internet for answers. Do you think I should get rid of the 'idmap config * ..' lines completely? Do you have a suggestion there? I'm happy to drop the ranges to something much more narrow.

> I take it you have added rfc2307 attributes to AD.

I did, yes, back when I created this two-VM Samba AD/DC setup (4.8.z times, I think)

> Thing is, you shouldn't have local users and AD users with the same
> name.

They don't only share the name, they also shared the UID and GID (through rfc2307 attributes).

>> the UID and GID in AD are coming from uidNumber and gidNumber which I
>> have configured to match those of the local user.
>
> Yes, it really sounds like you are doing it wrong.

I understand that now from what you said.. so doing it right is using only local users or AD and keeping both separate? Then if AD is down or DNS is down, nobody can login, right? (unless the offline logins work).

> Let me give you an example on my domain:
>
> rowland at devstation:~$ grep 'rowland' /etc/passwd
> rowland at devstation:~$
>
> I am not in /etc/passwd, I am not a 'local user', so why does this work:
>
> rowland at devstation:~$ id rowland
> uid=11104(rowland) gid=10513(domain users) groups=10513(domain users),102(netdev),1001(unixtest),11104(rowland),10512(domain admins),12605(testgroup),10571(allowed rodc password replication group),10572(denied rodc password replication group),2001(BUILTIN\users),2000(BUILTIN\administrators)
>
> It works because (using idmap_rid) winbind makes me a Unix user.

Oh, I see. But 'rid' is Random ID, right? So the UID of the AD user on the Linux system can not be predicted, only determined after the fact, right? And then it properly functions with /etc/group, right?

> You can add AD users to local Unix groups, but a better way would be to
> create groups in AD instead (not system groups, the ones with an ID
> less than 1000)

Do you mean actual AD groups? Can AD groups have a gidNumber in rfc2307 attributes for mapping to a pre-defined UNIX group? I'm not super familiar with AD groups... Can samba-tool be used to create them as well?

>> Am I doing something totally wrong here?
>
> It sounds like it.

I thought so, thanks for confirming.

> Do you really need the rfc2307 attributes ?
> Samba can map AD users to Unix IDs without them and Windows never uses
> them.

So that would be the 'rid' backend, right?

Thank you for this detailed reply, much appreciated. AD is one of the areas that I never fully researched properly and was just happy to be a freeloader..

Vincent