Luis Peromarta
2025-Jan-16 16:13 UTC
[Samba] odd UID behaviour in Linux hosts connected to Samba AD
It took me a few hours to put these together, hopefully it is useful to you:

http://samba.bigbird.es/doku.php?id=samba:idmap-backends
http://samba.bigbird.es/doku.php?id=samba:no-need-for-use-rfc2307
http://samba.bigbird.es/doku.php?id=samba:more-idmapping-notes

On 16 Jan 2025 at 14:45 +0000, Rowland Penny via samba <samba at lists.samba.org>, wrote:
> On Thu, 16 Jan 2025 14:16:45 +0100 (CET)
> vincent at cojot.name wrote:
>
> > Hi Rowland,
> >
> > Thank you very much for the quick answer.
> >
> > > > Right after booting a fileserver, I can 'id' a local user just fine
> > > > and it's properly showing the local Linux groups:
> > >
> > > Please define 'local user', if it is a user that is in /etc/passwd
> > > AND in AD, you are doing it wrong.
> >
> > Yes, I have those local users both in /etc/passwd and AD (in case AD
> > is down). I had no idea it would be wrong.
> >
> > > > # grep winbind /etc/nsswitch.conf
> > > > passwd: db files winbind systemd
> > > > group: db files winbind systemd
> > >
> > > Hmm, what is the 'db' ?
> >
> > It's auto-constructed from NSS information. I thought it was pretty
> > common usage. Removing it does not make a difference, btw.. db is
> > supposed to provide faster lookups, even locally.
> >
> > > > winbind nss info = rfc2307
> > >
> > > That line is no longer required.
> >
> > Ok, thank you, will get rid of it.
> >
> > > > min domain uid = 1000
> > > > idmap config * : backend = tdb
> > > > idmap config * : range = 2000000-2999999
> > >
> > > I wish redhat would stop telling people to put the default domain
> > > above the main domain and 999999 IDs is a bit much for the default
> > > domain, something that is meant for the Well Known SIDs (there are
> > > less than 200 of those) and anything outside the main domain (so
> > > really '0').
> >
> > I do not think it was a Red Hat thing.. It was probably me searching
> > the internet for answers. Do you think I should get rid of the
> > 'idmap config * ..' lines completely? Do you have a suggestion there?
> > I'm happy to drop the ranges to something much more narrow.
> >
> > > I take it you have added rfc2307 attributes to AD.
> >
> > I did, yes, back when I created this two-VM Samba AD/DC setup (4.8.z
> > times, I think)
> >
> > > Thing is, you shouldn't have local users and AD users with the same
> > > name.
> >
> > They don't only share the name, they also shared the UID and GID
> > (through rfc2307 attributes ).
> >
> > > > the UID and GID in AD are coming from uidNumber and gidNumber
> > > > which I have configured to match those of the local user.
> > >
> > > Yes, it really sounds like you are doing it wrong.
> >
> > I understand that now from what you said.. so doing it right is using
> > only local users or AD and keeping both separate? then if AD is down
> > or DNS is down, nobody can login, right? (unless the offline logins
> > work).
> >
> > > Let me give you an example on my domain:
> > >
> > > rowland at devstation:~$ grep 'rowland' /etc/passwd
> > > rowland at devstation:~$
> > >
> > > I am not in /etc/passwd, I am not a 'local user', so why does this
> > > work:
> > >
> > > rowland at devstation:~$ id rowland
> > > uid=11104(rowland) gid=10513(domain users) groups=10513(domain
> > > users),102(netdev),1001(unixtest),11104(rowland),10512(domain
> > > admins),12605(testgroup),10571(allowed rodc password replication
> > > group),10572(denied rodc password replication
> > > group),2001(BUILTIN\users),2000(BUILTIN\administrators)
> > >
> > > It works because (using idmap_rid) winbind makes me a Unix user.
> >
> > Oh, I see. But 'rid' is Random ID, right? so the UID of the AD user
> > on the Linux system can not be predicted, only determined after the
> > fact, right? and then it properly functions with /etc/group, right?
> >
> > > You can add AD users to local Unix groups, but a better way would
> > > be to create groups in AD instead (not system groups, the ones with
> > > an ID less than 1000)
> >
> > Do you mean actual AD groups? can AD groups have a gidNumber in
> > rfc2307 attributes for mapping to a pre-defined UNIX group? I'm not
> > super familiar with AD groups... Can samba-tool be used to create
> > them as well?
> >
> > > > Am I doing something totally wrong here?
> > >
> > > It sounds like it.
> >
> > I thought so, thanks for confirming.
> >
> > > Do you really need the rfc2307 attributes ?
> > > Samba can map AD users to Unix IDs without them and Windows never
> > > uses them.
> >
> > so that would be the 'rid' backend, right?
> >
> > Thank you for this detailed reply, much appreciated. AD is one of the
> > areas that I never fully researched properly and was just happy to be
> > a freeloader..
> >
> > Vincent
>
> Try reading these:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Configuring_Samba
>
> https://wiki.samba.org/index.php/Idmap_config_rid
>
> You need to configure the default domain '*' and your AD domain as
> shown on the 'Idmap_config_rid' wiki page. 'rid' does not mean 'Random
> ID', it is a way of mapping the account's Windows RID (which is always
> unique in the domain) to a Unix ID, it does this by calculating the ID
> with this formula:
>
> ID = RID - BASE_RID + LOW_RANGE_ID
>
> The 'BASE_RID' defaults to '0' unless it is set differently in the
> smb.conf file.
>
> The 'LOW_RANGE_ID' is what you set in the smb.conf file, so from the
> wiki example above, it could be '10000'
>
> This means that the formula, with a user with the RID '1104', could be
> written like this:
>
> ID = 1104 + 10000
>
> Or
>
> ID = 11104
>
> Provided you use the same 'idmap config' lines on all Unix domain
> members, you will always get the same ID for users and groups. The only
> place you cannot use the 'idmap config' lines is on a DC.
>
> The other thing you need to do, forget most of what you know. The main
> reason for AD is a single point of maintenance (even if there are
> multiple DCs, they all hold the same information), you create users &
> groups in one place (the DCs) and never directly on the Unix domain
> members, you only create local system users & groups (the ones with an
> ID less than 1000) on the Unix computer.
>
> You are probably thinking 'but what about ?', so please ask
> about anything that you have doubts about, I would rather answer such
> questions now instead of trying to help you fix things later :-)
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
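As an added illustration (not code from this thread, from Samba, or from the wiki pages linked above), the following Python models the idmap_rid rule Rowland quotes, ID = RID - BASE_RID + LOW_RANGE_ID, together with the range check winbind applies, and sets it beside the allocating '*' (tdb) backend that handles BUILTIN and other well-known SIDs. The smb.conf fragment, the domain name SAMDOM, the domain SID and the two host objects are constructed sample values; the tdb side is simplified to a per-host first-come counter, which is enough to show why rid IDs agree across members with identical 'idmap config' lines while tdb-allocated IDs need not.

```python
"""Worked model of Samba's idmap_rid mapping (added example, not Samba code).

Implements the formula from the thread, ID = RID - BASE_RID + LOW_RANGE_ID,
with the range check winbind applies, and contrasts it with the allocating
'*' (tdb) backend used for BUILTIN and other well-known SIDs.  The smb.conf
fragment, the domain name SAMDOM and all SIDs are constructed sample values;
the tdb backend is simplified to a per-host first-come counter.
"""
import re

# Constructed smb.conf fragment, laid out as on the Idmap_config_rid wiki page.
SMB_CONF = """
[global]
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = rid
   idmap config SAMDOM : range = 10000-999999
"""

# Constructed: which configured domain owns which domain SID prefix.
DOMAIN_SIDS = {"SAMDOM": "S-1-5-21-1111111111-2222222222-3333333333"}

_IDMAP_RE = re.compile(r"idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(\S+)")


def parse_idmap_config(conf):
    """Return {domain: {'backend': str, 'range': (low, high), 'base_rid': int}}."""
    cfg = {}
    for line in conf.splitlines():
        m = _IDMAP_RE.search(line)
        if not m:
            continue
        dom, key, val = m.groups()
        entry = cfg.setdefault(dom, {"base_rid": 0})   # base_rid defaults to 0
        if key == "range":
            low, high = (int(x) for x in val.split("-"))
            entry["range"] = (low, high)
        elif key == "base_rid":
            entry["base_rid"] = int(val)
        else:
            entry[key] = val
    return cfg


def split_sid(sid):
    """'S-1-5-21-a-b-c-1104' -> ('S-1-5-21-a-b-c', 1104)."""
    prefix, _, rid = sid.rpartition("-")
    return prefix, int(rid)


class IdMapper:
    """One Unix domain member's view of SID -> Unix ID mapping."""

    def __init__(self, conf, domain_sids):
        self.cfg = parse_idmap_config(conf)
        self.domain_sids = domain_sids
        self._tdb = {}                               # per-host allocation table
        self._next = self.cfg["*"]["range"][0]

    def sid_to_id(self, sid):
        prefix, rid = split_sid(sid)
        for name, dsid in self.domain_sids.items():
            if dsid == prefix and self.cfg.get(name, {}).get("backend") == "rid":
                return self._map_rid(name, rid)
        return self._alloc_tdb(sid)                  # anything else: default domain

    def _map_rid(self, name, rid):
        low, high = self.cfg[name]["range"]
        uid = rid - self.cfg[name]["base_rid"] + low
        if not low <= uid <= high:                   # winbind refuses to map these
            raise ValueError(f"RID {rid} -> {uid} is outside {low}-{high}")
        return uid

    def _alloc_tdb(self, sid):
        low, high = self.cfg["*"]["range"]
        if sid not in self._tdb:
            if self._next > high:
                raise ValueError("default domain range exhausted")
            self._tdb[sid] = self._next
            self._next += 1
        return self._tdb[sid]


def compare_hosts():
    """Two members with identical smb.conf: deterministic for rid, not for tdb."""
    user = DOMAIN_SIDS["SAMDOM"] + "-1104"          # RID 1104, as in the thread
    admins, users = "S-1-5-32-544", "S-1-5-32-545"   # BUILTIN\administrators, BUILTIN\users
    host_a = IdMapper(SMB_CONF, DOMAIN_SIDS)
    host_b = IdMapper(SMB_CONF, DOMAIN_SIDS)
    # The two hosts happened to resolve the BUILTIN groups in a different order.
    a_admins = (host_a.sid_to_id(admins), host_a.sid_to_id(users))[0]
    b_admins = (host_b.sid_to_id(users), host_b.sid_to_id(admins))[1]
    return {
        "user_a": host_a.sid_to_id(user),            # 11104 on both hosts
        "user_b": host_b.sid_to_id(user),
        "builtin_admins_a": a_admins,                # 3000 here, 3001 on the other host
        "builtin_admins_b": b_admins,
    }


if __name__ == "__main__":
    print(compare_hosts())
```

Run it and the domain user lands on 11104 on both hosts, and RID 513 (Domain Users) on 10513, matching the 'id' output quoted above; a RID of 990000 in this configuration is rejected because 990000 + 10000 exceeds the high end of the SAMDOM range. The BUILTIN groups, by contrast, get whichever ID the local tdb counter handed out first, so they can legitimately differ between two members with identical smb.conf, which is why the '*' range only needs room for the well-known SIDs and not for the whole domain.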
Rowland Penny
2025-Jan-16 16:50 UTC
[Samba] odd UID behaviour in Linux hosts connected to Samba AD
On Thu, 16 Jan 2025 16:13:40 +0000
Luis Peromarta via samba <samba at lists.samba.org> wrote:

> It took me a few hours to put these together, hopefully it is useful to
> you:
>
> http://samba.bigbird.es/doku.php?id=samba:idmap-backends
>
> http://samba.bigbird.es/doku.php?id=samba:no-need-for-use-rfc2307
>
> http://samba.bigbird.es/doku.php?id=samba:more-idmapping-notes
>

Those are very good, I might have worded some of the first one a bit differently, people have been known to mis-class connecting to a share as logging in, for instance.

You also have this in the second one:

You need users to log in (ssh) to the DC with different home folders or shells.

There is no way to give users logging into a DC different shells or home directory paths, not even if you use the rfc2307 attributes. A DC only reads uidNumber & gidNumber attributes from AD.

You also do not mention that if you join an additional DC, it doesn't get 'idmap_ldb:use rfc2307 = yes' in its smb.conf, not even if the other DC(s) have it, you have to manually add it.

Rowland