Miguel Medalha
2015-Feb-22 22:27 UTC
[Samba] Winbind backend : rid is too much underappreciated
> > idmap config * :backend = tdb
> > idmap config * :range = 10000-99999
> > idmap config DOMAIN : backend = rid
> > idmap config DOMAIN : range = 100000-199999
>
> Taking your example 'idmap config DOMAIN : range = 100000-199999' it is very easy, you just need users whose RIDs are larger than 200000, these users will be ignored.
>
> Something similar was probably wrong with the 'ad' backend when you tried it, failing that it was probably a lack of 'uidNumber' & 'gidNumber' in AD.

Nope! I had 'uidNumber' & 'gidNumber' in AD.

Well, maybe I should explain everything in an orderly way, which, being too tired, I hadn't the patience to do the other day.

I had an AD DC running Samba 4.1.x for some time, doubling as a file server. Yes, I know it is not the recommended way, but sometimes real life leads us into particular situations. (It was a long-thought decision, but it would be boring to go through the details here.)

Then, two days ago I finally got another server and I wanted to join it to the domain as a member server. All went smoothly from that point of view. I then went to ADUC (Active Directory Users and Computers) and started to fill the 'UNIX Attributes' tab with 'uidNumber' & 'gidNumber'. I started with the Administrator account, accepting the proposed uid 10000 and so on. Then, bang, I couldn't connect with my user profile when logging in to the domain from the same Windows machine I always used.

I had previously noticed that getent on the AD DC gave me ids in a range starting with 3000000, and I thought that this could be the reason why the Administrator account had lost access to essential folders on the server, since the default range and the range entered with ADUC didn't match. I then tried to give some users the same id in the 3000000 range reported by getent on the DC, except for Administrator, to which I gave id 0, as again reported by getent on the DC.

Now, I could see all the users from the member server, except for Administrator and except again for 'getent group' unless I specified the group. I must add that 'wbinfo -u/-g' always showed me all users and groups, including Administrator. (Yes, I have 'passwd: files winbind' and 'group: files winbind' in /etc/nsswitch.conf. And yes, I changed the idmap config range to 3000000-4000000 in smb.conf for the experience I just described.)

I tried to set permissions on a share from Windows, to which the reply was that I (Administrator) did not have the permissions to set or even view permissions. And yes, I had granted all the necessary rights to Administrator and Domain Admins.

After a lot of trials including username mapping and so on, I decided to try the rid backend, which worked immediately.

I am probably committing some basic mistake that is ridiculous from the developers' point of view. I am not a developer and my knowledge of the inner workings of Samba is limited, although I have been using it successfully for more than 10 years with file servers and NT4-style domain controllers. I just feel that simply following the instructions on the Wiki is not enough to painlessly configure a member server.

Maybe some unfortunate decisions have been made through the development of the Samba AD DC regarding winbind and id mapping that led to confusing users. Please note that I am not bitching or even complaining. I admire the work of the Samba team and I am grateful for it. But maybe real life and real problems led to some decisions that were not the easiest for users.

Thank you for your patience

--------

As an aside, username mapping does not seem to be working in the usual way, as described in the man page. If I entered more than one name after the '=' sign, mapping stopped working. For example:

'root = Administrator' did map root to administrator, getent showed me Administrator

'root = Administrator admin' did not work, getent ceased to show Administrator

The use of !root as described in the manual also caused getent not to show Administrator
Miguel Medalha
2015-Feb-22 22:54 UTC
[Samba] Winbind backend : rid is too much underappreciated
I must add that I am using the Sernet Samba 4.1.16 packages on both servers, CentOS 7 on the AD DC and CentOS 6.6 on the member server.
Rowland Penny
2015-Feb-23 10:43 UTC
[Samba] Winbind backend : rid is too much underappreciated
On 22/02/15 22:27, Miguel Medalha wrote:
> Nope! I had 'uidNumber' & 'gidNumber' in AD.
>
> Well, maybe I should explain everything in an orderly way, which, being too tired, I hadn't the patience to do the other day.
>
> I had an AD DC running Samba 4.1.x for some time, doubling as a file server. Yes, I know it is not the recommended way, but sometimes real life leads us into particular situations. (It was a long-thought decision, but it would be boring to go through the details here.)

OK, I understand, even though it is not recommended, sometimes you just have to do it :-)

> Then, two days ago I finally got another server and I wanted to join it to the domain as a member server. All went smoothly from that point of view. I then went to ADUC (Active Directory Users and Computers) and started to fill the 'UNIX Attributes' tab with 'uidNumber' & 'gidNumber'. I started with the Administrator account, accepting the proposed uid 10000 and so on. Then, bang, I couldn't connect with my user profile when logging in to the domain from the same Windows machine I always used.

By default, Administrator is given the 'xidNumber' 0 which is also the id for the Unix user 'root', by changing this you made 'Administrator' a normal Unix user with all the permissions (or rather lack of) this entails. You probably needed to update the 'security' tab on the profiles share.

> I had previously noticed that getent on the AD DC gave me ids in a range starting with 3000000, and I thought that this could be the reason why the Administrator account had lost access to essential folders on the server, since the default range and the range entered with ADUC didn't match. I then tried to give some users the same id in the 3000000 range reported by getent on the DC, except for Administrator, to which I gave id 0, as again reported by getent on the DC.
>
> Now, I could see all the users from the member server, except for Administrator and except again for 'getent group' unless I specified the group. I must add that 'wbinfo -u/-g' always showed me all users and groups, including Administrator.

wbinfo works directly on AD, getent goes via Unix. When you give the Administrator user the id 0, getent will only return the first user it finds, if you want the info for Administrator to be returned, change the passwd line in /etc/nsswitch.conf to 'passwd winbind compat' (note, this is on debian, 'compat' may be 'files' on your distro)

NOTE: once you have finished testing, please put the line in /etc/nsswitch.conf back to what it was, or you will not have a root user :-D

> (Yes, I have 'passwd: files winbind' and 'group: files winbind' in /etc/nsswitch.conf. And yes, I changed the idmap config range to 3000000-4000000 in smb.conf for the experience I just described.)

If, as you say, your users have a 'uidNumber' in the '3000000-4000000' range *and* Domain Users has a 'gidNumber' in the same range, it should have worked.

> I tried to set permissions on a share from Windows, to which the reply was that I (Administrator) did not have the permissions to set or even view permissions. And yes, I had granted all the necessary rights to Administrator and Domain Admins.

This was possibly caused by a misunderstanding, Administrator on the DC is mapped to 'root' so has all the permissions of 'root' i.e. it can do anything. On a member server it is different, you have to explicitly map root yourself.

> After a lot of trials including username mapping and so on, I decided to try the rid backend, which worked immediately.

Yes, it is a lot easier, but only if you do not require to set home dirs & shells per user.

> I am probably committing some basic mistake that is ridiculous from the developers' point of view. I am not a developer and my knowledge of the inner workings of Samba is limited, although I have been using it successfully for more than 10 years with file servers and NT4-style domain controllers. I just feel that simply following the instructions on the Wiki is not enough to painlessly configure a member server.

I am not a developer either but I do have permission to change the wiki, so if you struggled with the wiki, is there any chance you could tell us what you feel is wrong or missing from the member-server page? Unless we get feedback we do not really know that it needs to be updated.

> Maybe some unfortunate decisions have been made through the development of the Samba AD DC regarding winbind and id mapping that led to confusing users. Please note that I am not bitching or even complaining. I admire the work of the Samba team and I am grateful for it. But maybe real life and real problems led to some decisions that were not the easiest for users.
>
> Thank you for your patience
>
> --------
>
> As an aside, username mapping does not seem to be working in the usual way, as described in the man page. If I entered more than one name after the '=' sign, mapping stopped working. For example:
>
> 'root = Administrator' did map root to administrator, getent showed me Administrator
>
> 'root = Administrator admin' did not work, getent ceased to show Administrator
>
> The use of !root as described in the manual also caused getent not to show Administrator

All I can say here is that it works for me.

Rowland
L.P.H. van Belle
2015-Feb-24 10:50 UTC
[Samba] Winbind backend : rid is too much underappreciated
Didn't we have the problem with the backend set to RID, that the user ID wasn't always the same on different member servers, and to keep that in line you had to copy the idmap.db to the other server? Or am I mixing up other things now?

Best regards,

Louis
Rowland Penny
2015-Feb-24 11:14 UTC
[Samba] Winbind backend : rid is too much underappreciated
On 24/02/15 10:50, L.P.H. van Belle wrote:
> Didn't we have the problem with the backend set to RID, that the user ID wasn't always the same on different member servers, and to keep that in line you had to copy the idmap.db to the other server?
>
> Or am I mixing up other things now?
>
> Best regards,
>
> Louis

Yes, you are mixing things up now :-D

idmap.ldb is only found on DCs and hands out different numbers on each DC, hence copying the idmap.ldb from the first DC to any subsequent DC.

Rowland
L.P.H. van Belle
2015-Feb-24 11:30 UTC
[Samba] Winbind backend : rid is too much underappreciated
Ah, ok, yes that was it.. ;-)

So, for my understanding: we use the AD backend if we also want to use the RFC2307 extension (with winbind and schema_mode rfc2307), and we can use RID if we want the Windows user id with winbind. And for RID we can use the server template settings, and for AD we can set this per user, as seen in the Unix Attributes tab in the Windows tool. Correct?

(I still don't understand the main difference between AD and RID.) I just did read both man pages but that does not make it more clear for me.

Greetz,

Louis

> -----Original message-----
> From: rowlandpenny at googlemail.com [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
> Sent: Tuesday, 24 February 2015 12:14
> To: samba at lists.samba.org
> Subject: Re: [Samba] Winbind backend : rid is too much underappreciated
>
> On 24/02/15 10:50, L.P.H. van Belle wrote:
> > Didn't we have the problem with the backend set to RID, that the user ID wasn't always the same on different member servers, and to keep that in line you had to copy the idmap.db to the other server?
> >
> > Or am I mixing up other things now?
> >
> > Best regards,
> >
> > Louis
>
> Yes, you are mixing things up now :-D
>
> idmap.ldb is only found on DCs and hands out different numbers on each DC, hence copying the idmap.ldb from the first DC to any subsequent DC.
>
> Rowland
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
miguelmedalha at sapo.pt
2015-Feb-24 13:53 UTC
[Samba] Winbind backend : rid is too much underappreciated
> Didn't we have the problem with the backend set to RID, that the user ID wasn't always the same on different member servers.

As long as the id ranges and base rid in each member server's smb.conf are kept the same, that cannot happen. The mapping from SIDs is deterministic.
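As an added illustration (not code from the thread or from Samba itself), the rule idmap_rid applies, ID = RID - BASE_RID + LOW_RANGE_ID, run against the DOMAIN section quoted earlier in the thread; the domain SID and the parser are constructed here, and the out-of-range case shows why an account whose RID does not fit the range simply gets no Unix ID.

```python
import re

# idmap_rid(8) formula: ID = RID - BASE_RID + LOW_RANGE_ID.
# A domain SID is S-1-5-21-<three sub-authorities>-<RID>; the RID is the last part.
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")

def rid_from_sid(sid):
    """Return the RID of a domain SID, or None for anything else (e.g. BUILTIN)."""
    m = SID_RE.match(sid)
    return int(m.group(1)) if m else None

def parse_rid_config(smb_conf, domain):
    """Pull 'idmap config <domain> : backend/range/base_rid' from an smb.conf
    fragment. Whitespace around ':' and '=' is optional, as in the thread."""
    cfg = {"backend": None, "low": None, "high": None, "base_rid": 0}
    key_re = re.compile(r"^\s*idmap config\s+%s\s*:\s*(\w+)\s*=\s*(.+?)\s*$"
                        % re.escape(domain), re.IGNORECASE)
    for line in smb_conf.splitlines():
        m = key_re.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "backend":
            cfg["backend"] = value
        elif key == "range":
            lo, hi = value.split("-")
            cfg["low"], cfg["high"] = int(lo), int(hi)
        elif key == "base_rid":
            cfg["base_rid"] = int(value)
    return cfg

def map_sid(sid, cfg):
    """Unix ID for `sid` under the rid backend, or None when the result leaves the
    configured range: winbind then has no ID for that account and getent omits it."""
    rid = rid_from_sid(sid)
    if rid is None or cfg["backend"] != "rid" or cfg["low"] is None:
        return None
    unix_id = rid - cfg["base_rid"] + cfg["low"]
    return unix_id if cfg["low"] <= unix_id <= cfg["high"] else None

# Constructed sample: the DOMAIN section quoted in the thread. Any member server
# carrying the same range and base_rid computes the same IDs, with no idmap copy.
SMB_CONF = """
[global]
   idmap config * : backend = tdb
   idmap config * : range = 10000-99999
   idmap config DOMAIN : backend = rid
   idmap config DOMAIN : range = 100000-199999
"""
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed, not real

if __name__ == "__main__":
    cfg = parse_rid_config(SMB_CONF, "DOMAIN")
    print(map_sid(DOMAIN_SID + "-500", cfg))     # Administrator, RID 500 -> 100500
    print(map_sid(DOMAIN_SID + "-250000", cfg))  # RID beyond the range -> None
```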