On Fri, 27 Feb 2015 00:18:24 +0000
Rowland Penny <rowlandpenny at googlemail.com> wrote:

> 34, you are seriously using 34 for a standard user id number ? You
> shouldn't use anything below 1000 for a normal user, these low
> numbers are reserved for system use and you have run into a problem
> that can only be fixed by not using such low numbers. The 3000014
> number is coming from idmap.ldb but the group number is coming
> from /etc/group (or whatever it is called on freebsd)
>
> Rowland

Rowland-

Again wind issues forth with no meaning.

Where does your "Wisdom" about no UID below 1000 come from?

Back 30 years ago when I started with Unix, and this network was first
set up the normal practice was to start regular users at 100, with
below 100 being reserved for SYSTEMS STAFF and System Processes.
Typically on a stock Sun box running NIS the NIS maps were built
starting at 100 and systems staff were below that so that if NIS failed
systems staff could still log into a box to fix things.

As I recall the UID starting convention for POSIX systems started to
creep higher than 100 with the copy-cat called Gnu/Linux. If I recall
correctly the first time I saw 501 as a default starting UID was with
Debian years ago. Every Mac that rolls off the factory floor is set to
start ordinary users at 501 today. Yes many of the various GNU/Linux
distributions have adopted 1000 and above for REGULAR USERS, but there
is no technical reason for it, and in fact unless, as is the case with
NIS, there is a table saying do not put this UID in the map there is no
reason that 34 should not happily go into the Samba directory service.

I will take a moment to point out in the case of NIS it was, and is
possible by changing a single thing in the Makefile used for making the
maps to set whatever cutoff UID you wish, and to include random UIDs in
the maps as well.

I would submit that if Samba can not do this then Samba 4 is broken.
What is even more broken is that samba-tool silently accepted 34 as a
UID and created the samba user. If UIDs below 1000 are forbidden then a
properly written program would have thrown an exception.

There are many TB of data on the network. Most of the UIDs are below
1000, in fact most are below 500.

Can you provide considered technical reasons that Samba can NO LONGER
HANDLE whatever UID the admin wishes to assign?

It would seem to me what you said is "You found a bug and the samba
core team does not want to fix it", but what do I know I have only been
hacking on Unix boxes since about 1982 or 1983.

If anyone else on the list has insight into the situation I would
appreciate hearing from you. I am too involved in the FreeBSD arm port
to devote time to reading the samba sources to find the bug.

-Brett

--
wynkoop at wynn.com http://prd4.wynn.com/wynkoop/pgp-keys.txt
917-642-6925
929-272-0000

"The strongest reason for the people to retain the right to keep and
bear arms is, as a last resort, to protect themselves against tyranny
in government" - Thomas Jefferson.

Hello Brett,

On Thu, Feb 26, 2015 at 6:10 PM, Brett Wynkoop <wynkoop+samba at wynn.com> wrote:

>
> Where does your "Wisdom" about no UID below 1000 come from?
>

I would guess it comes from distros (mostly the Linux ones) statically
assigning UID and GIDs to certain services to make the package
manager's job easier.

But if your existing system has userids below that number, then you
should have no problem from that, but it is something to be aware of if
you add more modern clients.

>
> I would submit that if Samba can not do this then Samba 4 is broken.
> What is even more broken is that samba-tool silently accepted 34 as a
> UID and created the samba user. If UIDs below 1000 are forbidden then a
> properly written program would have thrown an exception.
>

Numbers out of a specific range are masked out by idmap. It seems to
be 10000-20000 is the default range, presumably to avoid problems of
domain users getting access to data owned by system services that
they should not be able to. You can change this range though, the
member server setup wiki page[1] explains it well enough. I am not
aware of an actual code restriction on the ID range, but I am also
not a developer.

[1] https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server#RFC2307

Hope this helps,

On Thu, 26 Feb 2015 19:45:31 -0700
Nigel W <nigel.w at nosun.ca> wrote:

> Hello Brett,
>
> On Thu, Feb 26, 2015 at 6:10 PM, Brett Wynkoop
> <wynkoop+samba at wynn.com> wrote:
> >
> > Where does your "Wisdom" about no UID below 1000 come from?
> >
> I would guess it comes from distros (mostly the Linux ones) statically
> assigning UID and GIDs to certain services to make the package
> manager's job easier.
>

Thank you, that was exactly my point.

> But if your existing system has userids below that number, then you
> should have no problem from that, but it is something to be aware of
> if you add more modern clients.

This is what I was thinking as well.

> >
> > I would submit that if Samba can not do this then Samba 4 is broken.
> > What is even more broken is that samba-tool silently accepted 34 as
> > a UID and created the samba user. If UIDs below 1000 are forbidden
> > then a properly written program would have thrown an exception.
> >
> Numbers out of a specific range are masked out by idmap. It seems to
> be 10000-20000 is the default range, presumably to avoid problems of
> domain users getting access to data owned by system services that
> they should not be able to. You can change this range though, the
> member server setup wiki page[1] explains it well enough. I am not
> aware of an actual code restriction on the ID range, but I am also
> not a developer.
>
> [1]
> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server#RFC2307
>
> Hope this helps,

Thank you for this pointer and confirming what I thought had to be
true. I will check it and see what happens. This is the best help on
this issue since I first brought it to the group last fall. It is much
more useful than "Change all your existing users to have UIDs greater
than 1000".

There is a real problem in the FreeSoftware world today with people not
understanding the hows and whys of things. Your reply is a breath of
fresh air.

I still contend that samba-tool should not have silently assigned a UID
other than what I requested. If the user requests something invalid the
proper response for the situation should have been to give an ABEND
(for the youngsters on the list ABEND == Abnormal End) message pointing
out the problem.

Those who do not learn from history are doomed to repeat it.

Thanks again.

-Brett

--
wynkoop at wynn.com http://prd4.wynn.com/wynkoop/pgp-keys.txt
917-642-6925
929-272-0000

I would never invade the United States. There would be a gun behind
every blade of grass. --Isoroku Yamamoto

On Thu, 26 Feb 2015 19:45:31 -0700
Nigel W <nigel.w at nosun.ca> wrote:

> Hello Brett,

> [1]
> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server#RFC2307
>
> Hope this helps,

Nigel-

I think I am still at a loss. After having a look at that page I added
idmap uid = 34-1000 to the smb4.conf file. I then deleted user wynkoop,
restarted samba and added user wynkoop again. The UID incremented from
where it had previously been. Just to make sure I did the whole delete
and add again another time. The results of uploading files from
smbclient are below:

root at prd2:/usr/local/etc # ls -l /archive/test
total 5
-rw-r--r-- 1 3000014 wheel 6148 Feb 22 03:37 .DS_Store
-rw-r--r-- 1 3000013 wheel 381 Feb 26 22:55 bar
-rw-r--r-- 1 3000012 wheel 381 Feb 26 22:45 foo
-rw-r--r-- 1 3000011 wheel 381 Feb 26 18:18 profile
root at prd2:/usr/local/etc #

Do I need to totally wipe out the DB to get it to start at 34? If I do
that what good is the option to samba-tool to specify a certain GID?

-Brett

--
wynkoop at wynn.com http://prd4.wynn.com/wynkoop/pgp-keys.txt
917-642-6925
929-272-0000

I would never invade the United States. There would be a gun behind
every blade of grass. --Isoroku Yamamoto

On 27/02/15 01:10, Brett Wynkoop wrote:
> On Fri, 27 Feb 2015 00:18:24 +0000
> Rowland Penny <rowlandpenny at googlemail.com> wrote:
>
>
>> 34, you are seriously using 34 for a standard user id number ? You
>> shouldn't use anything below 1000 for a normal user, these low
>> numbers are reserved for system use and you have run into a problem
>> that can only be fixed by not using such low numbers. The 3000014
>> number is coming from idmap.ldb but the group number is coming
>> from /etc/group (or whatever it is called on freebsd)
>>
>> Rowland
> Rowland-
>
> Again wind issues forth with no meaning.
>
> Where does your "Wisdom" about no UID below 1000 come from?
>
> Back 30 years ago when I started with Unix, and this network was first
> set up the normal practice was to start regular users at 100, with
> below 100 being reserved for SYSTEMS STAFF and System Processes.
> Typically on a stock Sun box running NIS the NIS maps were built
> starting at 100 and systems staff were below that so that if NIS failed
> systems staff could still log into a box to fix things.
>
> As I recall the UID starting convention for POSIX systems started to
> creep higher than 100 with the copy-cat called Gnu/Linux. If I recall
> correctly the first time I saw 501 as a default starting UID was with
> Debian years ago. Every Mac that rolls off the factory floor is set to
> start ordinary users at 501 today. Yes many of the various GNU/Linux
> distributions have adopted 1000 and above for REGULAR USERS, but there
> is no technical reason for it, and in fact unless, as is the case with
> NIS, there is a table saying do not put this UID in the map there is no
> reason that 34 should not happily go into the Samba directory service.
>
> I will take a moment to point out in the case of NIS it was, and is
> possible by changing a single thing in the Makefile used for making the
> maps to set whatever cutoff UID you wish, and to include random UIDs in
> the maps as well.
>
> I would submit that if Samba can not do this then Samba 4 is broken.
> What is even more broken is that samba-tool silently accepted 34 as a
> UID and created the samba user. If UIDs below 1000 are forbidden then a
> properly written program would have thrown an exception.
>
> There are many TB of data on the network. Most of the UIDs are below
> 1000, in fact most are below 500.
>
> Can you provide considered technical reasons that Samba can NO LONGER
> HANDLE whatever UID the admin wishes to assign?
>
> It would seem to me what you said is "You found a bug and the samba
> core team does not want to fix it", but what do I know I have only been
> hacking on Unix boxes since about 1982 or 1983.
>
> If anyone else on the list has insight into the situation I would
> appreciate hearing from you. I am too involved in the FreeBSD arm port
> to devote time to reading the samba sources to find the bug.
>
> -Brett
>
>

OK, somebody joins your network with a debian machine (for instance),
now you might say this will never happen, but it could. You will now
find that if your user '34' logs in, their group is no longer 'wheel'
it is 'backup'. That is why it is better to stay away from using id
numbers below 1000.

You can use whatever id numbers you like, but don't be surprised if and
when, using such low numbers, they come back and bite you in the behind.

Also, don't think you know everything just because you have been using
Unix since 1982, things have changed a lot since then, but it sounds
like you haven't. I personally think that you are leaving one hell of a
mess for the poor unfortunate that follows on from you, after you
retire.

Rowland
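
Added example (not part of any message in this thread, and not Samba code): a small audit that flags numeric IDs resolving to different account names on different hosts, which is the collision described in the last message. The host names and passwd entries are constructed samples; the same function also works on group(5) files.

```python
from collections import defaultdict

# Constructed passwd(5)-format samples; host names are hypothetical.
# UID 34 for wynkoop is the value discussed in the thread; Debian ships
# a "backup" system account on the same number.
HOST_PASSWD = {
    "fileserver": (
        "root:*:0:0:Charlie &:/root:/bin/csh\n"
        "wynkoop:*:34:0:Brett Wynkoop:/home/wynkoop:/bin/sh\n"
    ),
    "debian-client": (
        "root:x:0:0:root:/root:/bin/bash\n"
        "backup:x:34:34:backup:/var/backups:/usr/sbin/nologin\n"
        "+::::::\n"  # NIS compat entry, must be skipped
    ),
}


def parse_ids(text):
    """Map numeric ID -> name from passwd(5)/group(5) text (ID is field 3)."""
    ids = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if line.startswith("#") or len(fields) < 3 or not fields[2].isdigit():
            continue  # comments, blank or malformed lines, NIS '+' entries
        ids.setdefault(int(fields[2]), fields[0])  # first match wins, as in lookups
    return ids


def find_conflicts(host_files):
    """Return {id: {host: name}} for IDs that resolve to different names."""
    seen = defaultdict(dict)
    for host, text in host_files.items():
        for num, name in parse_ids(text).items():
            seen[num][host] = name
    return {num: names for num, names in sorted(seen.items())
            if len(set(names.values())) > 1}


if __name__ == "__main__":
    for num, names in find_conflicts(HOST_PASSWD).items():
        owners = ", ".join(f"{h}={n}" for h, n in names.items())
        print(f"ID {num} is ambiguous: {owners}")
```

Files written by one of these accounts and read over a path that carries only the number (NFS, a restored tar archive) would be attributed to the other account on the second host.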