Stéphane PURNELLE
2015-Aug-03 07:43 UTC
[Samba] Question about samba 4 member server of a pure Windows AD
Hi,
An account created with samba3/ldap (created before 2014-02-20):

SID: S-1-5-21-XXXXXXXXXX-XXXXXXXXX-XXXXXXXXXX-3216
UidNumber : 1108

An account created with Users and computers (samba 4 AD DC)

SID: S-1-5-21-XXXXXXXXXX-XXXXXXXXX-XXXXXXXXXX-5878
uidNumber : 10023

My actual config (in file-server) :
idmap config XXXXXX:backend = ad
idmap config XXXXXX:schema_mode = rfc2307
idmap config XXXXXX:range = 1005-40000

If I apply RID backend :

ID = RID - BASE_RID + LOW_RANGE_ID.

For the first account :
3216 - 0 + 1005 = 4221 => bad, must be 1108

For the latest created account :
5878 - 0 + 1005 = 6883 => bad, must be 10023

If the generated uidNumber is not the same as the actual uidNumber, I will
lose my ACL.

regards
Stéphane Purnelle

From: Rowland Penny <rowlandpenny241155 at gmail.com>
To: samba at lists.samba.org
Date: 02/08/2015 20:27
Subject: Re: [Samba] Question about samba 4 member server of a pure Windows AD
Sent by: "samba" <samba-bounces at lists.samba.org>

On 02/08/15 17:31, Stéphane PURNELLE wrote:
> Hi,
>
> I don't think that rid backend will work, because when we start samba
> (samba 2.2.8a) lower uid was 1000, but when we moved to samba 4, power uid
> was put to 10000.
> That's mean new user and group use uidNUmber or groupNUmber > 10000. But
> we have old account and group with uid or gid < 10000
>
>
> regards
>
> Stéphane Purnelle
>
>
> "samba" <samba-bounces at lists.samba.org> wrote on 31/07/2015 22:42:23:
>
>> From: Rowland Penny <rowlandpenny241155 at gmail.com>
>> To: samba at lists.samba.org
>> Date: 31/07/2015 22:51
>> Subject: Re: [Samba] Question about samba 4 member server of a pure Windows AD
>> Sent by: "samba" <samba-bounces at lists.samba.org>
>>
>> On 31/07/15 20:43, Stéphane PURNELLE wrote:
>>> Hi,
>>>
>>> Actually, we have a samba 4 AD DC and 2 samba 4 AD member server as
>>> file-server.
>>> But my company is member of a group who have i proper AD (A windows AD
>>> server)
>>>
>>> I don't know if the windows AD has implemented rfc2307 and if the sysadmin
>>> of the windows AD can add rfc2307.
>>>
>>> I just would like to know if there are alternative for have uid <> sid
>>> mapping without rfc2307.
>>> Like extract uid from windows SID (based on algorithm uid = uid*2 + 1000
>>> or something like this)
>>>
>>> thank you for your help
>>>
>>> Stéphane Purnelle
>> Yes, it is called the 'rid' backend, see 'man idmap_rid'
>>
>> Rowland
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba

If you use the rid backend, any uidNumbers & gidNumbers in AD are
ignored, the user's UID will be calculated from this: ID = RID - BASE_RID
+ LOW_RANGE_ID

So if you have two users with the RIDs of 9999 & 10001, their UIDs would
be this (note BASE_RID is 0 unless set in smb.conf), LOW_RANGE_ID would
be set to 3000

UID = 9999 - 0 + 3000
Which would become: UID = 12999

UID = 10001 - 0 + 3000
Which would become: UID = 13001

These are just a couple of examples, from which I hope you can see,
provided you set the LOW_RANGE_ID lower than your lowest RID, it should
work, of course you will probably have to set the builtin range way
above your workgroup range.

Rowland
Rowland Penny
2015-Aug-03 08:01 UTC
[Samba] Question about samba 4 member server of a pure Windows AD
On 03/08/15 08:43, Stéphane PURNELLE wrote:
> Hi,
>
> A account created with samba3/ldap (created before 2014-02-20):
>
> SID: S-1-5-21-XXXXXXXXXX-XXXXXXXXX-XXXXXXXXXX-3216
> UidNumber : 1108
>
> A account created with Users and computers (samba 4 AD DC)
>
> SID: S-1-5-21-XXXXXXXXXX-XXXXXXXXX-XXXXXXXXXX-5878
> uidNumber : 10023
>
>
> My actual config (in file-server) :
> idmap config XXXXXX:backend = ad
> idmap config XXXXXX:schema_mode = rfc2307
> idmap config XXXXXX:range = 1005-40000
>
> If I apply RID backend :
>
> ID = RID - BASE_RID + LOW_RANGE_ID.
>
> For the first account :
> 3216 - 0 + 1005 = 4221 => bad must be 1108
>
> For the latest created account :
> 5878 - 0 + 1005 = 6883 => bad must be 10023
>
> if generated uidNumber not the same that actual uidNumber, I will lose my
> ACL.
>
> regards
>
> Stéphane Purnelle
>
>
>
>
> From: Rowland Penny <rowlandpenny241155 at gmail.com>
> To: samba at lists.samba.org
> Date: 02/08/2015 20:27
> Subject: Re: [Samba] Question about samba 4 member server of a pure Windows AD
> Sent by: "samba" <samba-bounces at lists.samba.org>
>
>
>
> On 02/08/15 17:31, Stéphane PURNELLE wrote:
>> Hi,
>>
>> I don't think that rid backend will work, because when we start samba
>> (samba 2.2.8a) lower uid was 1000, but when we moved to samba 4, power uid
>> was put to 10000.
>> That's mean new user and group use uidNUmber or groupNUmber > 10000. But
>> we have old account and group with uid or gid < 10000
>>
>>
>> regards
>>
>> Stéphane Purnelle
>>
>>
>> "samba" <samba-bounces at lists.samba.org> wrote on 31/07/2015 22:42:23:
>>
>>> From: Rowland Penny <rowlandpenny241155 at gmail.com>
>>> To: samba at lists.samba.org
>>> Date: 31/07/2015 22:51
>>> Subject: Re: [Samba] Question about samba 4 member server of a pure Windows AD
>>> Sent by: "samba" <samba-bounces at lists.samba.org>
>>>
>>> On 31/07/15 20:43, Stéphane PURNELLE wrote:
>>>> Hi,
>>>>
>>>> Actually, we have a samba 4 AD DC and 2 samba 4 AD member server as
>>>> file-server.
>>>> But my company is member of a group who have i proper AD (A windows AD
>>>> server)
>>>>
>>>> I don't know if the windows AD has implemented rfc2307 and if the sysadmin
>>>> of the windows AD can add rfc2307.
>>>>
>>>> I just would like to know if there are alternative for have uid <> sid
>>>> mapping without rfc2307.
>>>> Like extract uid from windows SID (based on algorithm uid = uid*2 + 1000
>>>> or something like this)
>>>>
>>>> thank you for your help
>>>>
>>>> Stéphane Purnelle
>>> Yes, it is called the 'rid' backend, see 'man idmap_rid'
>>>
>>> Rowland
>>>
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions: https://lists.samba.org/mailman/options/samba
> If you use the rid backend, any uidNumbers & gidNumbers in AD are
> ignored, the users UID will be calculated from this: ID = RID - BASE_RID
> + LOW_RANGE_ID
>
> So if you have two users with the RIDs of 9999 & 10001, their UIDs would
> be this (note BASE_RID is 0 unless set in smb.conf), LOW_RANGE_ID would
> be set to 3000
>
> UID = 9999 - 0 + 3000
> Which would become: UID = 12999
>
> UID = 10001 - 0 + 3000
> Which would become: UID = 13001
>
> These are just a couple of examples, from which I hope you can see,
> provide you set the LOW_RANGE_ID lower than your lowest RID, it should
> work, of course you will probably have to set the builtin range way
> above your workgroup range.
>
> Rowland
>
>

OK, in your first post there is this:

[quote]
I don't know if the windows AD has implemented rfc2307 and if the sysadmin
of the windows AD can add rfc2307.

I just would like to know if there are alternative for have uid <> sid
mapping without rfc2307.
[/quote]

Now you are saying, 'I must use the ad backend, even if it might not
have been set up in AD'.

Sorry but you cannot have it both ways, you either make your AD admins
install IDMU and give your users & groups uidNumbers & gidNumbers, or
you use the rid backend and set up the ACLs accordingly.

Rowland
Stéphane PURNELLE
2015-Aug-03 08:12 UTC
[Samba] Question about samba 4 member server of a pure Windows AD
Hi,

That's the answer that I wanted to read.

Thank you

Stéphane Purnelle

"samba" <samba-bounces at lists.samba.org> wrote on 03/08/2015 10:01:39:
> From: Rowland Penny <rowlandpenny241155 at gmail.com>
> To: samba at lists.samba.org
> Date: 03/08/2015 10:10
> Subject: Re: [Samba] Question about samba 4 member server of a pure Windows AD
> Sent by: "samba" <samba-bounces at lists.samba.org>
>
> OK, in your first post there is this:
>
> [quote]
> I don't know if the windows AD has implemented rfc2307 and if the sysadmin
> of the windows AD can add rfc2307.
>
> I just would like to know if there are alternative for have uid <> sid
> mapping without rfc2307.
> [/quote]
>
> Now you are saying, 'I must use the ad backend, even if it might not
> have been set up in AD'.
>
> Sorry but you cannot have it both ways, you either make your AD admins
> install IDMU and give your users & groups uidNumbers & gidNumbers, or
> you use the rid backend and set up the ACLs accordingly.
>
> Rowland
>
>
Sébastien Le Ray
2015-Aug-03 08:17 UTC
[Samba] Question about samba 4 member server of a pure Windows AD
Hi,
What you're trying to do is mixing RID and rfc2307. This is not possible.
I've the same kind of issue here (Samba 3 migrated DC with samba unix
users created in the same range as regular unix users), but still use
rfc2307 so I can renumber users one by one as follows:

  * Save old uid (1000-2000 range)
  * Give a new one (10000+ range)
  * Launch a command like (multiple -e are possible) on every unix
    computer having shares

      find . | while IFS= read -r file; do
          getfacl "$file" \
            | sed -e "s,user:olduid:,user:newuid:," \
            | setfacl --set-file=- "$file"
      done

  * Wait for user support ticket escalation :-)

If your Windows AD does not use rfc2307, you can switch to rid but then
you'll have to perform the whole ACL change at once (since rfc2307 allows
me to choose UID I can perform the changes smoothly over time).

Regards

On 03/08/2015 09:43, Stéphane PURNELLE wrote:
> Hi,
>
> A account created with samba3/ldap (created before 2014-02-20):
>
> SID: S-1-5-21-XXXXXXXXXX-XXXXXXXXX-XXXXXXXXXX-3216
> UidNumber : 1108
>
> A account created with Users and computers (samba 4 AD DC)
>
> SID: S-1-5-21-XXXXXXXXXX-XXXXXXXXX-XXXXXXXXXX-5878
> uidNumber : 10023
>
>
> My actual config (in file-server) :
> idmap config XXXXXX:backend = ad
> idmap config XXXXXX:schema_mode = rfc2307
> idmap config XXXXXX:range = 1005-40000
>
> If I apply RID backend :
>
> ID = RID - BASE_RID + LOW_RANGE_ID.
>
> For the first account :
> 3216 - 0 + 1005 = 4221 => bad must be 1108
>
> For the latest created account :
> 5878 - 0 + 1005 = 6883 => bad must be 10023
>
> if generated uidNumber not the same that actual uidNumber, I will lose my
> ACL.
>
> regards
>
> Stéphane Purnelle
>
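
Added example, not part of any post in this thread: it combines the rid formula quoted above with the ACL renumbering step, computing which accounts would change ID under the rid backend and rewriting ACL text in a single pass. The function names, account names and sample ACL lines are constructed, and it assumes the ACLs were dumped with `getfacl -n` so entries are numeric.

```sh
#!/bin/sh
# Added example; function names and sample data are constructed.

# rid_uid RID LOW HIGH [BASE_RID]: ID = RID - BASE_RID + LOW_RANGE_ID.
# Prints the ID, or returns 1 when it falls outside the idmap range.
rid_uid() {
    id=$(( $1 - ${4:-0} + $2 ))
    [ "$id" -ge "$2" ] && [ "$id" -le "$3" ] || return 1
    echo "$id"
}

# uid_map LOW HIGH: reads "name rid uidNumber" lines, prints "old new"
# for every account whose rfc2307 uidNumber differs from the rid value.
uid_map() {
    while read -r name rid old; do
        new=$(rid_uid "$rid" "$1" "$2") || {
            echo "$name: RID $rid maps outside $1-$2" >&2
            continue
        }
        [ "$new" = "$old" ] || echo "$old $new"
    done
}

# remap_acl MAPFILE: rewrites numeric user: and default:user: entries of
# `getfacl -n` text on stdin. Each entry is looked up once, so an ID is
# never remapped twice when a new ID equals another account's old ID.
remap_acl() {
    awk -F: -v OFS=: -v mapfile="$1" '
        BEGIN { while ((getline l < mapfile) > 0) { split(l, p, " "); m[p[1]] = p[2] } }
        /^#/  { print; next }
        { f = ($1 == "default") ? 2 : 1
          if ($f == "user" && ($(f + 1) in m)) $(f + 1) = m[$(f + 1)]
          print }
    '
}

# Constructed input: the two accounts from the thread, range 1005-40000.
map=$(mktemp)
printf '%s\n' 'old_user 3216 1108' 'new_user 5878 10023' |
    uid_map 1005 40000 > "$map"
cat "$map"
# Constructed `getfacl -n` output for one file.
printf '%s\n' '# file: share/doc' 'user::rwx' 'user:1108:rw-' \
    'default:user:10023:r-x' | remap_acl "$map"
rm -f "$map"
```

The rewritten text can be fed to `setfacl --set-file=-` as in the command above. Files owned by a renumbered account also need a `chown`, which the ACL rewrite does not cover.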
Stéphane PURNELLE
2015-Aug-03 08:27 UTC
[Samba] Question about samba 4 member server of a pure Windows AD
Hi,
I'm not trying.
My actual configuration is rfc2307. And it works fine.
But if I must replace my AD DC by another AD DC (not managed by me and not
using rfc2307), my question was: what can I do?
Rid backend is not a solution, because I have too many ACLs to apply on
files and directories ( > 1Tb of data)
So the answer is: the newer AD DC must use rfc2307.

regards

Stéphane Purnelle