Brett Randall
2016-Feb-16 09:32 UTC
[Samba] Mapping UIDs on Linux to same UID as AD-bound Mac is mapping to
Hi all

I have a Linux machine bound to AD, and a Mac bound to AD. Both have me log in with different UIDs for the same AD user. This makes sense, as AD doesn't have a UNIX-compliant uid/gid attribute.

One thing I have found that interests me is this:

https://books.google.com.au/books?id=yNILCwAAQBAJ&pg=PA111&lpg=PA111&dq=mac+%22active+directory%22+%22directory+utility%22+mappings+uid&source=bl&ots=s0fMZSMr8r&sig=uuyWWE-jzlimQ9U49sZ3KRDAXvI&hl=en&sa=X&ved=0ahUKEwi_q9uL-PvKAhXBkpQKHWvDBFkQ6AEIWjAH#v=onepage&q=mac%20%22active%20directory%22%20%22directory%20utility%22%20mappings%20uid&f=false

Specifically:

"...it is important that every system bound to Active Directory resolves the same unique ID for any respective user. To accomplish this, Apple uses the first 32 bytes of the user's GUID to generate a numerical value used as a statically mapped value for the OS X unique ID."

So, since the Linux Samba is the one using sequential UIDs where it generates a new UID each time a new user is identified, and the Mac is using somewhat AD-generated UIDs, my preference is to somehow make Linux Samba work the same way that Apple generates UIDs.

Has anyone done this? Surely it's a simple formula to generate the same UID on Linux, but how would one make Samba use this? I've looked at the idmap attributes in smb.conf(5) and can't figure out where to start.

Thanks in advance

Brett
Rowland penny
2016-Feb-16 09:59 UTC
[Samba] Mapping UIDs on Linux to same UID as AD-bound Mac is mapping to
On 16/02/16 09:32, Brett Randall wrote:
> Hi all
>
> I have a Linux machine bound to AD, and a Mac bound to AD. Both have me log
> in with different UIDs for the same AD user. This makes sense, as AD doesn't
> have a UNIX-compliant uid/gid attribute.

Well, as far as Samba is concerned it does, and if you add SFU or IDMU to Windows AD, it also does, i.e. uidNumber & gidNumber.

> One thing I have found that interests me is this:
>
> https://books.google.com.au/books?id=yNILCwAAQBAJ&pg=PA111&lpg=PA111&dq=mac+%22active+directory%22+%22directory+utility%22+mappings+uid&source=bl&ots=s0fMZSMr8r&sig=uuyWWE-jzlimQ9U49sZ3KRDAXvI&hl=en&sa=X&ved=0ahUKEwi_q9uL-PvKAhXBkpQKHWvDBFkQ6AEIWjAH#v=onepage&q=mac%20%22active%20directory%22%20%22directory%20utility%22%20mappings%20uid&f=false
>
> Specifically:
>
> "...it is important that every system bound to Active Directory resolves the
> same unique ID for any respective user. To accomplish this, Apple uses the
> first 32 bytes of the user's GUID to generate a numerical value used as a
> statically mapped value for the OS X unique ID."
>
> So, since the Linux Samba is the one using sequential UIDs where it
> generates a new UID each time a new user is identified, and the Mac is using
> somewhat AD-generated UIDs, my preference is to somehow make Linux Samba
> work the same way that Apple generates UIDs.

Whilst something like this may happen sometime in the future, at the moment it doesn't. If you have a mixture of Windows, Mac and Linux machines, you need to use RFC2307 attributes.

There is a specific Mac vfs module available for Samba that may help you, this is vfs_fruit; never used it myself, but I am assured it helps.

> Has anyone done this? Surely it's a simple formula to generate the same UID
> on Linux, but how would one make Samba use this? I've looked at the idmap
> attributes in smb.conf(5) and can't figure out where to start.

Have you tried reading the Samba wiki? See here: https://wiki.samba.org/index.php/Main_Page

Rowland

> Thanks in advance
>
> Brett
Ralph Boehme
2016-Feb-16 10:10 UTC
[Samba] Mapping UIDs on Linux to same UID as AD-bound Mac is mapping to
Hi,

On Tue, Feb 16, 2016 at 08:32:52PM +1100, Brett Randall wrote:
> Has anyone done this? Surely it's a simple formula to generate the same UID
> on Linux, but how would one make Samba use this? I've looked at the idmap
> attributes in smb.conf(5) and can't figure out where to start.

This would require a new idmap backend. I've looked into this before, but lacking customer demand never got to do it. And there's one thing that is broken by design in this mapping scheme: collisions.

-Ralph

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
Brett Randall
2016-Feb-16 20:52 UTC
[Samba] Mapping UIDs on Linux to same UID as AD-bound Mac is mapping to
> On Tue, Feb 16, 2016 at 08:32:52PM +1100, Brett Randall wrote:
>> Has anyone done this? Surely it's a simple formula to generate the
>> same UID on Linux, but how would one make Samba use this? I've looked
>> at the idmap attributes in smb.conf(5) and can't figure out where to start.
>
> This would require a new idmap backend. I've looked into this before, but
> lacking customer demand never got to do it. And there's one thing that is
> broken by design in this mapping scheme: collisions.
>
> -Ralph

Thanks Ralph. Are the collisions you're talking about the risk of two GUIDs sharing the same first 32 bytes? I wondered if this were possible/likely when I read that.

Brett.
Brett Randall
2016-Feb-16 21:26 UTC
[Samba] Mapping UIDs on Linux to same UID as AD-bound Mac is mapping to
Rowland writes:
>> So, since the Linux Samba is the one using sequential UIDs where it
>> generates a new UID each time a new user is identified, and the Mac is
>> using somewhat AD-generated UIDs, my preference is to somehow make
>> Linux Samba work the same way that Apple generates UIDs.
>
> Whilst something like this may happen sometime in the future, at the
> moment it doesn't. If you have a mixture of windows, mac and linux
> machines, you need to use RFC2307 attributes. There is a specific mac vfs
> module available for samba that may help you, this is vfs_fruit, never used it
> myself, but I am assured it helps.

Thanks Rowland, I wasn't aware of RFC2307 and found idmap_ad, which may just do what I need. I just need to come up with a plan for populating uidNumber and gidNumber in AD in a way that makes sense and has no room for human error. Looked into vfs_fruit, bit confused about how it would help but will keep researching.

Brett.
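Ralph's collision point and Brett's plan for hand-populating uidNumber, worked through as an added example (this is not code from the thread, from Samba or from Apple). It assumes the GUID-derived value is simply the first 32 bits of the objectGUID (a simplification of the book's wording), the directory entries are constructed, and the idmap range is a placeholder.

```python
import math
import uuid
from collections import defaultdict

# Constructed sample directory: (sAMAccountName, objectGUID). The last two
# entries deliberately share their leading 32 bits to show the collision case.
USERS = [
    ("alice", "3f2504e0-4f89-11d3-9a0c-0305e82c3301"),
    ("bob",   "7c9e6679-7425-40de-944b-e07fc1f90ae7"),
    ("carol", "550e8400-e29b-41d4-a716-446655440000"),
    ("dave",  "550e8400-1b2c-4d3e-8f90-a1b2c3d4e5f6"),
]

def uid_from_guid(guid: str) -> int:
    """Assumed GUID-to-UID rule: the first 32 bits of the objectGUID, read in
    the byte order AD stores the GUID in, as an unsigned integer."""
    return int.from_bytes(uuid.UUID(guid).bytes_le[:4], "little")

def find_collisions(users):
    """Return {uid: [names]} for every derived uid that more than one account
    maps to. Any such entry means two AD users would share files on disk."""
    by_uid = defaultdict(list)
    for name, guid in users:
        by_uid[uid_from_guid(guid)].append(name)
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}

def collision_probability(n_users: int, bits: int = 32) -> float:
    """Birthday-bound estimate that at least two of n random GUID prefixes
    collide: 1 - exp(-pairs / 2**bits). Rises with the square of n."""
    pairs = n_users * (n_users - 1) / 2
    return 1.0 - math.exp(-pairs / 2 ** bits)

def check_uidnumbers(assigned, low, high):
    """Validate a hand-populated RFC2307 plan before writing it to AD:
    every uidNumber must be unique and inside the idmap range Samba is
    configured with, so it can never clash with local or system accounts."""
    problems = []
    seen = {}
    for name, uidnum in assigned.items():
        if not low <= uidnum <= high:
            problems.append(f"{name}: uidNumber {uidnum} outside {low}-{high}")
        if uidnum in seen:
            problems.append(f"{name}: uidNumber {uidnum} already used by {seen[uidnum]}")
        seen.setdefault(uidnum, name)
    return problems
```

Running find_collisions over the constructed entries flags carol and dave, and collision_probability(10000) is about 1.2 percent, which is why a deterministic GUID-prefix scheme needs a collision check whereas explicit uidNumber values only need the uniqueness and range check.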