samba - Jun 2016 - Samba 4 Member server show diferent UID than Ad Server

Without UID and / or GID configured into AD database (into LDAP tree) Samba
would give UID / GID to users and groups when needed, and as nothing is
written, Samba has to guess. This guessing process is called id mapping.

Samba does not synchronize generated file containing this ID map. No
synchronization and xID random xID fathers to xID inconsistency.

This is not necessarily an issue: with only one DC (a config I can't
approve) no issue: Sysvol is hosted by only one DC, no inconsistency when
your are alone (that's when you met people that craziness appears :). File
servers do not host same files normally: AD DC are hosting Sysvol and
NetLogon and these both shares are not hosted on file servers which are
hosting others files. Different files so no issue with rights... as long as
you don't have to make copy or displace files from server to server, in
that case that could be a mess..

Solution seems to be:
- give UID/GID to everything in AD. Your users and those in CN=BUILTIN and
CN=Users too.
- synchronize private/idmap.ldb across your DC at least (they all host
Sysvol, sysvol is rsynced, here you can have issues with UID/GID). Members
servers seem to not have that file.
- use "net cache flush" to clear idmap cache on every server (members
included). Once cache is cleared, Winbind would need to find out what
UID/GID to use, it should now rely on UID:GID declared into AD database and
the issue should disappear.

2016-06-14 9:14 GMT+02:00 Mueller <mueller at tropenklinik.de>:
> So you need to configure winbindd the right way to solve this.
> In deed if you have another UID it can result in "access
refused".
> This is an issue I treid to discuss since samba4 started and I think this
> should be an integrated thing in samba ads to member server
> Without having admins to bother about.
>
> Greetings
> Daniel
>
>
> EDV Daniel Müller
>
> Leitung EDV
> Tropenklinik Paul-Lechler-Krankenhaus
> Paul-Lechler-Str. 24
> 72076 Tübingen
> Tel.: 07071/206-463, Fax: 07071/206-499
> eMail: mueller at tropenklinik.de
> Internet: www.tropenklinik.de
>
>
>
>
> -----Ursprüngliche Nachricht-----
> Von: Juan Ignacio [mailto:juan.ignacio.pazos at gmail.com]
> Gesendet: Montag, 13. Juni 2016 17:32
> An: samba at lists.samba.org
> Betreff: [Samba] Samba 4 Member server show diferent UID than Ad Server
>
> Hello friends, I come to ask for a hand.
>
> I have an AD server with Samba 4.1 and added a Member Server 4.4 without
> problems.
>
> The only problem I'm having is that the UID of users in the Member
Server
> are different from the AD server.
>
> Ad Server
>
> KENNEDY\florenciaelmone:*:3000679:100:Florencia Elmone
> Domingues:/home/KENNEDY/florenciaelmone:/bin/false
>
> Member Server
>
> florenciaelmone:*:100002:100008:Florencia Elmone
> Domingues:/home/KENNEDY/florenciaelmone:/bin/false
>
> Some way to resolve this?
>
> Thanks.
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

I like the idea.

- synchronize private/idmap.ldb across your DC at least (they all host
Sysvol, sysvol is rsynced, here you can have issues with UID/GID). Members
servers seem to not have that file.

But in my Domain Controler I do not find this file.

I found the file in the AD DC.

There any way to avoid adding UID users, or impossible without doing this.
They are as 300 users.

Analista Inf.
Juan Ignacio Pazos
<http://www.linkedin.com/pub/juan-ignacio-pazos-lorenzo/19/9b9/26a>

2016-06-14 7:23 GMT-03:00 mathias dufresne <infractory at gmail.com>:
> Without UID and / or GID configured into AD database (into LDAP tree) Samba
> would give UID / GID to users and groups when needed, and as nothing is
> written, Samba has to guess. This guessing process is called id mapping.
>
> Samba does not synchronize generated file containing this ID map. No
> synchronization and xID random xID fathers to xID inconsistency.
>
> This is not necessarily an issue: with only one DC (a config I can't
> approve) no issue: Sysvol is hosted by only one DC, no inconsistency when
> your are alone (that's when you met people that craziness appears :).
File
> servers do not host same files normally: AD DC are hosting Sysvol and
> NetLogon and these both shares are not hosted on file servers which are
> hosting others files. Different files so no issue with rights... as long as
> you don't have to make copy or displace files from server to server, in
> that case that could be a mess..
>
> Solution seems to be:
> - give UID/GID to everything in AD. Your users and those in CN=BUILTIN and
> CN=Users too.
> - synchronize private/idmap.ldb across your DC at least (they all host
> Sysvol, sysvol is rsynced, here you can have issues with UID/GID). Members
> servers seem to not have that file.
> - use "net cache flush" to clear idmap cache on every server
(members
> included). Once cache is cleared, Winbind would need to find out what
> UID/GID to use, it should now rely on UID:GID declared into AD database and
> the issue should disappear.
>
> 2016-06-14 9:14 GMT+02:00 Mueller <mueller at tropenklinik.de>:
>
> > So you need to configure winbindd the right way to solve this.
> > In deed if you have another UID it can result in "access
refused".
> > This is an issue I treid to discuss since samba4 started and I think
this
> > should be an integrated thing in samba ads to member server
> > Without having admins to bother about.
> >
> > Greetings
> > Daniel
> >
> >
> > EDV Daniel Müller
> >
> > Leitung EDV
> > Tropenklinik Paul-Lechler-Krankenhaus
> > Paul-Lechler-Str. 24
> > 72076 Tübingen
> > Tel.: 07071/206-463, Fax: 07071/206-499
> > eMail: mueller at tropenklinik.de
> > Internet: www.tropenklinik.de
> >
> >
> >
> >
> > -----Ursprüngliche Nachricht-----
> > Von: Juan Ignacio [mailto:juan.ignacio.pazos at gmail.com]
> > Gesendet: Montag, 13. Juni 2016 17:32
> > An: samba at lists.samba.org
> > Betreff: [Samba] Samba 4 Member server show diferent UID than Ad
Server
> >
> > Hello friends, I come to ask for a hand.
> >
> > I have an AD server with Samba 4.1 and added a Member Server 4.4
without
> > problems.
> >
> > The only problem I'm having is that the UID of users in the Member
Server
> > are different from the AD server.
> >
> > Ad Server
> >
> > KENNEDY\florenciaelmone:*:3000679:100:Florencia Elmone
> > Domingues:/home/KENNEDY/florenciaelmone:/bin/false
> >
> > Member Server
> >
> > florenciaelmone:*:100002:100008:Florencia Elmone
> > Domingues:/home/KENNEDY/florenciaelmone:/bin/false
> >
> > Some way to resolve this?
> >
> > Thanks.
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> >
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> >
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

2016-06-14 16:52 GMT+02:00 Juan Ignacio <juan.ignacio.pazos at gmail.com>:
> I like the idea.
>
> - synchronize private/idmap.ldb across your DC at least (they all host
> Sysvol, sysvol is rsynced, here you can have issues with UID/GID). Members
> servers seem to not have that file.
>
> But in my Domain Controler I do not find this file.
>
I expect you meant "domain member" rather tha "domain
controller". Domain
member don't have that file.

>
> I found the file in the AD DC.
>
Yep it exists on AD DC.

>
> There any way to avoid adding UID users, or impossible without doing this.
> They are as 300 users.
>
As I explained below (previous mail) the fact UID/GID are not the same
between DC and file servers is not necessarily an issue: these UID/GID are
used by Samba to translate Windows identity to UNIX identity (Windows users
from Windows clients accessing Windows shares hosted by Samba, on Linux
system and so hosted by Linux file system, rights on Linux FS are done
using UID/GID).

Now if you are a bit lost with all these rights management or if you want
limit risk in future (more DC, using DFS or whatever) the simpler is to set
up UID and GID to every users and every groups.

You will have to set up GID on groups first, then UID (and GID) on users if
you do that manually using ADUC (at least it was the case I believe when I
tested).

To avoid doing that manually: script it! Chaining ldbsearch to list groups
then to list users, awk to read the result of ldbsearch and to write
resultant LDIF file.

Then you run one command: ldbmodify -H $sam
/path/to/your/newly/created/file/ldif
This command should modify all users and groups as defined into LDIF file,
adding uidNumber and/or gidNumber to groups and users if the script is
correct enough.

Have fun ;)

>
> Analista Inf.
> Juan Ignacio Pazos
> <http://www.linkedin.com/pub/juan-ignacio-pazos-lorenzo/19/9b9/26a>
>
> 2016-06-14 7:23 GMT-03:00 mathias dufresne <infractory at gmail.com>:
>
>> Without UID and / or GID configured into AD database (into LDAP tree)
>> Samba
>> would give UID / GID to users and groups when needed, and as nothing is
>> written, Samba has to guess. This guessing process is called id
mapping.
>>
>> Samba does not synchronize generated file containing this ID map. No
>> synchronization and xID random xID fathers to xID inconsistency.
>>
>> This is not necessarily an issue: with only one DC (a config I
can't
>> approve) no issue: Sysvol is hosted by only one DC, no inconsistency
when
>> your are alone (that's when you met people that craziness appears
:). File
>> servers do not host same files normally: AD DC are hosting Sysvol and
>> NetLogon and these both shares are not hosted on file servers which are
>> hosting others files. Different files so no issue with rights... as
long
>> as
>> you don't have to make copy or displace files from server to
server, in
>> that case that could be a mess..
>>
>> Solution seems to be:
>> - give UID/GID to everything in AD. Your users and those in CN=BUILTIN
and
>> CN=Users too.
>> - synchronize private/idmap.ldb across your DC at least (they all host
>> Sysvol, sysvol is rsynced, here you can have issues with UID/GID).
Members
>> servers seem to not have that file.
>> - use "net cache flush" to clear idmap cache on every server
(members
>> included). Once cache is cleared, Winbind would need to find out what
>> UID/GID to use, it should now rely on UID:GID declared into AD database
>> and
>> the issue should disappear.
>>
>> 2016-06-14 9:14 GMT+02:00 Mueller <mueller at tropenklinik.de>:
>>
>> > So you need to configure winbindd the right way to solve this.
>> > In deed if you have another UID it can result in "access
refused".
>> > This is an issue I treid to discuss since samba4 started and I
think
>> this
>> > should be an integrated thing in samba ads to member server
>> > Without having admins to bother about.
>> >
>> > Greetings
>> > Daniel
>> >
>> >
>> > EDV Daniel Müller
>> >
>> > Leitung EDV
>> > Tropenklinik Paul-Lechler-Krankenhaus
>> > Paul-Lechler-Str. 24
>> > 72076 Tübingen
>> > Tel.: 07071/206-463, Fax: 07071/206-499
>> > eMail: mueller at tropenklinik.de
>> > Internet: www.tropenklinik.de
>> >
>> >
>> >
>> >
>> > -----Ursprüngliche Nachricht-----
>> > Von: Juan Ignacio [mailto:juan.ignacio.pazos at gmail.com]
>> > Gesendet: Montag, 13. Juni 2016 17:32
>> > An: samba at lists.samba.org
>> > Betreff: [Samba] Samba 4 Member server show diferent UID than Ad
Server
>> >
>> > Hello friends, I come to ask for a hand.
>> >
>> > I have an AD server with Samba 4.1 and added a Member Server 4.4
without
>> > problems.
>> >
>> > The only problem I'm having is that the UID of users in the
Member
>> Server
>> > are different from the AD server.
>> >
>> > Ad Server
>> >
>> > KENNEDY\florenciaelmone:*:3000679:100:Florencia Elmone
>> > Domingues:/home/KENNEDY/florenciaelmone:/bin/false
>> >
>> > Member Server
>> >
>> > florenciaelmone:*:100002:100008:Florencia Elmone
>> > Domingues:/home/KENNEDY/florenciaelmone:/bin/false
>> >
>> > Some way to resolve this?
>> >
>> > Thanks.
>> > --
>> > To unsubscribe from this list go to the following URL and read the
>> > instructions:  https://lists.samba.org/mailman/options/samba
>> >
>> >
>> > --
>> > To unsubscribe from this list go to the following URL and read the
>> > instructions:  https://lists.samba.org/mailman/options/samba
>> >
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>
>

On 14/06/16 15:52, Juan Ignacio wrote:
> I like the idea.
>
> - synchronize private/idmap.ldb across your DC at least (they all host
> Sysvol, sysvol is rsynced, here you can have issues with UID/GID). Members
> servers seem to not have that file.
idmap.ldb is only used on a Samba 4 AD DC, but the contents can be and 
and very often are different on each DC.
>
> But in my Domain Controler I do not find this file.
>
> I found the file in the AD DC.
I don't quite understand this, you have a domain controller that doesn't
have an idmap.ldb file, is this a windows domain controller ?

The idmap.ldb file you found, was this on a secondary AD DC ?
>
> There any way to avoid adding UID users, or impossible without doing this.
> They are as 300 users.
On a domain member, yes.
On a Samba AD DC, yes
There is a problem however, your users on the DC would get a different 
UID compared to the domain member. the same goes for groups.

Rowland