Rowland penny
2016-Jul-28 12:15 UTC
[Samba] Why is Samba4 not recommended as a file server?
On 28/07/16 11:53, mathias dufresne wrote:> > > 2016-07-28 12:27 GMT+02:00 Rowland penny <rpenny at samba.org > <mailto:rpenny at samba.org>>: > > On 28/07/16 10:32, mathias dufresne wrote: > > Can you explain why it would be an issue giving GID to "Domain > Admins" group? > > > This is because Domain Admins has to own group policies in sysvol, > not as a group but as a user. If you give Domain Admins a > gidNumber, it becomes purely a group, so it cannot own the group > policies as a user. > > This need sounds very strange to me... Why a group would need to be > considered as a user? > > I noticed earlier that groups are considered as users when it comes to > sysvol's ACLs. I thought it was because Samba was treating with XID > rather than UID and GID, and that use of XID is not precise enough to > make difference between users and groups, so to be sure Samba was > putting ACL on both sides (user ACL and group ACL). All that tought > because Samba relies on idmap and in idmap.ldb there is no UID/GID but > only XID. > > I don't think Windows clients are expecting to find groups in users' > ACLs so I'm really wondering why that would be an issue... >Yes it does sound strange, but, on windows, groups can and do own directories & files. An xidNumber is just that, a number, it is the context in how that number is used that is important. If you give Domain Admins a gidNumber attribute, then Domain Admins becomes just a group, but if you examine Domain Admins object in idmap.ldb, you will find that it is type 'ID_TYPE_BOTH'. This means that as far as Unix is concerned, Domain Admins is both a user and a group, so it can own dirs & files. Rowland
On Thu, 28 Jul 2016 13:15:43 +0100 Rowland penny <rpenny at samba.org> wrote: [snip]> > Yes it does sound strange, but, on windows, groups can and do own > directories & files. An xidNumber is just that, a number, it is the > context in how that number is used that is important. If you give > Domain Admins a gidNumber attribute, then Domain Admins becomes just > a group, ...[snip] Hmmm... ---------------------------------------------------------------------- $ ldapsearch -x -ZZZ -b 'ou=Groups,dc=example,dc=com' 'cn=Domain Admins' # extended LDIF # # LDAPv3 # base <ou=Groups,dc=example,dc=com> with scope subtree # filter: cn=Domain Admins # requesting: ALL # # Domain Admins, Groups, example.com dn: cn=Domain Admins,ou=Groups,dc=example,dc=com objectClass: top objectClass: posixGroup objectClass: sambaGroupMapping cn: Domain Admins gidNumber: 512 memberUid: root description: Netbios Domain Administrators sambaSID: S-1-5-21-3861070848-2803670205-3675378528-512 sambaGroupType: 2 displayName: Domain Admins # search result search: 3 result: 0 Success # numResponses: 2 # numEntries: 1 $ ldapmodify -x -ZZZ -W -D 'cn=admin,dc=example,dc=com' Enter LDAP Password: dn: cn=Domain Users,ou=Groups,dc=example,dc=com changetype: modify delete: gidNumber modifying entry "cn=Domain Users,ou=Groups,dc=example,dc=com" ^D ldap_modify: Object class violation (65) additional info: object class 'posixGroup' requires attribute 'gidNumber' ---------------------------------------------------------------------- To me this implies that "posixGroup"s and an AD are incompatible? (N.B.: I'm only posting this to satisfy my curiousity, not for any practical reason.) Regards, Jim -- Note: My mail server employs *very* aggressive anti-spam filtering. If you reply to this email and your email is rejected, please accept my apologies and let me know via my web form at <http://jimsun.LinxNet.com/contact/scform.php>.
Achim Gottinger
2016-Jul-28 13:17 UTC
[Samba] Why is Samba4 not recommended as a file server?
Am 28.07.2016 um 14:59 schrieb Jim Seymour:> On Thu, 28 Jul 2016 13:15:43 +0100 > Rowland penny <rpenny at samba.org> wrote: > > [snip] >> Yes it does sound strange, but, on windows, groups can and do own >> directories & files. An xidNumber is just that, a number, it is the >> context in how that number is used that is important. If you give >> Domain Admins a gidNumber attribute, then Domain Admins becomes just >> a group, ... > [snip] > > Hmmm... > > ---------------------------------------------------------------------- > $ ldapsearch -x -ZZZ -b 'ou=Groups,dc=example,dc=com' 'cn=Domain Admins' > # extended LDIF > # > # LDAPv3 > # base <ou=Groups,dc=example,dc=com> with scope subtree > # filter: cn=Domain Admins > # requesting: ALL > # > > # Domain Admins, Groups, example.com > dn: cn=Domain Admins,ou=Groups,dc=example,dc=com > objectClass: top > objectClass: posixGroup > objectClass: sambaGroupMapping > cn: Domain Admins > gidNumber: 512 > memberUid: root > description: Netbios Domain Administrators > sambaSID: S-1-5-21-3861070848-2803670205-3675378528-512 > sambaGroupType: 2 > displayName: Domain Admins > > # search result > search: 3 > result: 0 Success > > # numResponses: 2 > # numEntries: 1 > > $ ldapmodify -x -ZZZ -W -D 'cn=admin,dc=example,dc=com' > Enter LDAP Password: > dn: cn=Domain Users,ou=Groups,dc=example,dc=com > changetype: modify > delete: gidNumber > modifying entry "cn=Domain Users,ou=Groups,dc=example,dc=com" > ^D > ldap_modify: Object class violation (65) > additional info: object class 'posixGroup' requires attribute > 'gidNumber' > > ---------------------------------------------------------------------- > > To me this implies that "posixGroup"s and an AD are incompatible? > > (N.B.: I'm only posting this to satisfy my curiousity, not for any > practical reason.) > > Regards, > JimHello Jim, What is the result of getent passwd "Domain Admins"? 'getent group "Domain Admins"' should return the gid 512 but above may return an value from idmap.ldb achim~
Rowland penny
2016-Jul-28 13:28 UTC
[Samba] Why is Samba4 not recommended as a file server?
On 28/07/16 13:59, Jim Seymour wrote:> On Thu, 28 Jul 2016 13:15:43 +0100 > Rowland penny <rpenny at samba.org> wrote: > > [snip] >> Yes it does sound strange, but, on windows, groups can and do own >> directories & files. An xidNumber is just that, a number, it is the >> context in how that number is used that is important. If you give >> Domain Admins a gidNumber attribute, then Domain Admins becomes just >> a group, ... > [snip] > > Hmmm... > > ---------------------------------------------------------------------- > $ ldapsearch -x -ZZZ -b 'ou=Groups,dc=example,dc=com' 'cn=Domain Admins' > # extended LDIF > # > # LDAPv3 > # base <ou=Groups,dc=example,dc=com> with scope subtree > # filter: cn=Domain Admins > # requesting: ALL > # > > # Domain Admins, Groups, example.com > dn: cn=Domain Admins,ou=Groups,dc=example,dc=com > objectClass: top > objectClass: posixGroup > objectClass: sambaGroupMapping > cn: Domain Admins > gidNumber: 512 > memberUid: root > description: Netbios Domain Administrators > sambaSID: S-1-5-21-3861070848-2803670205-3675378528-512 > sambaGroupType: 2 > displayName: Domain Admins > > # search result > search: 3 > result: 0 Success > > # numResponses: 2 > # numEntries: 1 > > $ ldapmodify -x -ZZZ -W -D 'cn=admin,dc=example,dc=com' > Enter LDAP Password: > dn: cn=Domain Users,ou=Groups,dc=example,dc=com > changetype: modify > delete: gidNumber > modifying entry "cn=Domain Users,ou=Groups,dc=example,dc=com" > ^D > ldap_modify: Object class violation (65) > additional info: object class 'posixGroup' requires attribute > 'gidNumber' > > ---------------------------------------------------------------------- > > To me this implies that "posixGroup"s and an AD are incompatible? > > (N.B.: I'm only posting this to satisfy my curiousity, not for any > practical reason.) > > Regards, > JimTwo things here, I was talking AD and your ldif is from an NT4-style ldap domain and in AD you don't need to explicitly set the posixGroup objectClass. Rowland
On Thu, 28 Jul 2016 13:15:43 +0100 Rowland penny <rpenny at samba.org> wrote:> > On 28/07/16 11:53, mathias dufresne wrote: > > > > > > 2016-07-28 12:27 GMT+02:00 Rowland penny <rpenny at samba.org > > <mailto:rpenny at samba.org>>: > > > > On 28/07/16 10:32, mathias dufresne wrote: > > > > Can you explain why it would be an issue giving GID to "Domain > > Admins" group? > > > > > > This is because Domain Admins has to own group policies in sysvol, > > not as a group but as a user. If you give Domain Admins a > > gidNumber, it becomes purely a group, so it cannot own the group > > policies as a user. > > > > This need sounds very strange to me... Why a group would need to be > > considered as a user? > > > > I noticed earlier that groups are considered as users when it comes to > > sysvol's ACLs. I thought it was because Samba was treating with XID > > rather than UID and GID, and that use of XID is not precise enough to > > make difference between users and groups, so to be sure Samba was > > putting ACL on both sides (user ACL and group ACL). All that tought > > because Samba relies on idmap and in idmap.ldb there is no UID/GID but > > only XID. > > > > I don't think Windows clients are expecting to find groups in users' > > ACLs so I'm really wondering why that would be an issue... > > > > Yes it does sound strange, but, on windows, groups can and do own > directories & files. An xidNumber is just that, a number, it is the > context in how that number is used that is important. If you give Domain > Admins a gidNumber attribute, then Domain Admins becomes just a group, > but if you examine Domain Admins object in idmap.ldb, you will find that > it is type 'ID_TYPE_BOTH'. This means that as far as Unix is concerned, > Domain Admins is both a user and a group, so it can own dirs & files. > > RowlandTo add my two-cents worth, I did have a problem adding users to the 'Administrators' group (if that is what this subject relates to). Doing this caused any file created by such users to be created with the Administrator's UID of 3000000, not with their own UID. Rowland Penny figured this out for me. See my final email on this in this list dated August 25, 2015 00:13 EDT, and, generally, the thread subject "Samba4 DC/AD documents created in redirected folders with bogus UID", in this maillist. According to Rowland, van Belle and other contributors to that thread, this is normal Microsoft behavoir and, as such, is probably appropriate for Samba4 if it has a goal of aping Microsoft's AD, even if Microsoft's reasons for doing so are obscure. See this link provided by Rowland: http://serverfault.com/questions/19311/file-ownership-for-new-files-with-administrator-why-is-it-giving-ownership-to --Mark