Rowland Penny via samba wrote:
> On Wed, 09 Nov 2016 15:20:41 -0800
> Linda W <samba at tlinx.org> wrote:
>
>>>> I have been waiting for the 4.x server to become a full server before upgrading from 3.6.22, but it is getting a bit long in the tooth. The requirement that in upgrading to 4.x I'll still need to run a 3.6 server made the upgrade seem like a lot of work for little gain (I only have a few users and most of them are "virtual me's"...).
>>>>
>>> Samba 4 is capable of being a full AD DC.
>>>
>> ---
>> But is it capable of being a full 3.6.xx file server with the same flexibility in mapping windows-ID's to local unix ID's?
>>
>
> This is the 'old' way of doing things and Microsoft seems to be trying to make it harder and harder to work with non-AD servers.
>
----
Yeah... lovely.

> So no, you don't map windows users to local Unix users, you make them local Unix users.
>
----
But I can create unix id's that are not windows domain id's. Various software packages installed on the server want their own ID -- and many of those have nothing to do with Windows. If I create the ID from windows, it creates a unix ID as well -- so I think that's already being done, though not always automatically -- especially if I have an existing unix ID that I want to have available on windows.

>> For example, I have the security groupings in my server's /etc/group file:
>>
>> Low Mandatory Level:!:11604096:
>> Medium Mandatory Level:!:11608192:
>> Medium Plus Mandatory Level:!:11608448:
>> High Mandatory Level:!:11612288:
>> System Mandatory Level:!:11616384:root
>>
>> on the server, so when I login to windows and bring up cygwin, I see my security label in my group listing. I have several Win-builtin and well-known ID ranges mapped to unix-ID ranges and that works (at least for identification purposes -- you can't force a Mandatory-level your user id doesn't already have in windows, but it will show ones you do have if there is a label for them in "winbind"). I use winbind to provide a single-signon from linux or win with the file ownerships being the same for domain RID's on linux and on windows (win7).
>>
>
> Just create the groups in AD and you probably won't need cygwin.
>
----
I don't need cygwin. It is handy for printing out all the ID's associated with a login -- including the mandatory labels. All of that isn't in one place on windows -- I used cygwin as an example as it's an easy way to verify what groups are associated with my ID, which for Domain groups, you can't easily see in Windows (maybe you can w/AD, dunno).

>>> If you use the DC as a fileserver, then there are a few minor problems you need to work around, mostly to do with IDs
>>>
>> ----
>> "Minor problems" -- enough so that it is recommended to run them on separate machines?
>>
>
> OK, the main visible problems are, A DC uses xidNumber's by default, these are all in the '3000000' range and any Unix domain members will get different IDs. You can work around this by giving Domain users & groups a uidNumber or gidNumber, this way, they all get the same ID everywhere in Unixland.
> You cannot use the login shell & Unix home directory attributes from AD on a DC, you have to use template lines in smb.conf.
>
---
Why not? Can't I configure that range?... FWIW, though, right now my ID's all map to the same range (as I don't rely on auto-allocation), like "idmap config *:range = 0-999999999" -- just wanted to make it include all of my mapped ranges.

I'm not averse to solving things w/symlinks or mounts on unix. For example, I have 'Athenae's (one of my win machines) disk mounted at '/Athenae' on my unix machine. When I use 'ls -l' on that dir, I see links on my win-machine that map to corresponding locations on my unix machine, like:

l--------- 1 0 Sep 24 14:55 D -> /??/UNC/Bliss/Documents/
l--------- 1 0 Jun 13 18:40 Documents -> /??/UNC/Bliss/Documents/

I.e. the links work the same whether you are on the windows or the linux machine. Only works for me at this point, but since I'm the only person who works on the unix machine, that's fine at this point.

> You don't really need most of the BUILTIN users & groups to be visible to Unix, winbind will silently map them for you with 'idmap config *:backend = tdb'
>
---
I need them visible if I want them to display on the Win machines in security dialogs showing users or groups from the domain. I.e. I generally see all of the available ID's on my server -- which is good, as I don't remember them all, and they aren't visible on my workstation. So configuring the server to enumerate them when I ask for all ID's of a type is very convenient if not essential (at least for me, as I don't use all of them often enough to remember them).

> No, you probably can't have it as easy as you have it now, with AD you can have it easier ;-)
>
----
For those that already know all the ins and outs, it's "obvious"; for those who don't -- it's magic... (akin to sufficiently advanced technology looking like magic... ;-)).
On Thu, 10 Nov 2016 14:41:48 -0800
Linda W <samba at tlinx.org> wrote:

> Rowland Penny via samba wrote:
>
> ----
> But I can create unix id's that are not windows domain id's. Various software packages installed on the server want their own ID -- and many of those have nothing to do with Windows. If I create the ID from windows, it creates a unix ID as well -- so I think that's already being done, though not always automatically -- especially if I have an existing unix ID that I want to have available on windows.

If you are talking about 'system' accounts (postfix, dovecot, apache, etc) then these do belong in /etc/passwd and /etc/group. As far as I am aware, windows doesn't use Unix IDs, it uses SID-RIDs

>>> on the server, so when I login to windows and bring up cygwin, I see my security label in my group listing. I have several Win-builtin and well-known ID ranges mapped to unix-ID ranges and that works (at least for identification purposes -- you can't force a Mandatory-level your user id doesn't already have in windows, but it will show ones you do have if there is a label for them in "winbind"). I use winbind to provide a single-signon from linux or win with the file ownerships being the same for domain RID's on linux and on windows (win7).
>>>
>>
>> Just create the groups in AD and you probably won't need cygwin.
>>
> ----
> I don't need cygwin. It is handy for printing out all the ID's associated with a login -- including the mandatory labels. All of that isn't in one place on windows -- I used cygwin as an example as it's an easy way to verify what groups are associated with my ID, which for Domain groups, you can't easily see in Windows (maybe you can w/AD, dunno).

OK, if you create a user or group in AD it gets a SID-RID, this is one for Domain Users:

S-1-5-21-1768301897-3342589593-1064908849-513

If I run 'getent group Domain\ Users' on a Unix domain member, I get this:

domain_users:x:10000:

What! a windows group is usable on Unix, how is this possible ?

This is possible because you can add this to the groups object in AD:

gidNumber: 10000

>>>> If you use the DC as a fileserver, then there are a few minor problems you need to work around, mostly to do with IDs
>>>>
>>> ----
>>> "Minor problems" -- enough so that it is recommended to run them on separate machines?
>>>
>>
>> OK, the main visible problems are, A DC uses xidNumber's by default, these are all in the '3000000' range and any Unix domain members will get different IDs. You can work around this by giving Domain users & groups a uidNumber or gidNumber, this way, they all get the same ID everywhere in Unixland.
>> You cannot use the login shell & Unix home directory attributes from AD on a DC, you have to use template lines in smb.conf.
>>
> ---
> Why not? Can't I configure that range?... FWIW, though, right now my ID's all map to the same range (as I don't rely on auto-allocation), like "idmap config *:range = 0-999999999" -- just wanted to make it include all of my mapped ranges.

Firstly, you shouldn't be starting your range at '0', but that is your decision. As I said, you do not map, you make your windows users & groups be Unix users & groups, you are also at liberty to give your users and groups whatever ID number you like.

> I'm not averse to solving things w/symlinks or mounts on unix. For example, I have 'Athenae's (one of my win machines) disk mounted at '/Athenae' on my unix machine. When I use 'ls -l' on that dir, I see links on my win-machine that map to corresponding locations on my unix machine, like:
>
> l--------- 1 0 Sep 24 14:55 D -> /??/UNC/Bliss/Documents/
> l--------- 1 0 Jun 13 18:40 Documents -> /??/UNC/Bliss/Documents/
>
> I.e. the links work the same whether you are on the windows or the linux machine. Only works for me at this point, but since I'm the only person who works on the unix machine, that's fine at this point.
>

Never tried to do this, but it should work on AD as well. Only thing is, it is usually done the other way around, i.e. the data is stored on a Unix machine and then mounted on the windows machine.

>> You don't really need most of the BUILTIN users & groups to be visible to Unix, winbind will silently map them for you with 'idmap config *:backend = tdb'
>>
> ---
> I need them visible if I want them to display on the Win machines in security dialogs showing users or groups from the domain. I.e. I generally see all of the available ID's on my server -- which is good, as I don't remember them all, and they aren't visible on my workstation. So configuring the server to enumerate them when I ask for all ID's of a type is very convenient if not essential (at least for me, as I don't use all of them often enough to remember them).

Go here and read:

https://support.microsoft.com/en-us/kb/243330

They are the BUILTIN users and groups I was referring to, if these aren't visible on your windows machines, then you have BIG problems. If you are referring to Unix users and groups, then, as I said, create them as windows users & groups and then give them a uidNumber or gidNumber.

>> No, you probably can't have it as easy as you have it now, with AD you can have it easier ;-)
>>
> ----
> For those that already know all the ins and outs, it's "obvious"; for those who don't -- it's magic... (akin to sufficiently advanced technology looking like magic... ;-)).
>

I would start reading up on using Samba as an AD domain, microsoft doesn't want you to use NT4-style domains any more and seems to be making it harder and harder to use them.

A good place to start is here:

https://wiki.samba.org/index.php/Main_Page

Rowland
On Fri, 11 Nov 2016 11:21:17 -0800
L A Walsh <samba at tlinx.org> wrote:

> Rowland Penny via samba wrote:
>> If you are talking about 'system' accounts (postfix, dovecot, apache, etc) then these do belong in /etc/passwd and /etc/group. As far as I am aware, windows doesn't use Unix IDs, it uses SID-RIDs
>>
> ----
> System accounts & groups -- I know windows doesn't use the UID's directly -- that's why I have them mapped, and there are very few below 500, um like these selections from the group file:
>
> SYSTEM:S-1-5-18:18:l:root,Domain Administrator

Wrong, so very wrong, root has the Unix ID '0' and is the only Unix user that needs mapping to, a Samba DC automatically maps Administrator to 'root' and you can do it on a Unix domain member via a user.map

> Domain Admins:!:512:root,Bliss\root
> Remote Desktop Users:!:555:linw,root,Bliss\linw

Whilst Domain Admins may need to be visible to Unix, Remote Desktop Users doesn't and you don't need to use the RID as a uidNumber, in fact it is a bad idea to do so.

> I used data files looking like:
>
> Everyone:x:11100:S-1-1-0,builtin:
> Creator Owner:x:11300:S-1-3-0,builtin:
> Authenticated Users:x:11511:S-1-5-11,builtin:
> Terminal Server Users:x:11513:S-1-5-13,builtin:
> Local System:x:11518:S-1-5-18,builtin:
> Local Service:x:11519:S-1-5-19,builtin:
> Network Service:x:11520:S-1-5-20,builtin:

Not one of these needs to be visible to Unix.

> to map SID's to "ID's" (UID+GID's) via fixed formulas with winbind knowing the ID->SID mappings.
>
> When I ask for a list of available options to put in an access list (where you select a windows-name for an access list, hit 'Advanced', and 'Find Now' and it queries the server for all options, as in the attached image).
>
> Before I added all the well-known and builtin SIDS to my server DB, I didn't have most of the ones shown in the picture -- just a few.

You have problems!

>> OK, if you create a user or group in AD it gets a SID-RID, this is one for Domain Users:
>>
>> S-1-5-21-1768301897-3342589593-1064908849-513
>>
> ---
> Right.
>
>> If I run 'getent group Domain\ Users' on a Unix domain member, I get this:
>>
>> domain_users:x:10000:
>>
> ---
> I'd get a name of "Domain Users" and an ID of 513.

The name is still the same and as I said, using 513 is a bad idea.

>> What! a windows group is usable on Unix, how is this possible ?
>>
> ---
> A windows group with a confusing ID. I find it less confusing if my RID either equals my ID (ID meaning Unix UID or GID). For some RID's I can't use a 1:1, like many in the data file fragment I showed above. I keep them from overlapping by using different, fixed ranges. Like for the Mandatory Levels which have authority SIDs starting with S-1-16, I used 116 as a prefix and add the RID (w/ leading zeros for <5 digits):
>
> Low Mandatory Level:x:11604096:S-1-16-4096,builtin:
> Medium Mandatory Level:x:11608192:S-1-16-8192,builtin:
> Medium Plus Mandatory Level:x:11608448:S-1-16-8448,builtin:
> High Mandatory Level:x:11612288:S-1-16-12288,builtin:
> System Mandatory Level:x:11616384:S-1-16-16384,builtin:
> Protected Process Mandatory Level:x:11620480:S-1-16-20480,builtin:
> Secure Process Mandatory Level:x:11628672:S-1-16-28672,builtin:
>

They may not be confusing to you, but they confused me, but it doesn't make any difference to Unix what ID you use.

>> This is possible because you can add this to the groups object in AD:
>>
>> gidNumber: 10000
>>
> ----
> Right -- many mapping utils use 1 fixed offset.

No, it isn't a mapping, I just chose to use the same start range that Windows does.

> It's just that I'm using several offsets to prevent collisions and embed the original SID's in the assigned unix ID's.

Why ? you can stop collisions by using the next available uidNumber or gidNumber, you can also have a user AND a group with the same number, one would be a uidNumber, the other a gidNumber.

>>> ---
>>> Why not? Can't I configure that range?... FWIW, though, right now my ID's all map to the same range (as I don't rely on auto-allocation), like "idmap config *:range = 0-999999999" -- just wanted to make it include all of my mapped ranges.
>>>
>>
>> Firstly, you shouldn't be starting your range at '0', but that is your decision. As I said, you do not map, you make your windows users & groups be Unix users & groups, you are also at liberty to give your users and groups whatever ID number you like.
>>
> ----
> See above for reasons for using those ranges.
>
> Of note: if I had to map users from another domain -- then I'd likely add some offset to my 'range' ... (C'est la vie!).
>
>> Never tried to do this, but it should work on AD as well. Only thing is, it is usually done the other way around, i.e. the data is stored on a Unix machine and then mounted on the windows machine.
>>
> ----
> All my "data" is stored on the server. I just have a mapping for my primary desktop client onto my server for convenience. It's not used that often.

You wouldn't need the symlink with AD, the data would belong to the user, whether the user was a windows user or a local Unix user, mainly because they would be the same user.

One thing I forgot to tell you, you cannot have private user groups i.e. you cannot have a user 'fred' and a group called 'fred', but this is not a problem. Your set up is your concern, but can I suggest you forget the old way of doing things and learn the new ways, in the end I think you will find it easier to use.

>> Go here and read:
>>
>> https://support.microsoft.com/en-us/kb/243330
>>
>> They are the BUILTIN users and groups I was referring to, if these aren't visible on your windows machines, then you have BIG problems.
>>
> ----
> They usually aren't visible on the drop-down list. Also, in 3.6.x, only a small number of the builtins were mapped at all in the samba SW, and most of those were blocked for enumeration purposes (poo!)... Maybe that's changed on 4.x?

Yes it has, if a windows group needs to be used on a Unix machine it will be mapped by winbind, but this usually only needs to be on the Samba AD DC (sysvol etc)

>> I would start reading up on using Samba as an AD domain, microsoft doesn't want you to use NT4-style domains any more and seems to be making it harder and harder to use them.
>>
>> A good place to start is here:
>>
>> https://wiki.samba.org/index.php/Main_Page
>>
> ---
> Will do, but as you might glimmer from the above, I have a rather customized solution for my *tiny* domain -- I wanted it to be a resource for me, as well as providing normal domain "stuff" (isn't that a technical term?)...

Too customized if you ask me, I think you have overthought it ;-)

Rowland
Rowland Penny via samba wrote:
> I think you have overthought it ;-)
>
----
That is certainly, not, impossible. ;^)

P.s. for the user groups I usually add _g or _grp... The point was to reserve the ID whether for UID or GID... but that could also be overthinking it... ;^)
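The thread turns on three things a hand-maintained SID-to-Unix-ID table can get wrong: an idmap range that starts at 0 and so overlaps root and the local system accounts, raw RIDs (512, 555, 18) reused as uidNumber/gidNumber in the range the OS reserves for local accounts, and collisions between the fixed-formula ranges. The script below is an added example, not code from this thread or from the Samba project: it parses a table in the poster's own name:x:ID:SID,origin: format plus an 'idmap config * : range' line, and reports each of those problems. The sample table and smb.conf fragment are constructed for the demonstration (they reuse the SIDs and the 0-999999999 range quoted above); the 1000 boundary for local system accounts and the 116-plus-RID check for S-1-16 labels are assumptions taken from common distribution defaults and from the poster's stated scheme.

```python
"""Sanity checks for a hand-maintained SID -> Unix ID table and its idmap range.

Added example, not code from the thread or from Samba. Table format and the
116+RID scheme for S-1-16 labels follow the posts above; thresholds and the
sample inputs are assumptions made for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SID_RE = re.compile(r"^S-1-(\d+)(?:-(\d+))+$")
LOCAL_SYSTEM_ID_MAX = 999  # assumption: IDs below 1000 belong to local system accounts

# Constructed sample in the poster's format: name:x:<unix id>:<SID>,<origin>:
# 'Typo Level' is a deliberately bad row (duplicate ID, scheme mismatch).
SAMPLE_TABLE = """\
Everyone:x:11100:S-1-1-0,builtin:
Authenticated Users:x:11511:S-1-5-11,builtin:
Local System:x:11518:S-1-5-18,builtin:
Domain Admins:x:512:S-1-5-21-1768301897-3342589593-1064908849-512,domain:
Remote Desktop Users:x:555:S-1-5-32-555,builtin:
Low Mandatory Level:x:11604096:S-1-16-4096,builtin:
High Mandatory Level:x:11612288:S-1-16-12288,builtin:
Typo Level:x:11612288:S-1-16-16384,builtin:
"""

# Constructed smb.conf fragment; the range is the one quoted in the thread.
SAMPLE_SMB_CONF = """\
[global]
   idmap config * : backend = tdb
   idmap config * : range = 0-999999999
"""


@dataclass
class Entry:
    name: str
    unix_id: int
    sid: str
    origin: str


def parse_sid(sid: str) -> tuple[int, list[int]]:
    """Split 'S-1-<authority>-<sub>...' into (authority, [subauthorities])."""
    if not SID_RE.match(sid):
        raise ValueError(f"malformed SID: {sid!r}")
    parts = [int(p) for p in sid.split("-")[2:]]
    return parts[0], parts[1:]


def parse_table(text: str) -> list[Entry]:
    """Parse name:x:<id>:<SID>,<origin>: lines; a malformed SID raises ValueError."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _, unix_id, rest = line.split(":", 3)
        sid, origin = rest.rstrip(":").split(",", 1)
        parse_sid(sid)
        entries.append(Entry(name, int(unix_id), sid, origin))
    return entries


def parse_idmap_range(smb_conf: str) -> tuple[int, int]:
    """Extract (low, high) from the default-domain 'idmap config * : range' line."""
    m = re.search(r"idmap config \* *: *range *= *(\d+) *- *(\d+)", smb_conf)
    if not m:
        raise ValueError("no 'idmap config * : range' line found")
    return int(m.group(1)), int(m.group(2))


def mandatory_level_id(rid: int) -> int:
    """The poster's scheme for S-1-16-* labels: prefix 116, RID zero-padded to 5 digits."""
    return int("116" + f"{rid:05d}")


def check_table(entries: list[Entry], id_range: tuple[int, int]) -> list[str]:
    """Return one finding per problem; an empty list means the table passed."""
    findings: list[str] = []
    low, high = id_range
    if low == 0:
        findings.append("idmap range starts at 0: it overlaps root and local system accounts")
    seen: dict[int, str] = {}
    for e in entries:
        authority, subs = parse_sid(e.sid)
        rid = subs[-1]
        if e.unix_id in seen:
            findings.append(f"collision: {e.name!r} and {seen[e.unix_id]!r} both use ID {e.unix_id}")
        seen.setdefault(e.unix_id, e.name)
        if 0 < e.unix_id <= LOCAL_SYSTEM_ID_MAX:
            findings.append(f"{e.name!r} uses ID {e.unix_id} in the local system-account range")
        if e.unix_id == rid and rid != 0:
            findings.append(f"{e.name!r} reuses its RID {rid} as its Unix ID")
        if not low <= e.unix_id <= high:
            findings.append(f"{e.name!r} ID {e.unix_id} lies outside idmap range {low}-{high}")
        if authority == 16 and e.unix_id != mandatory_level_id(rid):
            findings.append(f"{e.name!r} ID {e.unix_id} breaks the 116+RID scheme "
                            f"(expected {mandatory_level_id(rid)})")
    return findings


if __name__ == "__main__":
    for finding in check_table(parse_table(SAMPLE_TABLE), parse_idmap_range(SAMPLE_SMB_CONF)):
        print("WARN:", finding)
```

Run against the constructed sample, the checker flags the range starting at 0, the two rows that reuse a low RID (512 and 555) as their Unix ID, and the duplicate 11612288 that also fails the 116+RID round trip; the well-known rows in the 11xxx block pass, which is the property the poster was relying on. Pointing it at a real table means replacing SAMPLE_TABLE and SAMPLE_SMB_CONF with the contents of the data file and smb.conf.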