OK, so since it appears our only recourse is to build a new domain from scratch, how can we prevent this from happening again? We have several Gentoo workstations, a bunch of Windows 7 workstations, and a few NAS devices which run Linux of some flavor. How do we use NIS attributes without killing our domain? The Samba guide even has instructions for using ADUC to set the UID/GID for users and groups. You stated I should only set a GID for "Domain Users", but what about other AD security groups we create? This is a tad confusing since I thought NIS was needed for our Linux systems and the NAS devices.

Lead IT/IS Specialist
Reach Technology FP, Inc

On 01/17/2017 10:57 AM, Rowland Penny via samba wrote:
> On Tue, 17 Jan 2017 10:04:23 -0500
> Ryan Ashley via samba <samba at lists.samba.org> wrote:
>
> Firstly, 'gencache_notrans.tdb' is a cache file and is recreated when
> Samba is restarted.
>
>> Rowland, I was just reading over another thread on this list about the
>> inability to access group policy from client machines. The user did
>> not have the symlinks setup (I do) but one thing you mentioned was
>> using the NIS attributes to set UID/GID numbers for the domain. You
>> said we should not do this for certain users and groups, but there is
>> no mention of this in the guides to setting up an AD DC, so I have
>> always done it. We do this to make our Linux-based NAS devices work.
>
> The only Windows group that needs a gidNumber attribute is Domain
> Users, and then only when you use the winbind 'ad' backend on a domain
> member. The other Windows groups don't need a gidNumber; in fact, as
> Domain Admins needs to own directories in sysvol, you definitely
> shouldn't give this group a gidNumber.
> If you have to set up Samba this way because of your NAS, I would look
> closely at your NAS ;-)
>
>> Furthermore, you recommended the user use the idmap lines to ensure
>> consistent UID/GID numbers across devices, yet you suggested I turn
>> the exact same lines off in my config. Why is this? I understand our
>> situations are different, but when should we set winbind to use the AD
>> backend and set UID/GID numbers? How do I do this so Linux-based file
>> services can be accessed by users and come out the same?
>
> You are mixing up idmap on a DC and a Unix domain member. On a DC,
> idmapping is done in idmap.ldb; users & groups are allocated an
> xidNumber in the '3000000' range, the number allocated is on the next
> number available basis, apart from 'Administrator', 'Domain Users' and
> 'nobody' which get '0', '100' and '65534'.
>
> On a Unix domain member, the two main ways of setting up idmapping are
> with the winbind 'rid' and 'ad' backends. The 'rid' backend calculates
> an ID from the Windows RID, so you don't have to add anything to AD.
> This means that whilst, by using the 'rid' backend, you will get the
> same ID on every Unix domain member, it will still be different from
> the ID on a DC (and the ID will probably be different on other DCs).
>
> The only way to get the same ID everywhere is to use the 'ad' backend.
> If you give a user a uidNumber and run 'net cache flush', this will be
> used instead of the xidNumber without modifying smb.conf in any way.
> On a Unix domain member it is different, you need to add something
> like this:
>
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> ## map ids from the domain the ranges may not overlap !
> idmap config SAMDOM : backend = ad
> idmap config SAMDOM : schema_mode = rfc2307
> idmap config SAMDOM : range = 10000-999999
>
> Now provided that the uidNumber attributes you have added are between
> 10000 and 999999 AND you have given Domain Users a gidNumber in the
> same range, getent will display info for your users.
>
> Now somebody (and I know who) recommended adding those lines to the
> smb.conf, but they do nothing on a DC, well they didn't until 4.5.0
> came out and then they started causing errors, so bottom line, don't add
> them to a Samba AD DC smb.conf.
>
> Rowland
On Thu, 19 Jan 2017 08:32:02 -0500
Ryan Ashley via samba <samba at lists.samba.org> wrote:

> OK, so since it appears our only recourse is to build a new domain
> from scratch, how can we prevent this from happening again? We have
> several Gentoo workstations, a bunch of Windows 7 workstations, and a
> few NAS devices which run Linux of some flavor. How do we use NIS
> attributes without killing our domain? The Samba guide even has
> instructions for using ADUC to set the UID/GID for users and groups.
> You stated I should only set a GID for "Domain Users", but what about
> other AD security groups we create? This is a tad confusing since I
> thought NIS was needed for our Linux systems and the NAS devices.
>

OK, if you use the winbind 'ad' backend on Unix domain members, you need to give the Windows group that the user's 'primaryGroupID' attribute points to a gidNumber. The 'primaryGroupID' usually points to '513', which is the RID for Domain Users. If you do not give the user's primary group a gidNumber, the winbind 'ad' backend will ignore all users, even if you have given every user a uidNumber.

This is the only group that you must give a gidNumber to if you're using the winbind 'ad' backend on Unix domain members.

If you don't use the winbind 'ad' backend, then you do not need to add anything to users and groups in AD.

If you do use the winbind 'ad' backend, then any of the Well Known SIDs will be mapped via the '*' domain lines in smb.conf on the domain members. If you create any users or groups and you want them to be visible on Unix domain members, you will need to give them a uidNumber or gidNumber.

Some people give Domain Admins a gidNumber; I cannot advise doing this. This is because Windows has the concept of a group owning directories and files. On Unix, only a user can own directories and files, and Domain Admins needs to own directories in sysvol.

I hope this helps, but as always, any questions, just ask.

Rowland
Yes, this does not make sense.

If I have member file servers, and I want to be in control of which groups can access what, surely winbind needs to be able to get a GID from AD?

It may be different in our case as we migrated from classic Samba, but every non-builtin group we have has a GID assigned and it works perfectly. Indeed, if I create a new group without assigning a Unix GID, it is not even visible on the member file servers, so IMHO the advice you've been given is not correct. Your non-builtin groups that you use for file access controls must have a GID number if you're using rfc idmap.

I understand that idmap configuration is not usable on a DC.

Cheers

Alex

On 19/01/17 13:32, Ryan Ashley via samba wrote:
> OK, so since it appears our only recourse is to build a new domain from
> scratch, how can we prevent this from happening again? We have several
> Gentoo workstations, a bunch of Windows 7 workstations, and a few NAS
> devices which run Linux of some flavor. How do we use NIS attributes
> without killing our domain? The Samba guide even has instructions for
> using ADUC to set the UID/GID for users and groups. You stated I should
> only set a GID for "Domain Users", but what about other AD security
> groups we create? This is a tad confusing since I thought NIS was needed
> for our Linux systems and the NAS devices.
>
> Lead IT/IS Specialist
> Reach Technology FP, Inc
>
> On 01/17/2017 10:57 AM, Rowland Penny via samba wrote:
>> On Tue, 17 Jan 2017 10:04:23 -0500
>> Ryan Ashley via samba <samba at lists.samba.org> wrote:
>>
>> Firstly, 'gencache_notrans.tdb' is a cache file and is recreated when
>> Samba is restarted.
>>
>>> Rowland, I was just reading over another thread on this list about the
>>> inability to access group policy from client machines. The user did
>>> not have the symlinks setup (I do) but one thing you mentioned was
>>> using the NIS attributes to set UID/GID numbers for the domain. You
>>> said we should not do this for certain users and groups, but there is
>>> no mention of this in the guides to setting up an AD DC, so I have
>>> always done it. We do this to make our Linux-based NAS devices work.
>> The only Windows group that needs a gidNumber attribute is Domain
>> Users, and then only when you use the winbind 'ad' backend on a domain
>> member. The other Windows groups don't need a gidNumber; in fact, as
>> Domain Admins needs to own directories in sysvol, you definitely
>> shouldn't give this group a gidNumber.
>> If you have to set up Samba this way because of your NAS, I would look
>> closely at your NAS ;-)
>>
>>> Furthermore, you recommended the user use the idmap lines to ensure
>>> consistent UID/GID numbers across devices, yet you suggested I turn
>>> the exact same lines off in my config. Why is this? I understand our
>>> situations are different, but when should we set winbind to use the AD
>>> backend and set UID/GID numbers? How do I do this so Linux-based file
>>> services can be accessed by users and come out the same?
>> You are mixing up idmap on a DC and a Unix domain member. On a DC,
>> idmapping is done in idmap.ldb; users & groups are allocated an
>> xidNumber in the '3000000' range, the number allocated is on the next
>> number available basis, apart from 'Administrator', 'Domain Users' and
>> 'nobody' which get '0', '100' and '65534'.
>>
>> On a Unix domain member, the two main ways of setting up idmapping are
>> with the winbind 'rid' and 'ad' backends. The 'rid' backend calculates
>> an ID from the Windows RID, so you don't have to add anything to AD.
>> This means that whilst, by using the 'rid' backend, you will get the
>> same ID on every Unix domain member, it will still be different from
>> the ID on a DC (and the ID will probably be different on other DCs).
>>
>> The only way to get the same ID everywhere is to use the 'ad' backend.
>> If you give a user a uidNumber and run 'net cache flush', this will be
>> used instead of the xidNumber without modifying smb.conf in any way.
>> On a Unix domain member it is different, you need to add something
>> like this:
>>
>> idmap config *:backend = tdb
>> idmap config *:range = 2000-9999
>> ## map ids from the domain the ranges may not overlap !
>> idmap config SAMDOM : backend = ad
>> idmap config SAMDOM : schema_mode = rfc2307
>> idmap config SAMDOM : range = 10000-999999
>>
>> Now provided that the uidNumber attributes you have added are between
>> 10000 and 999999 AND you have given Domain Users a gidNumber in the
>> same range, getent will display info for your users.
>>
>> Now somebody (and I know who) recommended adding those lines to the
>> smb.conf, but they do nothing on a DC, well they didn't until 4.5.0
>> came out and then they started causing errors, so bottom line, don't add
>> them to a Samba AD DC smb.conf.
>>
>> Rowland
>>
On Sat, 21 Jan 2017 18:05:52 +0000
Alex Crow via samba <samba at lists.samba.org> wrote:

> Yes, this does not make sense.
>
> If I have member file servers, and I want to be in control of which
> groups can access what, surely winbind needs to be able to get a GID
> from AD?
>
> It may be different in our case as we migrated from classic Samba, but
> every non-builtin group we have has a GID assigned and it works
> perfectly. Indeed, if I create a new group without assigning a Unix
> GID, it is not even visible on the member file servers, so IMHO the
> advice you've been given is not correct. Your non-builtin groups that
> you use for file access controls must have a GID number if you're
> using rfc idmap.
>
> I understand that idmap configuration is not usable on a DC.
>
> Cheers
>
> Alex
>

OK, let's have a look at the 'idmap config' lines on a Unix domain member:

idmap config *:backend = tdb
idmap config *:range = 2000-9999
## map ids from the domain the ranges may not overlap !
idmap config SAMDOM : backend = ad
idmap config SAMDOM : schema_mode = rfc2307
idmap config SAMDOM : range = 10000-999999

Now if a user has a uidNumber inside '10000-999999', or a group has a gidNumber inside the same range, AND Domain Users has a gidNumber, then they will be shown as members of the 'SAMDOM' domain. Anything else, and this includes the Well Known SIDs shown here:

https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems

will be mapped to the '*' domain using the '2000-9999' range.

Just because 'getent' doesn't show the user or group, doesn't mean winbind isn't aware who they are. What you have to ask yourself is 'does Unix have to know who this Windows user or group is?'

Rowland
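To make the rules Rowland and Alex are arguing about concrete, here is an added example that is not part of the thread and not Samba's code: a small model of what a Unix domain member would show for a constructed domain under the 'ad' backend (uidNumber/gidNumber must be in the SAMDOM range, and the user's primary group must itself have a usable gidNumber) versus the 'rid' backend (ID = RID + range low, nothing needed in AD), with anything outside the domain, such as the well-known SIDs, falling to the '*' range. The domain SID, the RIDs above 1000, the user and group names and all uidNumber/gidNumber values are constructed; the well-known RIDs 512 (Domain Admins) and 513 (Domain Users) and the SIDs S-1-1-0 and S-1-5-32-544 are real. It also checks the "ranges may not overlap" rule from the config comment.

```python
"""Model of the idmap rules discussed in this thread, for a Unix domain
member using either the winbind 'ad' or 'rid' backend.  Added example
written for this page, not Samba code: the domain SID, the RIDs above
1000, the names and the uidNumber/gidNumber values are constructed.
The well-known RIDs (512 Domain Admins, 513 Domain Users) and the SIDs
S-1-1-0 (Everyone) and S-1-5-32-544 (BUILTIN\\Administrators) are real."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed


@dataclass
class Group:
    name: str
    rid: int
    gidNumber: Optional[int] = None   # rfc2307 attribute, unset by default


@dataclass
class User:
    name: str
    rid: int
    primaryGroupID: int = 513         # RID of the primary group; 513 = Domain Users
    uidNumber: Optional[int] = None


@dataclass
class Idmap:
    """The 'idmap config' lines from the thread, as data."""
    domain: str = "SAMDOM"
    backend: str = "ad"               # 'ad' (schema_mode = rfc2307) or 'rid'
    low: int = 10000                  # idmap config SAMDOM : range = 10000-999999
    high: int = 999999
    star_low: int = 2000              # idmap config * : range = 2000-9999
    star_high: int = 9999


def check_ranges(cfg: Idmap) -> None:
    """The config comment says the ranges may not overlap; fail early if they do."""
    if cfg.low <= cfg.star_high and cfg.star_low <= cfg.high:
        raise ValueError("idmap ranges for '*' and %s overlap" % cfg.domain)


def _in(n: Optional[int], lo: int, hi: int) -> bool:
    return n is not None and lo <= n <= hi


def map_group(cfg: Idmap, g: Group) -> Optional[int]:
    """GID the member shows for g, or None when winbind ignores the group."""
    if cfg.backend == "rid":
        return cfg.low + g.rid        # idmap_rid: ID = RID - base_rid + range low, base_rid 0
    return g.gidNumber if _in(g.gidNumber, cfg.low, cfg.high) else None


def map_user(cfg: Idmap, u: User, groups: Dict[int, Group]) -> Optional[Tuple[int, int]]:
    """(uid, gid) for u, or None.  With 'ad' a uidNumber alone is not enough:
    the primary group (normally Domain Users) must also have a gidNumber in range."""
    gid = map_group(cfg, groups[u.primaryGroupID])
    if cfg.backend == "rid":
        return (cfg.low + u.rid, gid)
    if _in(u.uidNumber, cfg.low, cfg.high) and gid is not None:
        return (u.uidNumber, gid)
    return None


class StarBackend:
    """The '*' tdb backend: SIDs outside the domain (well-known SIDs, BUILTIN
    groups) get the next free ID from the '*' range, in first-seen order."""
    def __init__(self, cfg: Idmap) -> None:
        self.cfg = cfg
        self.table: Dict[str, int] = {}

    def map_sid(self, sid: str) -> int:
        if sid.startswith(DOMAIN_SID + "-"):
            raise ValueError("%s belongs to the domain, not to '*'" % sid)
        if sid not in self.table:
            nxt = self.cfg.star_low + len(self.table)
            if nxt > self.cfg.star_high:
                raise RuntimeError("'*' range exhausted")
            self.table[sid] = nxt
        return self.table[sid]


def demo(backend: str = "ad") -> Dict[str, object]:
    """Constructed domain.  Domain Admins deliberately has no gidNumber
    (Rowland's advice); 'carol' has a uidNumber but a primary group without one."""
    cfg = Idmap(backend=backend)
    check_ranges(cfg)
    groups = {
        513: Group("Domain Users", 513, gidNumber=10000),
        512: Group("Domain Admins", 512),                    # no gidNumber
        1101: Group("fileshare-rw", 1101, gidNumber=10101),  # custom group, gidNumber set
        1102: Group("legacy", 1102),                         # custom group, no gidNumber
    }
    users = [
        User("bob", 1201, uidNumber=10201),
        User("carol", 1202, primaryGroupID=1102, uidNumber=10202),
        User("dave", 1203),                                  # no uidNumber at all
    ]
    out: Dict[str, object] = {u.name: map_user(cfg, u, groups) for u in users}
    out.update({g.name: map_group(cfg, g) for g in groups.values()})
    star = StarBackend(cfg)
    out["S-1-1-0"] = star.map_sid("S-1-1-0")              # Everyone
    out["S-1-5-32-544"] = star.map_sid("S-1-5-32-544")    # BUILTIN\Administrators
    return out


if __name__ == "__main__":
    for b in ("ad", "rid"):
        print(b, demo(b))
```

Running it shows both sides of the disagreement at once: under 'ad', bob and fileshare-rw appear, while carol (primary group without a gidNumber), dave (no uidNumber), Domain Admins and legacy all come back as None and so would not appear in getent, exactly as Alex observes for groups without a GID; under 'rid' every object gets an ID without touching AD, but those IDs (bob 11201, Domain Users 10513) match nothing on a DC, which is Rowland's point about consistency.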