Hi all,

What is the real purpose of the following lines when using idmap-rid or idmap-ad:

# Default idmap config for local BUILTIN accounts and groups
idmap config * : backend = tdb
idmap config * : range = 3000-7999

When using the next two lines

# idmap config for the SAMDOM domain
idmap config SAMDOM : backend = rid [or ad]
idmap config SAMDOM : range = 10000-999999

AD users will be in range 10000-999999, /etc/passwd would be in range 0-2999, what kind of users would be added in range 3000-7999?
On Thu, 10 Aug 2017 11:44:26 +0200
mathias dufresne via samba <samba at lists.samba.org> wrote:

> Hi all,
>
> What is the real purpose of the following lines when using idmap-rid
> or idmap-ad:
>
> # Default idmap config for local BUILTIN accounts and groups
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
>
> When using the next two lines
>
> # idmap config for the SAMDOM domain
> idmap config SAMDOM : backend = rid [or ad]
> idmap config SAMDOM : range = 10000-999999
>
>
> AD users will be in range 10000-999999, /etc/passwd would be in range
> 0-2999, what kind of users would be added in range 3000-7999?

The '*' range is for the 'BUILTIN' users and groups (more info here:
https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems)

It is also used for trusted domains that do not have an idmap config range set in smb.conf.

You can set the ID for a '*' user or group by giving it a uidNumber or gidNumber; this moves it to the 'DOMAIN' range. The most usual one to move is 'Domain Users'.

Rowland
Hai Mathias,

Type: wbinfo --all-domains

You should see 3 domain names.

BUILTIN => idmap config *
HOSTNAME => ? Don't know where this one maps to.
NTDOM => idmap config NTDOM

I use, for example (for Debian), the following. I use this as follows.

## map ids outside the NT domain to tdb files.
idmap config *: backend = tdb
idmap config *: range = 2000-2999

## map ids from the domain, and the (*) range may not overlap!
idmap config NTDOM : backend = ad
idmap config NTDOM : schema_mode = rfc2307
idmap config NTDOM : range = 10000-3999999

And I think, but I never use it, that you can match the hostname also. Like:
idmap config HOSTNAME : backend = tdb
idmap config HOSTNAME : range = 3000-9999
! But I can't confirm whether the "HOSTNAME" part is 100% correct.

Id 0-1999 (local Linux users), 0-999 for system users (* this can differ on another OS.)
2000-2999 BUILTIN\...... (example is BUILTIN\administrators)
3000-9999 HOSTNAME\ ?
10000-99999 NTDOM\users; I start here at 10000 because the Samba AD backend also starts at 10000.

Now "NTDOM\Domain Admins" is member of: BUILTIN\administrators
And "NTDOM\Domain users" is member of: BUILTIN\users

SePrivileges should be set on: BUILTIN\administrators, and not, as most examples show, on "domain admins".
And because of this you should always set: winbind expand groups = 2
But I prefer winbind expand groups = 4
Backtrace, for example, everything backup related and see which groups are used and which SePrivileges you should set.

For me this has advantages, like:
Restricting logins based on Linux and Windows groups/users, or uid/gid ranges.
And for me more flexibility in the use of winbind or ldap things.
(an example, sshd_config: AllowGroups linuxsshgroup winsshgroup)
* Note: for this, the user and group MUST have a gid.

This also matches pam restrictions better; Kerberos had a minimum of uid=1000.

For RID it's the same, but see the AD/RID advantages and disadvantages also.

Hope this helps a bit.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> mathias dufresne via samba
> Sent: Thursday 10 August 2017 11:44
> To: samba
> Subject: [Samba] [samba] idmap question
>
> Hi all,
>
> What is the real purpose of the following lines when using
> idmap-rid or
> idmap-ad:
>
> # Default idmap config for local BUILTIN accounts and groups
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
>
> When using the next two lines
>
> # idmap config for the SAMDOM domain
> idmap config SAMDOM : backend = rid [or ad]
> idmap config SAMDOM : range = 10000-999999
>
>
> AD users will be in range 10000-999999, /etc/passwd would be
> in range 0-2999, what kind of users would be added in range 3000-7999?
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
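To check the "ranges may not overlap" rule mechanically, here is an added Python example (not code from the thread or from Samba itself): it parses the idmap config lines out of a constructed smb.conf fragment, treats 0-1999 as the ids already taken by /etc/passwd and /etc/group, and reports every pair of ranges that intersect. The TRUSTED domain and its colliding range are hypothetical, added to show a detection.

```python
import re
from itertools import combinations

# Constructed smb.conf fragment (not from the thread verbatim): ranges as in
# Louis's example, plus a hypothetical trusted domain whose range collides.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = NTDOM
   idmap config * : backend = tdb
   idmap config * : range = 2000-2999
   idmap config NTDOM : backend = ad
   idmap config NTDOM : schema_mode = rfc2307
   idmap config NTDOM : range = 10000-3999999
   idmap config TRUSTED : backend = rid
   idmap config TRUSTED : range = 3000000-4999999
"""

# "idmap config <domain> : <option> = <value>"; smb.conf keys are case-insensitive
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf_text):
    """Return {domain: {option: value}} for every idmap config line."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domain, option, value = m.group(1), m.group(2).lower(), m.group(3)
            domains.setdefault(domain, {})[option] = value
    return domains

def parse_range(value):
    """'2000-2999' -> (2000, 2999); rejects an inverted range."""
    low, high = (int(part) for part in value.split("-"))
    if low > high:
        raise ValueError(f"inverted idmap range: {value}")
    return low, high

def find_overlaps(domains, local_range=(0, 1999)):
    """Return (name, name) pairs whose id ranges intersect. local_range
    stands for uids/gids already taken by /etc/passwd and /etc/group."""
    ranges = {"LOCAL": local_range}
    for domain, options in domains.items():
        if "range" in options:  # a domain without a range gets no ids at all
            ranges[domain] = parse_range(options["range"])
    overlaps = []
    for (a, (alo, ahi)), (b, (blo, bhi)) in combinations(sorted(ranges.items()), 2):
        if alo <= bhi and blo <= ahi:  # closed intervals intersect
            overlaps.append((a, b))
    return overlaps
```

Calling find_overlaps(parse_idmap(SAMPLE_SMB_CONF), local_range=(0, 2999)) additionally flags '*' against LOCAL, because Louis's 2000-2999 wildcard range assumes local ids stop at 1999.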
On Thu, 10 Aug 2017 12:19:36 +0200
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Hai Mathias,
>
> Type: wbinfo --all-domains
>
> You should see 3 domain names.
>
> BUILTIN => idmap config *
> HOSTNAME => ? Don't know where this one maps to.
> NTDOM => idmap config NTDOM

On a Unix domain member, I get 4

BUILTIN
HOSTNAME
NTDOM
EXAMPLE

I have no idea where 'EXAMPLE' comes from, I have never set up any smb.conf that contains 'workgroup = EXAMPLE' on the Unix domain member.

> I use, for example (for Debian), the following.
> I use this as follows.
>
> ## map ids outside the NT domain to tdb files.
> idmap config *: backend = tdb
> idmap config *: range = 2000-2999
>
> ## map ids from the domain, and the (*) range may not overlap!
> idmap config NTDOM : backend = ad
> idmap config NTDOM : schema_mode = rfc2307
> idmap config NTDOM : range = 10000-3999999
>
> And I think, but I never use it, that you can match the hostname also.
> Like:
> idmap config HOSTNAME : backend = tdb
> idmap config HOSTNAME : range = 3000-9999
> ! But I can't confirm whether the "HOSTNAME" part is 100% correct.

It probably would work, but I have never tried it.

> Id 0-1999 (local Linux users), 0-999 for system users (* this can
> differ on another OS.) 2000-2999 BUILTIN\...... (example
> is BUILTIN\administrators) 3000-9999 HOSTNAME\ ?
> 10000-99999 NTDOM\users; I start here at 10000 because the Samba
> AD backend also starts at 10000.
>
> Now "NTDOM\Domain Admins" is member of: BUILTIN\administrators
> And "NTDOM\Domain users" is member of: BUILTIN\users
>
> SePrivileges should be set on: BUILTIN\administrators, and not, as
> most examples show, on "domain admins". And because of this you should
> always set: winbind expand groups = 2 But I prefer winbind expand
> groups = 4 Backtrace, for example, everything backup related and see
> which groups are used and which SePrivileges you should set.

Never tried this, but you are quite correct, you should NEVER give 'Domain Admins' a gidNumber. I do it another way: I create a group 'Unix Admins', give this group a gidNumber and add this to 'Domain Admins'.

Rowland