samba - Jan 2018 - Avoiding uid conflicts between rfc2307 user/groups and computers

On 2018-01-12 at 16:56 +0000 Rowland Penny sent off:
> Surely the authentication of choice would be kerberos and this wouldn't
> require a posix account.
Rowland, you sound very confident, but still that doesn't make it right. The
posix account needs to exist for smbd to be able to switch to the context of
the connecting (computer) user. This is not a matter of the authentication
mechanism.

Björn
-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de

On Fri, 12 Jan 2018 18:14:05 +0100
Björn JACKE via samba <samba at lists.samba.org> wrote:
> On 2018-01-12 at 16:56 +0000 Rowland Penny sent off:
> > Surely the authentication of choice would be kerberos and this
> > wouldn't require a posix account.
> 
> Rowland, you sound very confident, but still that doesn't make it
> right. The posix account needs to exist for smbd to be able to switch
> to the context of the connecting (computer) user. This is not a
> matter of the authentication mechanism.
> 
> Björn
As far as I am aware, the client connects to a DC to authenticate a
user and before the user is authenticated, the client is checked to see
if it is a domain member. The method of choice for the computer
authentication is kerberos, this does not require posix attributes.

I am not disputing what you say, I am just asking for concrete proof
that a computer account MUST have a uidNumber account.

Rowland

Thank you very much for your help !!

The problem is that I need a way to create the ID numbers without
overwriting the previous one as I don't use ADUC but shell scripts.
This is why I use the xidNumber generation (on one specific DC) that
take care of that. This idea is not from me, it was used long time ago
by a Spanish IT that often come here ;) ( but his method has changed
maybe .... )

Is there a way built in Samba to do it ? Because, as my shares are
also exported with NFSv4, I need consistent id mapping between Samba
and NFS. This also help backing up files because they can be restored
on any file server by saving the ACLs and xattrs.

Do you think that is a good idea to assign to rfc2307 the xidNumber +
100000 to avoid idmap.ldb overwriting the ID ?

But there is still a problem for computer accounts. Is there exist a
automatic way to assign uidNumbers to computers when joining to the
domain ?

Thank again !

Baptiste.


2018-01-12 18:27 GMT+01:00 Rowland Penny via samba <samba at
lists.samba.org>:
> On Fri, 12 Jan 2018 18:14:05 +0100
> Björn JACKE via samba <samba at lists.samba.org> wrote:
>
>> On 2018-01-12 at 16:56 +0000 Rowland Penny sent off:
>> > Surely the authentication of choice would be kerberos and this
>> > wouldn't require a posix account.
>>
>> Rowland, you sound very confident, but still that doesn't make it
>> right. The posix account needs to exist for smbd to be able to switch
>> to the context of the connecting (computer) user. This is not a
>> matter of the authentication mechanism.
>>
>> Björn
>
> As far as I am aware, the client connects to a DC to authenticate a
> user and before the user is authenticated, the client is checked to see
> if it is a domain member. The method of choice for the computer
> authentication is kerberos, this does not require posix attributes.
>
> I am not disputing what you say, I am just asking for concrete proof
> that a computer account MUST have a uidNumber account.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

Mandi! Rowland Penny via samba
  In chel di` si favelave...
> I am not disputing what you say, I am just asking for concrete proof
> that a computer account MUST have a uidNumber account.
Rowland, it is not (only) a matter of authentication, it is a matter of
'act' with machine account.


I've digged a bit but found nothing than (i use WPKG as deployment
system, it is only an example):

	https://wpkg.org/System_User
	https://wpkg.org/SYSTEM_user_Command_Prompt

probably was some old thread in mailing list; anyway, SYSTEM user can
act (eg, access shares) with the machine account credentials; AFAIK
accessing as SYSTEM to a share will trigger an access with machine
account, and as fallback as anonymous/Everyone.


So, if you mean that machine account can auth without UID, it is right;
if they need access (non anonymous) to some share, i suppose a UID is
needed.


I hope i was clear.

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''         
http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)