Rowland Penny
2018-Jan-15 14:05 UTC
[Samba] Avoiding uid conflicts between rfc2307 user/groups and computers
On Mon, 15 Jan 2018 14:55:55 +0100
Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> Hi! L.P.H. van Belle via samba
> On that day you said...
>
> > > It is not the SYSTEM user (that is a local user to the
> > > workstation, so clearly does not exist on the domain).
> > Yes it does. Look at "Builtin\system" which is also "NT
> > Authority\System".
>
> Ahem, clearly every machine (workstation, server; I suppose also the
> domain) has a SYSTEM account, but they are ''different'':
> MY_SERVER\SYSTEM, MY_DOMAIN\SYSTEM and KAIN\SYSTEM are different
> accounts, and I think they should not be mapped to each other...
>
> > > But still the windows workstation, when accessing some shares with the
> > > SYSTEM user, tries to log on with the machine account.
> > Correct, that's by design, and if you get access denied, you did hit
> > the "winbind" "user SYSTEM" bug(s). Fix, use acl_xattr:ignore
> > system acl = yes for now.
>
> ?! Reading the manpage:
>
>   acl_xattr:ignore system acls = [yes|no]
>     When set to yes, a best effort mapping from/to the POSIX
>     ACL layer will not be done by this module. The default is no, which
>     means that Samba keeps setting and evaluating both the system ACLs
>     and the NT ACLs. This is better if you need your system ACLs be set
>     for local or NFS file access, too. If you only access the data via
>     Samba you might set this to yes to achieve better NT ACL
>     compatibility.
>
> it seems unrelated to me.
>
> What I'm speaking about is that, in Microsoft Server OS (and I suppose
> on Samba too ;) access done by the local SYSTEM user to a share triggers
> access via the respective machine account.
> Some docs corroborate this:
>
>   https://msdn.microsoft.com/en-us/library/ms684190(VS.85).aspx
>     The LocalSystem account is a predefined local account used by
>     the service control manager. [...]
>     It has extensive privileges on the local computer, and acts as
>     the computer on the network.
>
>   https://msdn.microsoft.com/en-us/library/ms677973(VS.85).aspx
>     When a service runs under the LocalSystem account on a
>     computer that is a domain member, the service has whatever network
>     access is granted to the computer account, or to any groups of which
>     the computer account is a member.
>
> So, on samba, it is not (only) a matter of ACL: the machine account has
> to have a UID to write (or read also...) to a share!
>
> Probably I'm missing something really ''basic'', but it seems obvious to
> me... if I use rfc2307 in a domain member (if I use the RID backend, or
> if I'm on a domain controller, some sort of automatic mapping is in
> place...) the only way to have non-anonymous access to shares by the
> local workstation SYSTEM account is to add a UID to the machine account...
>
> > > If the KAIN$ account has no UID (and 'Domain Computers' has no GID),
> > > clearly share access fails.
> > No, the computer uses system, but if you test manually it sets the
> > computername.
>
> No, sorry, I've not understood what you mean...

'SYSTEM' is a windows account, there is no concept of the 'SYSTEM'
account on Unix, this includes Samba.

Please read this:

https://wiki.samba.org/index.php/The_SYSTEM_Account

Rowland
Marco Gaiarin
2018-Jan-15 15:08 UTC
[Samba] Avoiding uid conflicts between rfc2307 user/groups and computers
Hi! Rowland Penny via samba
On that day you said...

> 'SYSTEM' is a windows account, there is no concept of the 'SYSTEM'
> account on Unix, this includes Samba.

Again, I'm speaking more about the machine account than the LocalSYSTEM account...

> Please read this:
> https://wiki.samba.org/index.php/The_SYSTEM_Account

It seems to me perfectly coherent with what I'm saying; in detail:

  https://wiki.samba.org/index.php/The_SYSTEM_Account#How_the_SYSTEM_Account_Is_Used_by_a_Windows_Service

works not only for the SysVOL share, but more generally; simply, sysvol is a DC share, and on a DC automatic mappings (via xID) happen, so machine accounts HAVE a UID...

Simply, all shares accessed by the LocalSYSTEM user work like that... but on a DM with rfc2307 there are no automatic mappings, access using DOMAIN\machine$ does not work and anonymous/guest access is tried as a fallback.

Right?

-- 
dott. Marco Gaiarin                                    GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
  http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
  (tax code 00307430132, category ONLUS or HEALTH RESEARCH)
Kacper Wirski
2018-Jan-15 15:18 UTC
[Samba] Avoiding uid conflicts between rfc2307 user/groups and computers
Hello,

I understand the OP, I was asking a similar question some time ago, but
it was in relation to a samba domain member. I couldn't get backend: ad
to work for machine accounts, so I switched to idmap: rid and it solved
everything. I tried manually adding UID and GID to the Domain Computers
group and to machine accounts, but it didn't seem to work properly, so I
gave up, especially since RID was perfectly fine.

On a samba AD DC idmapping is done automatically, that is if no UID/GID
value is present in AD via RFC2307. I've noticed that samba by default
assigns UID/GID from 300000 and just increments +1, and by default when
setting rfc2307 it starts from 10000, so within a single DC there should
be no problem unless you'll somehow manage to reach from 10000 to 300000
users.

The issue is keeping it in sync between multiple DCs (I ran into this
issue some time ago). It might screw up the Sysvol NT ACL if a machine
account receives a different UID.

In my case I rarely use specific machine accounts in ACLs for GPOs. And
if a mix happens I would re-sync idmap.ldb.

I hope it helps.

On 2018-01-15 at 15:05, Rowland Penny via samba wrote:
> On Mon, 15 Jan 2018 14:55:55 +0100
> Marco Gaiarin via samba <samba at lists.samba.org> wrote:
>
>> Hi! L.P.H. van Belle via samba
>> On that day you said...
>>
>>>> It is not the SYSTEM user (that is a local user to the
>>>> workstation, so clearly does not exist on the domain).
>>> Yes it does. Look at "Builtin\system" which is also "NT
>>> Authority\System".
>> Ahem, clearly every machine (workstation, server; I suppose also the
>> domain) has a SYSTEM account, but they are ''different'':
>> MY_SERVER\SYSTEM, MY_DOMAIN\SYSTEM and KAIN\SYSTEM are different
>> accounts, and I think they should not be mapped to each other...
>>
>>
>>>> But still the windows workstation, when accessing some shares with the
>>>> SYSTEM user, tries to log on with the machine account.
>>> Correct, that's by design, and if you get access denied, you did hit
>>> the "winbind" "user SYSTEM" bug(s). Fix, use acl_xattr:ignore
>>> system acl = yes for now.
>> ?! Reading the manpage:
>>
>>   acl_xattr:ignore system acls = [yes|no]
>>     When set to yes, a best effort mapping from/to the POSIX
>>     ACL layer will not be done by this module. The default is no, which
>>     means that Samba keeps setting and evaluating both the system ACLs
>>     and the NT ACLs. This is better if you need your system ACLs be set
>>     for local or NFS file access, too. If you only access the data via
>>     Samba you might set this to yes to achieve better NT ACL
>>     compatibility.
>>
>> it seems unrelated to me.
>>
>> What I'm speaking about is that, in Microsoft Server OS (and I suppose
>> on Samba too ;) access done by the local SYSTEM user to a share triggers
>> access via the respective machine account.
>> Some docs corroborate this:
>>
>>   https://msdn.microsoft.com/en-us/library/ms684190(VS.85).aspx
>>     The LocalSystem account is a predefined local account used by
>>     the service control manager. [...]
>>     It has extensive privileges on the local computer, and acts as
>>     the computer on the network.
>>
>>   https://msdn.microsoft.com/en-us/library/ms677973(VS.85).aspx
>>     When a service runs under the LocalSystem account on a
>>     computer that is a domain member, the service has whatever network
>>     access is granted to the computer account, or to any groups of which
>>     the computer account is a member.
>>
>> So, on samba, it is not (only) a matter of ACL: the machine account has
>> to have a UID to write (or read also...) to a share!
>>
>>
>> Probably I'm missing something really ''basic'', but it seems obvious to
>> me... if I use rfc2307 in a domain member (if I use the RID backend, or
>> if I'm on a domain controller, some sort of automatic mapping is in
>> place...) the only way to have non-anonymous access to shares by the
>> local workstation SYSTEM account is to add a UID to the machine account...
>>
>>
>>>> If the KAIN$ account has no UID (and 'Domain Computers' has no GID),
>>>> clearly share access fails.
>>> No, the computer uses system, but if you test manually it sets the
>>> computername.
>> No, sorry, I've not understood what you mean...
>>
> 'SYSTEM' is a windows account, there is no concept of the 'SYSTEM'
> account on Unix, this includes Samba.
>
> Please read this:
>
> https://wiki.samba.org/index.php/The_SYSTEM_Account
>
> Rowland
>

-- 
Kind regards,
Kacper Wirski
tel. +48 608 421 424
tel: + 48 22 637 50 01
fax: + 48 22 637 50 04
Babka Medica Spółka z ograniczoną odpowiedzialnością Spółka komandytowa
ul. Słomińskiego 19 lok.517, 00-195 Warszawa
District Court for the Capital City of Warsaw in Warsaw, XII Commercial Division
KRS 0000491764 NIP 525-234-00-28
www.babkamedica.pl <http://www.babkamedica.pl/>
----------------------------------------------------------------------------
The information contained in this correspondence is confidential. The
correspondence is addressed exclusively to the person (company) named
above. Distributing, copying, disclosing or forwarding to third parties,
in any form, the information contained in this document, in whole or in
part, is prohibited without the prior written consent (on pain of
invalidity) of Babka Medica Sp. z o.o. Sp. k.
Rowland Penny
2018-Jan-15 16:16 UTC
[Samba] Avoiding uid conflicts between rfc2307 user/groups and computers
On Mon, 15 Jan 2018 16:08:11 +0100
Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> Hi! Rowland Penny via samba
> On that day you said...
>
> > 'SYSTEM' is a windows account, there is no concept of the 'SYSTEM'
> > account on Unix, this includes Samba.
>
> Again, I'm speaking more about the machine account than the LocalSYSTEM
> account...
>
> > Please read this:
> > https://wiki.samba.org/index.php/The_SYSTEM_Account
>
> It seems to me perfectly coherent with what I'm saying; in detail:
>
>   https://wiki.samba.org/index.php/The_SYSTEM_Account#How_the_SYSTEM_Account_Is_Used_by_a_Windows_Service
>
> works not only for the SysVOL share, but more generally; simply, sysvol
> is a DC share, and on a DC automatic mappings (via xID) happen, so
> machine accounts HAVE a UID...
>
> Simply, all shares accessed by the LocalSYSTEM user work like that... but
> on a DM with rfc2307 there are no automatic mappings, access using
> DOMAIN\machine$ does not work and anonymous/guest access is tried as a
> fallback.
>
> Right?

'SYSTEM' != The machine account

Rowland
Rowland Penny
2018-Jan-15 16:24 UTC
[Samba] Avoiding uid conflicts between rfc2307 user/groups and computers
On Mon, 15 Jan 2018 16:18:57 +0100
Kacper Wirski via samba <samba at lists.samba.org> wrote:

> Hello,
> I understand the OP, I was asking a similar question some time ago, but
> it was in relation to a samba domain member. I couldn't get backend: ad
> to work for machine accounts, so I switched to idmap: rid and it
> solved everything. I tried manually adding UID and GID to the Domain
> Computers group and to machine accounts, but it didn't seem to work
> properly, so I gave up, especially since RID was perfectly fine.
>
> On a samba AD DC idmapping is done automatically, that is if no UID/GID
> value is present in AD via RFC2307. I've noticed that samba by
> default assigns UID/GID from 300000 and just increments +1, and by
> default when setting

This is only on a DC, and these use 'xidNumber' attributes, which start
at 3000000.

> rfc2307 it starts from 10000, so within a single DC there should be no
> problem unless you'll somehow manage to reach from 10000 to 300000
> users.

You can start the rfc2307 uidNumber & gidNumber attributes from wherever
you like, but ADUC uses 10000. And whatever number you use will not be a
problem, mainly because the uidNumber & gidNumber attributes will be used
instead of the xidNumber attributes.

> The issue is keeping it in sync between multiple DCs (I ran into
> this issue some time ago). It might screw up the Sysvol NT ACL if a machine
> account receives a different UID.

Whatever method you use, you must do it from the start; changing to the
winbind 'ad' backend will affect the DC.

> In my case I rarely use specific machine accounts in ACLs for GPOs.
> And if a mix happens I would re-sync idmap.ldb.

This is what I was trying to point out: you rarely, if ever, need to give
computer accounts a uidNumber.

Rowland
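The three ways the IDs discussed in this thread can collide are easy to check mechanically once the directory and the DC's idmap.ldb are dumped. The checker below is an added example, not code from the thread, from Samba or from anyone posting here. It reads LDIF-style records of the kind `ldbsearch` prints, and reports (1) one uidNumber/gidNumber handed to two objects, (2) rfc2307 values outside the range a domain member configured for the winbind 'ad' backend, which that backend will not map, and (3) rfc2307 values equal to, or inside, the DC's own xidNumber space (allocated from 3000000 upwards, as stated above). The sample records and SIDs, the 10000-999999 range, and the `parse_ldif`, `own_id` and `find_*` helpers are all constructed for this example.

```python
from collections import defaultdict

# Constructed AD objects with rfc2307 attributes; SIDs and IDs are made up.
AD_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: alice
objectSid: S-1-5-21-1-2-3-1104
uidNumber: 10001

dn: CN=bob,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: bob
objectSid: S-1-5-21-1-2-3-1105
uidNumber: 10001

dn: CN=Domain Users,CN=Users,DC=example,DC=com
objectClass: group
sAMAccountName: Domain Users
objectSid: S-1-5-21-1-2-3-513
gidNumber: 10000

dn: CN=KAIN,CN=Computers,DC=example,DC=com
objectClass: computer
sAMAccountName: KAIN$
objectSid: S-1-5-21-1-2-3-1110
uidNumber: 3000001

dn: CN=svc-backup,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: svc-backup
objectSid: S-1-5-21-1-2-3-1120
uidNumber: 4500000
"""

# Constructed idmap.ldb sidMap record from a DC (xidNumber allocations start at 3000000).
IDMAP_LDIF = """\
dn: CN=S-1-5-21-1-2-3-1111
objectSid: S-1-5-21-1-2-3-1111
xidNumber: 3000001
"""

def parse_ldif(text):
    """Minimal LDIF reader: blank lines separate records; a repeated attribute keeps its last value."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        current[attr.strip()] = value.strip()
    if current:
        records.append(current)
    return records

def own_id(entry):
    """The ID naming this object itself: gidNumber for a group, uidNumber for a user or
    computer (a user's gidNumber only points at its primary group). (attr, int) or None."""
    attr = "gidNumber" if entry.get("objectClass") == "group" else "uidNumber"
    return (attr, int(entry[attr])) if attr in entry else None

def find_duplicates(entries):
    """IDs handed to more than one object: {(attr, id): [names]}."""
    owners = defaultdict(list)
    for e in entries:
        ident = own_id(e)
        if ident:
            owners[ident].append(e["sAMAccountName"])
    return {k: v for k, v in owners.items() if len(v) > 1}

def find_out_of_range(entries, low, high):
    """IDs outside a DM's 'idmap config DOM : range = low-high'; the 'ad' backend refuses to map them."""
    ids = ((e["sAMAccountName"], own_id(e)) for e in entries)
    return {name: ident[1] for name, ident in ids if ident and not low <= ident[1] <= high}

def find_xid_collisions(entries, idmap_entries, xid_start=3000000):
    """rfc2307 IDs clashing with the DC's xidNumber space: an exact hit on another SID
    (two principals, one Unix ID) or any value at/above xid_start (future allocations)."""
    sid_by_xid = {int(e["xidNumber"]): e["objectSid"] for e in idmap_entries}
    findings = []
    for e in entries:
        ident = own_id(e)
        if not ident:
            continue
        number = ident[1]
        holder = sid_by_xid.get(number)
        if holder is not None and holder != e.get("objectSid"):
            findings.append((e["sAMAccountName"], number, "xidNumber held by " + holder))
        elif number >= xid_start:
            findings.append((e["sAMAccountName"], number, "inside xidNumber space"))
    return findings

if __name__ == "__main__":
    ad, idmap = parse_ldif(AD_LDIF), parse_ldif(IDMAP_LDIF)
    print("duplicates:", find_duplicates(ad))
    print("outside 10000-999999:", find_out_of_range(ad, 10000, 999999))
    print("xidNumber clashes:", find_xid_collisions(ad, idmap))
```

Against the constructed data this flags alice and bob sharing 10001, the KAIN$ and svc-backup values as outside the member's range, and KAIN$'s 3000001 as already held by another SID in idmap.ldb. The parser keeps the last value of a repeated attribute because real dumps list objectClass as several values with the most specific class last, so `own_id` still sees "computer" or "group"; for anything beyond the handful of attributes checked here, use a proper LDIF library.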
Marco Gaiarin
2018-Jan-16 08:49 UTC
[Samba] Avoiding uid conflicts between rfc2307 user/groups and computers
Hi! Kacper Wirski via samba
On that day you said...

> I understand the OP, I was asking a similar question some time ago, but it was
> in relation to a samba domain member.

Thanks, Kacper.

> I couldn't get backend: ad to work for
> machine accounts, so I switched to idmap: rid and it solved everything. I
> tried manually adding UID and GID to the Domain Computers group and to machine
> accounts, but it didn't seem to work properly, so I gave up, especially since
> RID was perfectly fine.

Ok. I trust you, but I think I'll do some tests by myself, and eventually report here and, I think, I'll fire up a bug also... because it really seems a bug to me...

-- 
dott. Marco Gaiarin                                    GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
  http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
  (tax code 00307430132, category ONLUS or HEALTH RESEARCH)