Rowland Penny
2018-Jan-15 16:24 UTC
[Samba] Avoiding uid conflicts between rfc2307 user/groups and computers
On Mon, 15 Jan 2018 16:18:57 +0100
Kacper Wirski via samba <samba at lists.samba.org> wrote:

> Hello,
> I understand the OP, I was asking some time ago similar question, but
> it was in relation to samba domain member. I couldn't get backend: ad
> to work for machine accounts, so I switched to idmap: rid and it
> solved everything. I tried manually adding UID and GID to Domain
> Computer group and to machine accounts, but it didn't seem to work
> properly, so I gave up especially that RID was perfectly fine.
>
> On samba AD DC idmapping is done automatically, that is if no UID/GID
> value is present in AD via RFC2307. I've noticed that samba by
> default assigns UID/GID from 300000 and just increments +1, and by
> default when setting

This is only on a DC and these use 'xidNumber' attributes, which start at 3000000

> rfc2307 start from 10000, so within single DC there should be no
> problem unless you'll somehow manage to reach from 10000 to 300000
> users.

You can start the rfc2307 uidNumber & gidNumber attributes from wherever you like, but ADUC uses 10000. And whatever number you use will not be a problem, mainly because the uidNumber & gidNumber attributes will be used instead of the xidNumber attributes.

> The issue is keeping it in sync between multiple DC's (I ran into
> this issue some time ago). It might screw up Sysvol NT ACL if machine
> account receives different UID.

Whatever method you use, you must do it from the start; changing to the winbind 'ad' backend will affect the DC.

> In my case I rarely use specific machine accounts in ACL for GPO's.
> And if a mix happens I would re-sync idmap.ldb.

This is what I was trying to point out, you rarely, if ever, need to give computer accounts a uidNumber.

Rowland
Ralph Böhme
2018-Jan-15 17:15 UTC
[Samba] Avoiding uid conflicts between rfc2307 user/groups and computers
On Mon, Jan 15, 2018 at 04:24:44PM +0000, Rowland Penny via samba wrote:
> This is what I was trying to point out, you rarely, if ever, need to
> give computer accounts a uidNumber.

As pointed out by Björn, iirc the Windows client as a domain member will open SMB connections to the DC and authenticate with the machine account. Afaict this does require a uid for the machine account.

-slow

-- 
Ralph Boehme, Samba Team https://samba.org/
Samba Developer, SerNet GmbH https://sernet.de/en/samba/
Prunk Dump
2018-Jan-15 18:51 UTC
[Samba] Avoiding uid conflicts between rfc2307 user/groups and computers
Thanks again for your help!

2018-01-12 21:26 GMT+01:00 Rowland Penny <rpenny at samba.org>:
> The problem is, you are thinking in the wrong direction ;-)
> If you give a user a uidNumber, or a group a gidNumber, these will be
> used instead of the xidNumbers found in idmap.ldb, you do not need to
> alter idmap.ldb at all.
> The way ADUC works, is by using a couple of attributes, that, by default
> Samba AD doesn't have. These are 'msSFU30MaxUidNumber' &
> 'msSFU30MaxGidNumber' and they hold the next uidNumber & gidNumber.
> They should be in:
> dn:
> CN=samdom,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com
>
> Where 'samdom' is your lowercase workgroup and
> 'DC=samdom,DC=example,DC=com' is your realm/dns domain.
>
> If you can write scripts, I am sure you can figure out how to use
> them ;-)
> If not, contact me off list and I will provide a sample.

On my SAM database I have a CN=samdom,CN=ypservers entry:

# ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b CN=fichnet,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=net,DC=lyc-guillaume-fichet,DC=ac-grenoble,DC=fr
# record 1
dn: CN=fichnet,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=net,DC=lyc-guillaume-fichet,DC=ac-grenoble,DC=fr
objectClass: top
objectClass: msSFU30DomainInfo
cn: fichnet
instanceType: 4
whenCreated: 20150630144502.0Z
whenChanged: 20150630144502.0Z
uSNCreated: 3768
uSNChanged: 3768
showInAdvancedViewOnly: TRUE
name: fichnet
objectGUID: e1b63980-512f-451b-a2d7-c4abdbb03a3c
objectCategory: CN=msSFU-30-Domain-Info,CN=Schema,CN=Configuration,DC=net,DC=l
 yc-guillaume-fichet,DC=ac-grenoble,DC=fr
msSFU30MasterServerName: FICHDC
msSFU30OrderNumber: 10000
msSFU30Domains: fichnet
distinguishedName: CN=fichnet,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=Syste
 m,DC=net,DC=lyc-guillaume-fichet,DC=ac-grenoble,DC=fr

But there are no msSFU30MaxUidNumber or msSFU30MaxGidNumber values.

Do you know if this current entry was created by samba or by some Windows administration tools? Do you know if I need to add a class to add the msSFU30MaxUidNumber and msSFU30MaxGidNumber values? (I don't know how to read schema specification directly inside the database)

2018-01-15 16:18 GMT+01:00 Kacper Wirski via samba <samba at lists.samba.org>:
> Hello,
> I understand the OP, I was asking some time ago similar question, but it was
> in relation to samba domain member. I couldn't get backend: ad to work for
> machine accounts, so I switched to idmap: rid and it solved everything. I
> tried manually adding UID and GID to Domain Computer group and to machine
> accounts, but it didn't seem to work properly, so I gave up especially that
> RID was perfectly fine.

Thanks, but I also use the other rfc2307 attributes, not only uidNumber and gidNumber. So I need to keep all the rfc2307 values updated and I can't switch to RID. Moreover, the file system is also exported by NFSv4 so I need consistent IDs on all the databases/filesystems.

On my Linux clients I use a special script to join the computer to the domain, so there is no problem setting the host parameters in AD database. But from Windows clients I have no control.

Thanks again!
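An added example, not code from Samba or from any poster in this thread, of the kind of script Rowland hints at: it parses the ldbsearch LDIF of the ypservers entry (unfolding continuation lines as in the output above), reports whether the msSFU30MaxUidNumber/msSFU30MaxGidNumber counters are missing, and emits the LDIF that creates them or bumps one after handing out a number. The sample entry, its DN and the 10000 start value (what ADUC uses, per Rowland) are assumptions.

```python
import re

# Constructed sample: a stock Samba AD ypservers entry as ldbsearch prints it,
# including LDIF line folding (a continuation line starts with one space).
SAMPLE_LDIF = """\
# record 1
dn: CN=samdom,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=ex
 ample,DC=com
objectClass: top
objectClass: msSFU30DomainInfo
cn: samdom
msSFU30MasterServerName: DC1
msSFU30OrderNumber: 10000
msSFU30Domains: samdom
"""

COUNTERS = ("msSFU30MaxUidNumber", "msSFU30MaxGidNumber")
START = 10000  # assumption: the value ADUC starts rfc2307 numbering at


def parse_ldif(text):
    """Unfold continuation lines and return {attr: [values]} for one record."""
    entry = {}
    for line in re.sub(r"\n ", "", text).splitlines():
        if line and not line.startswith("#"):
            attr, _, value = line.partition(": ")
            entry.setdefault(attr, []).append(value)
    return entry


def missing_counters(entry):
    """Counter attributes the entry lacks (both of them on an untouched DC)."""
    return [a for a in COUNTERS if a not in entry]


def add_counters_ldif(entry, start=START):
    """LDIF for ldbmodify that creates each missing counter at the start value."""
    mods = [f"add: {a}\n{a}: {start}" for a in missing_counters(entry)]
    return f"dn: {entry['dn'][0]}\nchangetype: modify\n" + "\n-\n".join(mods) + "\n"


def allocate(entry, attr="msSFU30MaxUidNumber"):
    """Return the current counter value to assign to the new user or group,
    plus the LDIF that bumps the counter so the next caller gets value + 1."""
    current = int(entry[attr][0])
    entry[attr] = [str(current + 1)]
    ldif = (f"dn: {entry['dn'][0]}\nchangetype: modify\n"
            f"replace: {attr}\n{attr}: {current + 1}\n")
    return current, ldif
```

Feed the emitted LDIF to ldbmodify against sam.ldb, and run allocate() only from the one place that writes the counter: two admins reading it before either bumps it would hand out the same uidNumber, which is exactly the conflict the thread is about.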