Marco Gaiarin
2018-Jan-16 08:49 UTC
[Samba] Avoiding uid conflicts between rfc2307 user/groups and computers
Mandi! Kacper Wirski via samba
  That day, was saying...

> I understand the OP, I was asking some time ago similar question, but it was
> in relation to samba domain member.

Thanks, Kacper.

> I couldn't get backend: ad to work for
> machine accounts, so i switched to idmap: rid and it solved everything. I
> tried manually adding UID and GID to Domain Computer group and to machine
> accounts, but it didn't seem to work properly, so I gave up especially that
> RID was perfectly fine.

Ok. I trust you, but I think I'll do some tests by myself, and eventually
report here and, I think, I'll fire up a bug also... because it seems really
a bug to me...

-- 
dott. Marco Gaiarin                                     GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          lanostrafamiglia.it
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

                Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
      lanostrafamiglia.it/index.php/it/sostienici/5x1000
        (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
Prunk Dump
2018-Jan-17 05:55 UTC
[Samba] Avoiding uid conflicts between rfc2307 user/groups and computers
2018-01-15 20:14 GMT+01:00 Rowland Penny via samba <samba at lists.samba.org>:
> On Mon, 15 Jan 2018 19:51:12 +0100
> Prunk Dump via samba <samba at lists.samba.org> wrote:
>
>> Thank again for your help !
>>
>> 2018-01-12 21:26 GMT+01:00 Rowland Penny <rpenny at samba.org>:
>> > The problem is, you are thinking in the wrong direction ;-)
>> > If you give a user a uidNumber, or a group a gidNumber, these will
>> > be used instead of the xidNumbers found in idmap.ldb, you do not
>> > need to alter idmap.ldb at all.
>> > The way ADUC works, is by using a couple of attributes, that, by
>> > default Samba AD doesn't have. These are 'msSFU30MaxUidNumber' &
>> > 'msSFU30MaxGidNumber' and they hold the next uidNumber & gidNumber.
>> > They should be in:
>> > dn:
>> > CN=samdom,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com
>> >
>> > Where 'samdom' is your lowercase workgroup and
>> > 'DC=samdom,DC=example,DC=com' is your realm/dns domain.
>> >
>> > If you can write scripts, I am sure you can figure out how to use
>> > them ;-)
>> > If not, contact me off list and I will provide a sample.
>>
>> On my SAM database I have an CN=samdom,CN=ypservers entry :
>>
>> # ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b
>> CN=fichnet,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=net,DC=lyc-guillaume-fichet,DC=ac-grenoble,DC=fr
>> # record 1
>> dn:
>> CN=fichnet,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=net,DC=lyc-guillaume-fichet,DC=ac-grenoble,DC=fr
>> objectClass: top
>> objectClass: msSFU30DomainInfo
>> cn: fichnet
>> instanceType: 4
>> whenCreated: 20150630144502.0Z
>> whenChanged: 20150630144502.0Z
>> uSNCreated: 3768
>> uSNChanged: 3768
>> showInAdvancedViewOnly: TRUE
>> name: fichnet
>> objectGUID: e1b63980-512f-451b-a2d7-c4abdbb03a3c
>> objectCategory: CN=msSFU-30-Domain-Info,CN=Schema,CN=Configuration,DC=net,DC=lyc-guillaume-fichet,DC=ac-grenoble,DC=fr
>> msSFU30MasterServerName: FICHDC
>> msSFU30OrderNumber: 10000
>> msSFU30Domains: fichnet
>> distinguishedName: CN=fichnet,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=net,DC=lyc-guillaume-fichet,DC=ac-grenoble,DC=fr
>>
>> But there is no msSFU30MaxUidNumber and msSFU30MaxGidNumber values.
>
> No there isn't, Samba doesn't add them, it adds everything else, just
> not those two attributes. You need to add something like this:
>
> msSFU30MaxUidNumber: 10000
> msSFU30MaxGidNumber: 10000
>
> Note, you will need to find the highest uidNumber and gidNumber, add 1
> to it and replace '10000' with these numbers.
>
>> Do you know if this current entry was created by samba or by some
>> Windows administration tools ?
>
> Samba
>
>> Do you know if I need to add a class to add the msSFU30MaxUidNumber
>> and msSFU30MaxGidNumber values ?
>
> No you don't need add any other objectclasses
>
>> (I don't know how to read schema specification directly inside the
>> database)
>>
>> 2018-01-15 16:18 GMT+01:00 Kacper Wirski via samba
>> <samba at lists.samba.org>:
>> > Hello,
>> > I understand the OP, I was asking some time ago similar question,
>> > but it was in relation to samba domain member. I couldn't get
>> > backend: ad to work for machine accounts, so i switched to idmap:
>> > rid and it solved everything. I tried manually adding UID and GID
>> > to Domain Computer group and to machine accounts, but it didn't
>> > seem to work properly, so I gave up especially that RID was
>> > perfectly fine.
>>
>> Thanks, but I also use the others rfc2307 attributes. Not only
>> uidNumber and gidNumber. So I need to keep all the rfc2307 values
>> updated and I can't switch to RID. Moreover, the file system is also
>> exported by NFSv4 so I need consistant ID on all the
>> databases/filesystems.
>
> You can add the required attributes with ldapmodify or ldbmodify, as I
> said, I can supply sample scripts to show the basics.
>
> Rowland

Thanks !

Your solution worked like a charm !

There is also another benefit, I have now three distinct ranges for my IDs :

-> 3000000 - 3999999 for the xidNumbers ( when no rfc2307 id )
-> 4000000 - 4999999 for the user rfc2307 uidNumber
-> 5000000 - 5999999 for the group rfc2307 gidNumber

If someone is interested, here a part of the script I have used :

###############################
# get user rfc2307 attributes #
###############################

# get the new uid #
userUid=$(ldbsearch -H $samDatabase -s base -b CN=$shortDomain,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,$baseDN msSFU30MaxUidNumber | grep 'msSFU30MaxUidNumber:')
if [ -z "$userUid" ]; then
    userUid="$baseUid"
else
    userUid=$(echo $userUid | sed 's/^msSFU30MaxUidNumber: \(.*\)/\1/')
fi

# get the gid #
strgid=$(wbinfo --group-info="$pgroupName")
userGid=$(echo $strgid | cut -d ":" -f 3)

# create the user #
samba-tool user create $userName --userou=$userDN --random-password \
    --profile-path="\\\\$accountServerDns$winProfilePath\\$pgroupNameR\\$userName" \
    --home-directory="\\\\$accountServerDns$winHomePath$winHomeDir\\$pgroupNameR\\$userName" \
    --home-drive="$homeDrive" \
    --unix-home="/home$unixHomeDir/$pgroupNameR/$userName" \
    --uid-number="$userUid" \
    --gid-number="$userGid" \
    --login-shell="/bin/bash"

# set passwd #
if [ -z "$userPasswd" ]; then
    # --must-change-at-next-login can cause problem with roaming profiles
    samba-tool user setpassword $userName --newpassword=$userName
else
    samba-tool user setpassword $userName --newpassword=$userPasswd
fi
samba-tool user setexpiry --noexpiry $userName

############
# next uid #
############
nextUid=$((userUid+1))

echo "dn: CN=$shortDomain,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,$baseDN
changetype: modify
replace: msSFU30MaxUidNumber
msSFU30MaxUidNumber: $nextUid" > /tmp/$userName

ldbmodify --url=$samDatabase -b $baseDN /tmp/$userName
rm /tmp/$userName

Thank you very much !

Baptiste.
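The counter scheme in the script (read msSFU30MaxUidNumber, assign it, store it plus one) only stays conflict-free while the counter is really above every uidNumber already in use and nothing else hands out ids in the same block; the thread started from exactly such a clash between rfc2307 ids and idmap.ldb xidNumbers. The Python below is an added example, not Baptiste's script nor Samba code. It parses LDIF the way ldbsearch prints it (including folded DN lines like the ones in the record quoted above), reports duplicate uidNumbers, ids outside their range, ids that coincide with an xidNumber from idmap.ldb, a missing or stale msSFU30Max* counter, and produces the same `changetype: modify` LDIF the script writes. The range layout is the one Baptiste describes; the records, DNs and SIDs are constructed sample data.

```python
"""Audit rfc2307 uidNumber/gidNumber allocation in a Samba AD domain (added
example, not from the thread): parse `ldbsearch` LDIF output, flag ids that
conflict with each other or with idmap.ldb xidNumbers, check the msSFU30Max*
counter, and build the counter-advancing LDIF. All records are constructed."""

# Range layout from the thread: one block of a million ids each.
RANGES = {"xidNumber": (3000000, 3999999), "uidNumber": (4000000, 4999999),
          "gidNumber": (5000000, 5999999)}

# Constructed sam.ldb dump: alice and bob share a uidNumber, group 'legacy'
# sits inside the xid block, and msSFU30MaxGidNumber was never advanced.
SAMPLE_SAM_LDIF = """\
dn: CN=alice,CN=Users,DC=samdom,DC=example,DC=com
objectClass: user
uidNumber: 4000001
gidNumber: 5000001

dn: CN=bob,CN=Users,DC=samdom,DC=example,DC=com
objectClass: user
uidNumber: 4000001
gidNumber: 5000001

dn: CN=legacy,CN=Users,DC=samdom,DC=example,DC=com
objectClass: group
gidNumber: 3000002

dn: CN=samdom,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=ex
 ample,DC=com
objectClass: msSFU30DomainInfo
msSFU30MaxUidNumber: 4000002
msSFU30MaxGidNumber: 5000001
"""

# Constructed idmap.ldb dump (ids Samba allocates when no rfc2307 value exists).
SAMPLE_IDMAP_LDIF = """\
dn: CN=S-1-5-21-1-2-3-1106
xidNumber: 3000002
"""


def parse_ldif(text):
    """One {attribute: [values]} dict per record; a leading space folds a line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold a wrapped attribute value
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:             # trailing "" flushes the last record
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            current.setdefault(attr.strip(), []).append(value.strip())
    return entries


def collect(entries, attr):
    # Map each numeric value of `attr` to the DNs that carry it.
    owners = {}
    for e in entries:
        for v in e.get(attr, []):
            owners.setdefault(int(v), []).append(e["dn"][0])
    return owners


def find_conflicts(sam_entries, idmap_entries, ranges=RANGES):
    """List of findings; empty means the allocation is clean."""
    findings = []
    xids = collect(idmap_entries, "xidNumber")
    yp = [e for e in sam_entries if "msSFU30DomainInfo" in e.get("objectClass", [])]
    for attr, klass, counter in (("uidNumber", "user", "msSFU30MaxUidNumber"),
                                 ("gidNumber", "group", "msSFU30MaxGidNumber")):
        lo, hi = ranges[attr]
        owners = collect(sam_entries, attr)
        # Duplicates count only within the owning class: a user's primary
        # gidNumber legitimately equals its group's gidNumber.
        dups = collect([e for e in sam_entries if klass in e.get("objectClass", [])], attr)
        for value, dns in sorted(owners.items()):
            if len(dups.get(value, [])) > 1:
                findings.append(f"duplicate {attr} {value}: {', '.join(dups[value])}")
            if not lo <= value <= hi:
                findings.append(f"{attr} {value} of {dns[0]} outside range {lo}-{hi}")
            if value in xids:
                findings.append(f"{attr} {value} collides with xidNumber of {xids[value][0]}")
        # The counter holds the *next* id to hand out, so it must exceed every id in use.
        if yp and owners:
            nxt = yp[0].get(counter)
            if nxt is None:
                findings.append(f"{counter} missing on {yp[0]['dn'][0]}")
            elif int(nxt[0]) <= max(owners):
                findings.append(f"{counter} {nxt[0]} is not above highest {attr} {max(owners)}")
    return findings


def next_counter_ldif(yp_dn, counter_attr, assigned):
    """LDIF recording assigned+1 as the next free id, as the script does with ldbmodify."""
    return (f"dn: {yp_dn}\nchangetype: modify\n"
            f"replace: {counter_attr}\n{counter_attr}: {assigned + 1}\n")
```

Run it on ldbsearch dumps of sam.ldb (objects carrying uidNumber or gidNumber plus the ypservers record) and of idmap.ldb before each provisioning run. The read-then-increment in the script is not atomic, so two runs started in parallel can both read the same counter; serialize the script (a lock such as flock around it) and keep this audit in a cron job so a collision is noticed before it shows up as the wrong owner on an NFSv4 export.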
Rowland Penny
2018-Jan-17 09:46 UTC
[Samba] Avoiding uid conflicts between rfc2307 user/groups and computers
On Wed, 17 Jan 2018 06:55:07 +0100
Prunk Dump via samba <samba at lists.samba.org> wrote:

> 2018-01-15 20:14 GMT+01:00 Rowland Penny via samba
> <samba at lists.samba.org>:
> [...]
>
> Thanks !
>
> Your solution worked like a charm !
>
> There is also another benefit, I have now three distinct ranges for my IDs :
>
> -> 3000000 - 3999999 for the xidNumbers ( when no rfc2307 id )
> -> 4000000 - 4999999 for the user rfc2307 uidNumber
> -> 5000000 - 5999999 for the group rfc2307 gidNumber
>
> If someone is interested, here a part of the script I have used :
> [...]
>
> Thank you very much !
>
> Baptiste.

The only thing I would add is, you do not need to use different ranges for
users & groups. A user with the Unix UID '10000' will never be mistaken for
a group with the Unix GID '10000'

Rowland
Marco Gaiarin
2018-Jan-24 11:17 UTC
[Samba] Avoiding uid conflicts between rfc2307 user/groups and computers
Ok, I've got some time to do some tests.

> > I couldn't get backend: ad to work for
> > machine accounts, so i switched to idmap: rid and it solved everything. I
> > tried manually adding UID and GID to Domain Computer group and to machine
> > accounts, but it didn't seem to work properly, so I gave up especially that
> > RID was perfectly fine.
> Ok. I trust you, but i think i'll do some tests by myself, and
> eventually report here and, i think, i'll fire up a bug also... because
> seems really a bug to me...

Samba 4.5, AD backend, GID assigned to 'Domain Computers' and UID assigned to
a test machine account (Windows 7 Pro workstation named 'kain').

I'm configuring WPKG, which runs in SYSTEM context, and simply looking at
smbstatus:

root at vdmsv1:/srv/samba/wpkg# smbstatus

Samba version 4.5.12-Debian
PID     Username     Group             Machine                            Protocol Version  Encryption  Signing
--------------------------------------------------------------------------------------------------------------
9859    gaio         domain users      10.5.1.34 (ipv4:10.5.1.34:64747)   SMB2_10           -           -
9946    gaio         domain users      10.5.1.34 (ipv4:10.5.1.34:51900)   SMB2_10           -           -
9894    gaio         domain users      10.5.1.34 (ipv4:10.5.1.34:64768)   SMB2_10           -           -
9945    gaio         domain users      10.5.1.34 (ipv4:10.5.1.34:51899)   SMB2_10           -           -
9947    kain$        domain computers  10.5.1.34 (ipv4:10.5.1.34:51901)   SMB2_10           -           -

Service      pid     Machine       Connected at                     Encryption   Signing
---------------------------------------------------------------------------------------
users        9859    10.5.1.34     mer gen 24 11:58:32 2018 CET     -            -
Work         9894    10.5.1.34     mer gen 24 11:58:37 2018 CET     -            -
wpkg         9945    10.5.1.34     mer gen 24 12:09:55 2018 CET     -            -
wpkg         9947    10.5.1.34     mer gen 24 12:09:56 2018 CET     -            -
wpkg         9946    10.5.1.34     mer gen 24 12:09:55 2018 CET     -            -

Locked files:
Pid    Uid    DenyMode   Access    R/W     Oplock      SharePath        Name                   Time
----------------------------------------------------------------------------------------------------------
9947   11508  DENY_WRITE 0x120089  RDONLY  LEASE(RWH)  /srv/samba/wpkg  packages/sqlite.xml    Wed Jan 24 12:09:58 2018
9947   11508  DENY_WRITE 0x120089  RDONLY  LEASE(RWH)  /srv/samba/wpkg  packages/odfaddin.xml  Wed Jan 24 12:09:58 2018
9947   11508  DENY_WRITE 0x120089  RDONLY  LEASE(RWH)  /srv/samba/wpkg  packages.xml           Wed Jan 24 12:09:58 2018
9947   11508  DENY_WRITE 0x120089  RDONLY  LEASE(RWH)  /srv/samba/wpkg  packages/jclic.xml     Wed Jan 24 12:09:58 2018
9947   11508  DENY_WRITE 0x120089  RDONLY  LEASE(RWH)  /srv/samba/wpkg  packages/wviola.xml    Wed Jan 24 12:09:58 2018
9947   11508  DENY_WRITE 0x120089  RDONLY  LEASE(RWH)  /srv/samba/wpkg  packages/workrave.xml  Wed Jan 24 12:09:58 2018
9947   11508  DENY_WRITE 0x120089  RDONLY  LEASE(RWH)  /srv/samba/wpkg  packages/kb979682.xml  Wed Jan 24 12:09:58 2018
[...]

E.g., I've accessed the share with user 'kain$'.

Is there something more that I can test, or is there something that could
have fooled me?

Thanks.
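To turn this one-off look at smbstatus into a repeatable check, here is an added Python example (not from the thread and not Samba's code). It parses the three sections of smbstatus output, joins the Uid column of the locked-files table to the session's username through the shared PID, and flags machine accounts (names ending in `$`) whose uid is not the uidNumber the administrator expects or falls inside the idmap.ldb xid block, i.e. the situation Kacper described where the rfc2307 value is not used. The sample text is an abridged copy of the listing above; the assumption that 11508 is the uidNumber assigned to kain$, and the 3000000-3999999 xid block (Baptiste's layout), are illustrative and not facts stated in the thread.

```python
"""Correlate smbstatus sessions with the Unix uid that opened files (added
example, not from the thread or Samba): parse the three smbstatus sections,
join locked files to sessions by PID, and flag machine accounts (names ending
in '$') running under an unexpected uid or under an idmap.ldb xid."""
import re

# Abridged copy of the smbstatus listing quoted in the message above.
SAMPLE_SMBSTATUS = """\
Samba version 4.5.12-Debian
PID     Username     Group            Machine                            Protocol Version  Encryption  Signing
-------------------------------------------------------------------------------------------------------------
9859    gaio         domain users     10.5.1.34 (ipv4:10.5.1.34:64747)   SMB2_10           -           -
9945    gaio         domain users     10.5.1.34 (ipv4:10.5.1.34:51899)   SMB2_10           -           -
9947    kain$        domain computers 10.5.1.34 (ipv4:10.5.1.34:51901)   SMB2_10           -           -

Service      pid     Machine       Connected at                     Encryption   Signing
---------------------------------------------------------------------------------------
users        9859    10.5.1.34     mer gen 24 11:58:32 2018 CET     -            -
wpkg         9945    10.5.1.34     mer gen 24 12:09:55 2018 CET     -            -
wpkg         9947    10.5.1.34     mer gen 24 12:09:56 2018 CET     -            -

Locked files:
Pid    Uid    DenyMode   Access    R/W     Oplock      SharePath        Name                 Time
-----------------------------------------------------------------------------------------------------
9947   11508  DENY_WRITE 0x120089  RDONLY  LEASE(RWH)  /srv/samba/wpkg  packages/sqlite.xml  Wed Jan 24 12:09:58 2018
9947   11508  DENY_WRITE 0x120089  RDONLY  LEASE(RWH)  /srv/samba/wpkg  packages.xml         Wed Jan 24 12:09:58 2018
"""

# Session line: pid, user, group (may contain spaces), address, (ipvN:...), protocol.
SESSION_RE = re.compile(r"^(\d+)\s+(\S+)\s+(.+?)\s+(\S+)\s+\((ipv[46]:[^)]+)\)\s+(\S+)")
# Locked-file line: pid, uid, deny mode, access mask, r/w, oplock, share path, name.
LOCK_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\S+)\s+(0x[0-9a-fA-F]+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def parse_smbstatus(text):
    """Return ({pid: (username, group)}, [(pid, uid, sharepath, name), ...])."""
    sessions, locks, section = {}, [], None
    for line in text.splitlines():
        if line.startswith("PID"):
            section = "sessions"
        elif line.startswith("Service"):
            section = "shares"
        elif line.startswith("Locked files"):
            section = "locks"
        elif section == "sessions":
            m = SESSION_RE.match(line)
            if m:
                sessions[int(m.group(1))] = (m.group(2), m.group(3))
        elif section == "locks":
            m = LOCK_RE.match(line)
            if m:
                locks.append((int(m.group(1)), int(m.group(2)), m.group(7), m.group(8)))
    return sessions, locks


def machine_account_uids(text):
    """Set of uids observed per machine account, via the PID shared by the
    session table and the locked-files table."""
    sessions, locks = parse_smbstatus(text)
    seen = {}
    for pid, uid, _share, _name in locks:
        user = sessions.get(pid, ("",))[0]
        if user.endswith("$"):
            seen.setdefault(user, set()).add(uid)
    return seen


def verify_machine_uids(text, expected, xid_range=(3000000, 3999999)):
    """Findings for machine accounts whose uid differs from `expected`
    (constructed map of account -> uidNumber) or lies in the idmap.ldb xid
    block (assumed range), which would mean the rfc2307 value was ignored."""
    findings = []
    for user, uids in sorted(machine_account_uids(text).items()):
        for uid in sorted(uids):
            if user in expected and uid != expected[user]:
                findings.append(f"{user}: uid {uid} differs from uidNumber {expected[user]}")
            if xid_range[0] <= uid <= xid_range[1]:
                findings.append(f"{user}: uid {uid} comes from the idmap.ldb xid block")
    return findings
```

Pipe the live output into it (`smbstatus | python3 check.py`, reading sys.stdin instead of the sample) and build the expected map from the uidNumber attributes of the computer objects; an empty findings list confirms what Marco observed here, namely that kain$ opens files on the wpkg share under its assigned uid rather than a fallback xid.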