Francesco Malvezzi
2018-Feb-16 13:26 UTC
[Samba] idmap config ad: can't resolve domain users' uids
On 16/02/18 13:43, Rowland Penny via samba wrote:
> On Fri, 16 Feb 2018 13:10:16 +0100
> Francesco Malvezzi via samba <samba at lists.samba.org> wrote:
>
>> So just to recap: there were two problems:
>>
>> 1) the syntax mistake in smb.conf pointed out before;
>
> This wouldn't have helped.
>
>> 2) a logical mistake because wbinfo can't possibly work without the
>> full setup that includes the nss part.
>
> No, wbinfo will work without the libnss_winbind links, but the OS will
> not know who the AD users & groups are without the links.

Rowland, you are helping me a lot.

Let me take a step backwards.

The problem that is bugging me is to allow Domain Users to access samba shares (on a linux os) and to create files with the same uidNumber I have put in the AD directory.

Domain Users have been exported from a samba3-ldap domain.

In a samba3-ldap domain the trick to have files with the same ownership [1] was to record the uidNumber data in the OpenLDAP.

How does it work in samba4? I started with https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD and then I have been populating the users' uidNumber ad attribute and the groups' gidNumber.

So I was wrong to start talking about sssd, nss and so on. Those tools are required to allow Domain Users to access a linux server (ssh for instance). I am more interested in deploying windows shares on a samba4 server (an AD DC, actually) and in seeing users create files with the familiar uidNumber and not the exotic number taken from the idmap.ldb.

thank you,
Francesco

[1] means the same user, both as a linux user or as a Domain User, creates files with the same uidNumber.
Rowland Penny
2018-Feb-16 14:14 UTC
[Samba] idmap config ad: can't resolve domain users' uids
On Fri, 16 Feb 2018 14:26:57 +0100
Francesco Malvezzi via samba <samba at lists.samba.org> wrote:

> On 16/02/18 13:43, Rowland Penny via samba wrote:
> > On Fri, 16 Feb 2018 13:10:16 +0100
> > Francesco Malvezzi via samba <samba at lists.samba.org> wrote:
> >
> >> So just to recap: there were two problems:
> >>
> >> 1) the syntax mistake in smb.conf pointed out before;
> >
> > This wouldn't have helped.
> >
> >> 2) a logical mistake because wbinfo can't possibly work without
> >> the full setup that includes the nss part.
> >
> > No, wbinfo will work without the libnss_winbind links, but the OS
> > will not know who the AD users & groups are without the links.
>
> Rowland, you are helping me a lot.
>
> Let me take a step backwards.
>
> The problem that is bugging me is to allow Domain Users to access samba
> shares (on a linux os) and to create files with the same uidNumber I
> have put in the AD directory.
>
> Domain Users have been exported from a samba3-ldap domain.
>
> In a samba3-ldap domain the trick to have files with the same
> ownership [1] was to record the uidNumber data in the OpenLDAP.
>
> How does it work in samba4? I started with
> https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD and then I
> have been populating the users' uidNumber ad attribute and the groups'
> gidNumber.

Let's see if I can explain it for you ;-)

If you use a DC as a fileserver (by the way, lots of people do not recommend doing this), by default users & groups are assigned xidNumber attributes in the '3000000' range. These 'xidNumbers' are stored in 'idmap.ldb'.

You can override these 'xidNumber' attributes by giving your users a unique 'uidNumber' and groups a 'gidNumber'.

If you want the OS to know who the users and groups are, you will need something to extract the data from either 'idmap.ldb' or AD. Samba uses the libnss_winbind links; other methods are available.

See here for how to set up the links:
https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC

And here:
https://wiki.samba.org/index.php/Libnss_winbind_Links

Rowland
Francesco Malvezzi
2018-Feb-16 14:39 UTC
[Samba] idmap config ad: can't resolve domain users' uids
> Let's see if I can explain it for you ;-)

good!

> If you use a DC as a fileserver (by the way, lots of people do not
> recommend doing this),

true. I understand.

> by default users & groups are assigned
> xidNumber attributes in the '3000000' range. These 'xidNumbers' are
> stored in 'idmap.ldb'

got the point: id mapping works differently on an AD DC and on a Member server.

> You can override these 'xidNumber' attributes by giving your users a
> unique 'uidNumber' and groups a 'gidNumber'.

I tried to do that, but as I did, it has not been working:

addc:/opt/samba# ./bin/ldbsearch -H ./private/sam.ldb 'cn=bacedifo'
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
# record 1
dn: CN=bacedifo,OU=people,DC=example,DC=org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: bacedifo
sn: BACEDIFO
ou: Dipendenti
ou: people
description: Francesco BACEDIFO
givenName: Francesco
instanceType: 4
whenCreated: 20160826181053.0Z
displayName: Francesco BACEDIFO
uSNCreated: 55083
name: bacedifo
objectGUID: e92344b9-eb05-4e4a-8b7d-fc12773e1e0a
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
primaryGroupID: 513
objectSid: S-1-5-21-3239498231-402109693-3067992304-52143
sAMAccountName: bacedifo
sAMAccountType: 805306368
userPrincipalName: bacedifo at example.org
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=org
mail: francesco.bacedifo at example.org
userAccountControl: 512
memberOf: CN=si_admins,OU=examplegroups,DC=example,DC=org
accountExpires: 131651439820000000
pwdLastSet: 131625519833323360
lastLogonTimestamp: 131625621192353740
uidNumber: 41312
loginShell: /bin/mosh
gidNumber: 41312
unixHomeDirectory: /homel/bacedifo
homeDirectory: \\homesrv2.dmz-int.unimo.it\bacedifo
whenChanged: 20180214130711.0Z
uSNChanged: 811421
lastLogon: 131632577629398150
logonCount: 330
distinguishedName: CN=bacedifo,OU=people,DC=example,DC=org

> If you want the OS to know who the users and groups are, you will need
> something to extract the data from either 'idmap.ldb' or AD, Samba
> uses the libnss_winbind links, other methods are available.

thank you (actually I should bow in front of you),
Francesco
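Rowland's explanation above (a user without a uidNumber/gidNumber override falls back to an xidNumber allocated in idmap.ldb, and the overrides must be unique) and the ldbsearch record Francesco posted suggest a simple audit. The following script is an added example, not code from the thread or from the Samba project: it parses the LDIF-style output of ldbsearch, ignores the GENSEC chatter and comment lines, and reports which user accounts have a usable, unique uidNumber and which would silently get an idmap.ldb id instead. The sample input is constructed, modelled on the posted record but trimmed; the accounts nouid, dupa and dupb are hypothetical and exist only to show the failure cases.

```python
"""Audit ldbsearch output for RFC2307 uidNumber/gidNumber overrides.

Added example (not from the thread or Samba): a user with no uidNumber
silently gets an xidNumber allocated in idmap.ldb instead of the id the
admin intended, so files end up owned by the 'exotic' 3000000-range id.
"""
from collections import defaultdict

# Constructed sample modelled on the record posted in the thread, trimmed
# to the attributes that matter here. 'nouid', 'dupa' and 'dupb' are
# hypothetical accounts that exist only to exercise the failure cases.
SAMPLE_LDBSEARCH_OUTPUT = """\
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'ntlmssp' registered
# record 1
dn: CN=bacedifo,OU=people,DC=example,DC=org
objectClass: top
objectClass: user
sAMAccountName: bacedifo
uidNumber: 41312
gidNumber: 41312
unixHomeDirectory: /homel/bacedifo

# record 2
dn: CN=nouid,OU=people,DC=example,DC=org
objectClass: top
objectClass: user
sAMAccountName: nouid

# record 3
dn: CN=dupa,OU=people,DC=example,DC=org
objectClass: top
objectClass: user
sAMAccountName: dupa
uidNumber: 50001
gidNumber: 41312

# record 4
dn: CN=dupb,OU=people,DC=example,DC=org
objectClass: top
objectClass: user
sAMAccountName: dupb
uidNumber: 50001
gidNumber: 41312

# returned 4 records
"""


def parse_ldbsearch(text):
    """Split ldbsearch output into records: one dict of attr -> [values] each.

    GENSEC registration chatter, '# ...' comment lines and blank lines are
    not attribute data; a blank line or comment ends the current record.
    Multi-valued attributes (objectClass, memberOf) keep every value.
    Base64 ('attr:: ...') values are skipped by this simple parser.
    """
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("#") or line.startswith("GENSEC backend"):
            if current is not None:
                records.append(current)
                current = None
            continue
        key, sep, value = line.partition(": ")
        if not sep or key.endswith(":"):
            continue
        if current is None:
            current = defaultdict(list)
        current[key].append(value)
    if current is not None:
        records.append(current)
    return records


def audit_rfc2307(records):
    """Classify user accounts by the state of their uidNumber/gidNumber.

    'missing'   : no uidNumber or gidNumber -> falls back to the idmap.ldb
                  xidNumber, so files get an unexpected owner.
    'invalid'   : value present but not numeric.
    'duplicate' : uidNumber shared with another account (must be unique).
    'ok'        : unique numeric uidNumber and numeric gidNumber.
    """
    users = [r for r in records if "user" in r.get("objectClass", [])]
    owners = defaultdict(list)  # uidNumber -> accounts claiming it
    for r in users:
        for uid in r.get("uidNumber", []):
            owners[uid].append(r["sAMAccountName"][0])
    report = {"ok": [], "missing": [], "invalid": [], "duplicate": []}
    for r in users:
        name = r["sAMAccountName"][0]
        uids, gids = r.get("uidNumber", []), r.get("gidNumber", [])
        if not uids or not gids:
            report["missing"].append(name)
        elif not (uids[0].isdigit() and gids[0].isdigit()):
            report["invalid"].append(name)
        elif len(owners[uids[0]]) > 1:
            report["duplicate"].append(name)
        else:
            report["ok"].append(name)
    return report


if __name__ == "__main__":
    # Real use: ldbsearch -H /path/to/sam.ldb 'objectClass=user' | python3 audit.py
    import sys
    data = SAMPLE_LDBSEARCH_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for state, names in audit_rfc2307(parse_ldbsearch(data)).items():
        print(f"{state:9s} {', '.join(names) or '-'}")
```

Run against the sample it reports bacedifo as ok, nouid as missing and dupa/dupb as duplicate; on a real DC pipe the output of ldbsearch over all user objects into it (the sam.ldb path is a placeholder). The same idea extends to group objects by checking gidNumber uniqueness instead.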