Hello,

We are in the process of providing access to an AD connected master domain and one of its subdomains to one of our SAMBA 4.6.2 file-share servers. The samba server is a member of the MASTER domain. The problem is we have cases where the same person has an account in both the master domain and the sub domain (long story and we know it is not a good practice but something I am powerless to change). The person (see example below for further clarity) has the same unix attributes set in both the domain and sub-domain. When you run testparm it complains of having the range overlap but the config seems to be working OK. Is there any reason we should not go forward with this config or should we push back and make the users in the subdomain have different uid and gid numbers from the master domain? The benefit of having the same uid and gid is we don't have to worry about changing file ownership if a user moves between domains.

Example:

MASTER\user : uidNumber = 10000 : gidNumber = 10000
SUB\user : uidNumber = 10000 : gidNumber = 10000

SMB Config:

# Global parameters
[global]
        realm = MASTER.TEST.COM
        server string = Samba Server
        workgroup = MASTER
        log file = /var/log/samba/log.%I
        disable spoolss = Yes
        load printers = No
        printcap name = /dev/null
        client min protocol = SMB2_02
        server min protocol = SMB2_02
        unix extensions = No
        kerberos method = secrets and keytab
        security = ADS
        server signing = if_required
        template homedir = /home/%U
        template shell = /bin/bash
        winbind offline logon = Yes
        winbind refresh tickets = Yes
        winbind separator = +
        winbind use default domain = Yes
        idmap config MASTER:schema_mode = rfc2307
        idmap config MASTER:range = 9000-5000000000
        idmap config MASTER:default = yes
        idmap config MASTER:backend = ad
        idmap config SUB:schema_mode = rfc2307
        idmap config SUB:range = 9000-5000000000
        idmap config SUB:backend = ad
        idmap config * : backend = tdb
        idmap config *:range = 3000-8999

Thanks in advance!
Nate
Rowland Penny
2018-Apr-18 14:38 UTC
[Samba] idmap_ad overlap with domain and sub-domain overlap
On Wed, 18 Apr 2018 10:02:53 -0400
Wvu Hpc via samba <samba at lists.samba.org> wrote:

> Hello,
>
> We are in process of providing access to a AD connected master domain
> and one its subdomains to one of our SAMBA 4.6.2 file-share servers.
> The samba server is a member of the MASTER domain. The problem is we
> have cases where the same person has an account in both the master
> domain and the sub domain (long story and we know it is not a good
> practice but something I am powerless to change). The person (see
> example below for further clarity) has the same unix attributes set
> in both the domain and sub-domain. When you run testparm it
> complains of having the range overlap but the config seems to be
> working OK. Is there any reason we should not go forward with this
> config or should we push back and make the users in the subdomain
> have the different uid and gid numbers from the master domain? The
> benefit of having the same uid and gid is we don't have to worry
> about changing file ownership if a user moves between domains.
>
> Example:
>
> MASTER\user : uidNumber = 10000 : gidNumber = 10000
> SUB\user : uidNumber = 10000 : gidNumber = 10000
>
> SMB Config:
>
> # Global parameters
> [global]
> workgroup = MASTER
> winbind use default domain = Yes
> idmap config MASTER:schema_mode = rfc2307
> idmap config MASTER:range = 9000-5000000000
> idmap config MASTER:default = yes
> idmap config MASTER:backend = ad
> idmap config SUB:schema_mode = rfc2307
> idmap config SUB:range = 9000-5000000000
> idmap config SUB:backend = ad
> idmap config * : backend = tdb
> idmap config *:range = 3000-8999
>

Firstly, you cannot use 'winbind use default domain = Yes' if you have more than one domain in smb.conf.
Secondly, as you already know, you cannot use the same range for both domains. Yes I know that some of the users have the same uidNumber in both domains, but what about the ones that don't?

I would remove the 'winbind use default domain' line and then use the 'rid' backend for the 'SUB' domain with a different range:

idmap config SUB:range = 5000000001-10000000000
idmap config SUB:backend = rid

This will probably entail changing the ownership of files and dirs.

You say you have no control of the domains, but I would be having words with whoever does have control, mentioning words like 'stupid' and 'idiot' ;-)

Rowland
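The two checks Rowland raises, written up as an added Python example (not code from this thread or from Samba): it parses the 'idmap config' lines of a constructed smb.conf excerpt, reports any pair of domains whose ranges intersect, and flags 'winbind use default domain' when more than one named domain is configured. The excerpts and the rid range are those quoted in the messages above.

```python
import re
from itertools import combinations

# Constructed excerpt of the smb.conf from the original post (ranges overlap).
ORIGINAL_CONF = """
    winbind use default domain = Yes
    idmap config MASTER:range = 9000-5000000000
    idmap config MASTER:backend = ad
    idmap config SUB:range = 9000-5000000000
    idmap config SUB:backend = ad
    idmap config * : backend = tdb
    idmap config *:range = 3000-8999
"""
# The same excerpt with the changes suggested in the reply applied.
FIXED_CONF = """
    idmap config MASTER:range = 9000-5000000000
    idmap config MASTER:backend = ad
    idmap config SUB:range = 5000000001-10000000000
    idmap config SUB:backend = rid
    idmap config * : backend = tdb
    idmap config *:range = 3000-8999
"""
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
DEFAULT_RE = re.compile(r"^\s*winbind use default domain\s*=\s*(yes|true|1)\s*$", re.I)

def parse_idmap(conf):
    """Collect {domain: {option: value}} from every 'idmap config' line."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            domains.setdefault(dom, {})[opt] = val
    return domains

def check_idmap(conf):
    """Return the problems found: overlapping ranges, and 'winbind use default domain' with several named domains."""
    problems = []
    domains = parse_idmap(conf)
    ranges = {d: tuple(int(x) for x in o["range"].split("-"))
              for d, o in domains.items() if "range" in o}
    for a, b in combinations(sorted(ranges), 2):
        (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
        if alo <= bhi and blo <= ahi:  # closed intervals intersect
            problems.append(f"range overlap: {a} {alo}-{ahi} and {b} {blo}-{bhi}")
    named = [d for d in domains if d != "*"]
    if len(named) > 1 and any(DEFAULT_RE.match(ln) for ln in conf.splitlines()):
        problems.append("winbind use default domain with several domains: " + ", ".join(sorted(named)))
    return problems
```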
Hi Rowland,

Thanks for the help and ideally I would like to get rid of the sub domain altogether but that is probably not going to happen. So a couple of comments and please forgive any of my ignorance.

For your second question, all users in the subdomain who have access to the SAMBA server do have uidNumber set and it matches the uidNumber set in MASTER. Since this is the case, would the overlapping ranges be OK? I saw this post (https://lists.samba.org/archive/samba-technical/2016-December/117567.html) and thought it might indicate it is OK but was not sure?

For 'winbind use default domain = Yes' I thought this would assume the default domain for ssh logins as being the master since I have "idmap config MASTER:default = yes". It appears to work as it allows users to login without having to specify a domain. Although, if a user from the SUB domain logs in they must specify SUB\user to login. Is that incorrect? If I remove use default = yes, users of MASTER must also specify their domain during login ... at least that is how it seemed during testing?

Thanks again!

On Wed, Apr 18, 2018 at 10:38 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Wed, 18 Apr 2018 10:02:53 -0400
> Wvu Hpc via samba <samba at lists.samba.org> wrote:
>
> > Hello,
> >
> > We are in process of providing access to a AD connected master domain
> > and one its subdomains to one of our SAMBA 4.6.2 file-share servers.
> > The samba server is a member of the MASTER domain. The problem is we
> > have cases where the same person has an account in both the master
> > domain and the sub domain (long story and we know it is not a good
> > practice but something I am powerless to change). The person (see
> > example below for further clarity) has the same unix attributes set
> > in both the domain and sub-domain. When you run testparm it
> > complains of having the range overlap but the config seems to be
> > working OK. Is there any reason we should not go forward with this
> > config or should we push back and make the users in the subdomain
> > have the different uid and gid numbers from the master domain? The
> > benefit of having the same uid and gid is we don't have to worry
> > about changing file ownership if a user moves between domains.
> >
> > Example:
> >
> > MASTER\user : uidNumber = 10000 : gidNumber = 10000
> > SUB\user : uidNumber = 10000 : gidNumber = 10000
> >
> > SMB Config:
> >
> > # Global parameters
> > [global]
> > workgroup = MASTER
> > winbind use default domain = Yes
> > idmap config MASTER:schema_mode = rfc2307
> > idmap config MASTER:range = 9000-5000000000
> > idmap config MASTER:default = yes
> > idmap config MASTER:backend = ad
> > idmap config SUB:schema_mode = rfc2307
> > idmap config SUB:range = 9000-5000000000
> > idmap config SUB:backend = ad
> > idmap config * : backend = tdb
> > idmap config *:range = 3000-8999
> >
>
> Firstly, you cannot use 'winbind use default domain = Yes' if you have
> more than one domain in smb.conf.
> Secondly, as you already know, you cannot use the same range for both
> domains. Yes I know that some of the users have the same uidNumber in
> both domains, but what about the ones that don't ?
>
> I would remove the 'winbind use default domain' line and then use the
> 'rid' backend for the 'SUB' domain with a different range:
>
> idmap config SUB:range = 5000000001-10000000000
> idmap config SUB:backend = rid
>
> This will probably entail changing the ownership of files and dirs
>
> You say you have no control of the domains, but I would be having
> words with whoever does have control, mentioning words like 'stupid'
> and 'idiot' ;-)
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>