Taner Tas
2018-Jul-24 14:43 UTC
[Samba] Tracing the consequences of overlapped id mappings
Hi,
I'm trying to find out the consequences of overlapped idmap settings that
were used with 4.3.11 DCs. I'm about to upgrade these DCs to the 4.8
version.
Before deploying new DCs, I want to make sure that any side effects
regarding idmap settings will be left behind.
# ldbsearch -H /var/lib/samba/private/idmap.ldb | grep xidNumber \
| cut -d' ' -f2 | sort
0
100
3000000
3000001
3000002
3000003
3000004
3000005
3000006
3000007
3000008
3000009
3000010
3000011
.
.
3000180
3000181
3000182
3000183
3000184
3000185
3000186
3000187
3000188
65534
So, xidNumber values start at 3000000, except 0, 100 and 65534, which are
the expected values for Administrator, the Users group and nobody. Since all
other IDs are in a regular sequence (and no duplicates), can we conclude that
the DCs didn't respect the idmap range settings at all? So can I continue to use
the same idmap.ldb file after discarding all idmap config settings without
any worry?
# cat /etc/samba/smb.conf
[global]
workgroup = TESTDOMAIN
realm = TESTDOMAIN.LOCAL.TLD
netbios name = DC1
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbindd, ntp_signd, kcc, dnsupdate
tls enabled = yes
tls keyfile = tls/key.pem
tls certfile = tls/cert.pem
tls cafile = tls/ca.pem
idmap_ldb:use rfc2307 = yes
idmap config *:backend = tdb
idmap config *:range = 10000-99999
idmap config TESTDOMAIN : backend = ad
idmap config TESTDOMAIN : range = 10000-99999
idmap config TESTDOMAIN : schema_mode = rfc2307
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind nested groups = yes
winbind nss info = rfc2307
winbind refresh tickets = yes
winbind offline logon = true
template homedir = /home/%D/%U
template shell = /bin/false
ntlm auth = yes
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
restrict anonymous = 2
log file = /var/log/samba/samba.log
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
[netlogon]
path = /var/lib/samba/sysvol/testdomain.local.tld/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
Thanks.
Rowland Penny
2018-Jul-24 15:04 UTC
[Samba] Tracing the consequences of overlapped id mappings
On Tue, 24 Jul 2018 17:43:44 +0300 Taner Tas via samba <samba at lists.samba.org> wrote:
> Hi,
>
> I'm trying to find out consequences of overlapped idmap settings that
> used with 4.3.11 DC's. I'm about to upgrade these DC's to 4.8
> version. Before deploying new DCs, I want to make sure that any side
> effects regarding id map settings will be left behind.
>
> # ldbsearch -H /var/lib/samba/private/idmap.ldb | grep xidNumber \
> | cut -d' ' -f2 | sort
>
> 0
> 100
> 3000000
> 3000001
> 3000002
> 3000003
> 3000004
> 3000005
> 3000006
> 3000007
> 3000008
> 3000009
> 3000010
> 3000011
> .
> .
> 3000180
> 3000181
> 3000182
> 3000183
> 3000184
> 3000185
> 3000186
> 3000187
> 3000188
> 65534
>
> So, xidNumber values starting at 3000000 except 0,100,65534 which are
> expected values for Administrator, Users group and nobody. Since all
> other ID's are in regular pace (and no duplicates), can we conclude
> that DCs didn't respect idmap range settings at all? So I can
> continue to use same idmap.ldb file after discarding all idmap config
> settings without any worry?
>
> # cat /etc/samba/smb.conf
> [global]
> workgroup = TESTDOMAIN
> realm = TESTDOMAIN.LOCAL.TLD
> netbios name = DC1
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbindd, ntp_signd, kcc, dnsupdate
> tls enabled = yes
> tls keyfile = tls/key.pem
> tls certfile = tls/cert.pem
> tls cafile = tls/ca.pem
>
> idmap_ldb:use rfc2307 = yes
> idmap config *:backend = tdb
> idmap config *:range = 10000-99999
> idmap config TESTDOMAIN : backend = ad
> idmap config TESTDOMAIN : range = 10000-99999
> idmap config TESTDOMAIN : schema_mode = rfc2307
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
> winbind nested groups = yes
> winbind nss info = rfc2307
> winbind refresh tickets = yes
> winbind offline logon = true
> template homedir = /home/%D/%U
> template shell = /bin/false
> ntlm auth = yes
> client use spnego = yes
> client ntlmv2 auth = yes
> encrypt passwords = yes
> restrict anonymous = 2
> log file = /var/log/samba/samba.log
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
>
> [netlogon]
> path = /var/lib/samba/sysvol/testdomain.local.tld/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> Thanks.
You are making the same mistake that lots of people make, you are
confusing a DC smb.conf with a Unix domain member one ;-)

Or to put it another way, remove all these lines, they are either
defaults or have absolutely no place in a DC smb.conf:

tls enabled = yes
tls keyfile = tls/key.pem
tls certfile = tls/cert.pem
tls cafile = tls/ca.pem
idmap config *:backend = tdb
idmap config *:range = 10000-99999
idmap config TESTDOMAIN : backend = ad
idmap config TESTDOMAIN : range = 10000-99999
idmap config TESTDOMAIN : schema_mode = rfc2307
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind nested groups = yes
winbind nss info = rfc2307
winbind refresh tickets = yes
winbind offline logon = true
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes

idmap works differently on a DC from a Unix domain member.

Rowland