Ralf Spenneberg (Samba)
2019-Mar-01 12:05 UTC
[Samba] uidNumber=RID allowed or not recommended?
Hi,

the samba documentation concerning the migration of a Samba NT4 domain to AD (https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade)) mentions in section "Important Notes":

It used to be thought that using Windows RIDs for Unix IDs was acceptable, time has proven otherwise.

But unfortunately no reasoning is given. I am wondering why this is not recommended.

We are currently planning such a migration. Unfortunately we have to set the uidNumber=RID for all users. Currently around half the users have this setting based on LDAP. This is required so that a third party application will work after the migration. This third party application is Samba-aware, but when using Samba NT4 style domains the application uses the uidNumber for internal identification, and when using AD style domains the RID is used. The migration will therefore screw the internal identification of the users when migrating.

We did not encounter any problems with those users currently using uidNumber=RID and would like to modify the other users as well.

I am aware of the fact that we need to adapt the local privileges on the Samba fileservers as well.

Any hints or ideas are welcome.

Kind regards,
Ralf
On Fri, 1 Mar 2019 13:05:35 +0100 "Ralf Spenneberg (Samba) via samba" <samba at lists.samba.org> wrote:

> Hi,
>
> the samba documentation concerning the migration of a Samba NT4 domain
> to AD
> (https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade))
> mentions in section "Important Notes":
>
> It used to be thought that using Windows RIDs for Unix IDs was
> acceptable, time has proven otherwise.
>
> But unfortunately no reasoning is given. I am wondering why this is
> not recommended.

OK, in the past it used to be standard practice to use the RID as the uidNumber or gidNumber. Normal user or group RIDs start at '1000', but the well-known SIDs start at '500'. One of the well-known SIDs is 'S-1-5-21-domain-513', this is Domain Users and is the users' primary group.

For a user to be known to Unix, the user must have a uidNumber and their primary group must have a gidNumber; also these *idNumbers must contain a number that is inside the range set in the 'idmap config' line in smb.conf. So if you use the RIDs for the *idNumbers, you will need a line like this:

    idmap config DOMAIN : range = 500-100000

Which leads to a problem: any normal Unix users will be ignored, you will have to put the default domain above the 'DOMAIN' domain, and if you set the 'DOMAIN' upper range too low, what happens if you reach this limit and cannot raise it because it would overlap the default domain?

> We are currently planning such a migration. Unfortunately we have to
> set the uidNumber=RID for all users. Currently around half the users
> have this setting based on LDAP. This is required so that a third
> party application will work after the migration. This third party
> application is Samba-aware, but when using Samba NT4 style domains the
> application uses the uidNumber for internal identification, and when
> using AD style domains the RID is used. The migration will therefore
> screw the internal identification of the users when migrating.
> We did not encounter any problems with those users currently using
> uidNumber=RID and would like to modify the other users as well.
> I am aware of the fact that we need to adapt the local privileges on
> the Samba fileservers as well.

Looks like you are damned if you do and damned if you don't.

Is there any way to update the IDs on NT4-style domains? Probably not, but if you could it would be a good idea.

It might help if you read this:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Rowland

> Any hints or ideas are welcome.
>
> Kind regards,
> Ralf
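The three constraints Rowland describes (the per-domain idmap range must contain every RID-derived uidNumber/gidNumber including the well-known 513, the default '*' range must not overlap it, and local Unix accounts inside that range become a problem) can be checked mechanically before the migration. The script below is an added example written for this thread, not Samba project code or anything from the original posts. It parses the `idmap config ... : range` lines from an smb.conf fragment, flags overlapping ranges, and then checks a list of AD objects (identified by objectSid, with the RID taken as the last SID component) against the domain range and against the UIDs already present in /etc/passwd. The smb.conf text, the SIDs and the passwd lines are all constructed samples; the domain name `DOMAIN` and the range values are assumptions chosen to mirror the line quoted in the reply.

```python
"""Pre-migration sanity checks for the "uidNumber = RID" scheme.

Added example, not Samba project code.  It reads an smb.conf fragment,
checks that the per-domain idmap range and the default '*' range do not
overlap, that every RID-derived uidNumber/gidNumber falls inside the
domain range, and whether any local /etc/passwd account already owns an
ID inside that range.  All inputs below are constructed samples.
"""
import re

# Constructed smb.conf fragment (assumed layout; only the idmap lines matter).
# The DOMAIN range starts at 500 so that well-known RIDs such as 513
# (Domain Users) can serve as gidNumber, as discussed in the thread.
# The '*' range here deliberately sits inside the DOMAIN range.
SMB_CONF_OVERLAPPING = """
[global]
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config DOMAIN : backend = ad
   idmap config DOMAIN : range = 500-100000
"""

# Same fragment with the default range moved above the DOMAIN range.
SMB_CONF_FIXED = SMB_CONF_OVERLAPPING.replace("3000-7999", "100001-110000")

# Constructed AD objects: (name, objectSid, kind).  The RID is the last component.
SAMPLE_OBJECTS = [
    ("Domain Users", "S-1-5-21-1111-2222-3333-513", "group"),
    ("Administrator", "S-1-5-21-1111-2222-3333-500", "user"),
    ("alice", "S-1-5-21-1111-2222-3333-1000", "user"),
    ("bob", "S-1-5-21-1111-2222-3333-1001", "user"),
    ("svc_backup", "S-1-5-21-1111-2222-3333-150000", "user"),
]

# Constructed /etc/passwd lines as found on a hypothetical file server.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
localapp:x:1001:1001:Local App:/srv/app:/usr/sbin/nologin
"""

_RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def parse_idmap_ranges(conf: str) -> dict:
    """Map each idmap domain name ('*' is the default) to an inclusive (low, high) range."""
    return {name: (int(low), int(high)) for name, low, high in _RANGE_RE.findall(conf)}


def overlapping(a, b) -> bool:
    """True if two inclusive (low, high) ranges share at least one ID."""
    return a[0] <= b[1] and b[0] <= a[1]


def check_range_layout(ranges: dict) -> list:
    """Report pairs of idmap ranges that overlap; Samba needs them disjoint."""
    problems = []
    names = sorted(ranges)
    for i, first in enumerate(names):
        for second in names[i + 1:]:
            if overlapping(ranges[first], ranges[second]):
                problems.append(
                    f"range for '{first}' {ranges[first]} overlaps '{second}' {ranges[second]}"
                )
    return problems


def rid_of(sid: str) -> int:
    """Return the RID, i.e. the last sub-authority of an objectSid string."""
    return int(sid.rsplit("-", 1)[1])


def check_rid_ids(objects, ranges: dict, domain: str, passwd: str) -> dict:
    """Check RID-as-*idNumber assignments against the domain range and local UIDs."""
    low, high = ranges[domain]
    local_uids = {}
    for line in passwd.splitlines():
        fields = line.split(":")
        if len(fields) >= 4:
            local_uids.setdefault(int(fields[2]), []).append(fields[0])
    out_of_range, collisions = [], []
    for name, sid, _kind in objects:
        rid = rid_of(sid)
        if not low <= rid <= high:
            out_of_range.append((name, rid))
        elif rid in local_uids:
            collisions.append((name, rid, local_uids[rid]))
    return {"out_of_range": out_of_range, "local_collisions": collisions}


if __name__ == "__main__":
    for label, conf in (("overlapping", SMB_CONF_OVERLAPPING), ("fixed", SMB_CONF_FIXED)):
        ranges = parse_idmap_ranges(conf)
        print(label, ranges, check_range_layout(ranges) or "ranges are disjoint")
    print(check_rid_ids(SAMPLE_OBJECTS, parse_idmap_ranges(SMB_CONF_FIXED),
                        "DOMAIN", SAMPLE_PASSWD))
```

On the constructed input the first config is rejected because 3000-7999 lies inside 500-100000, the corrected one passes, the service account whose RID exceeds the upper bound is reported as unmappable (the "what if you reach the limit" case from the reply), and `bob` shares ID 1001 with the local `localapp` account, which is exactly the kind of local privilege that would have to be adjusted on the file servers. Against a real domain, the object list would come from `ldbsearch`/`samba-tool` output and the passwd text from each member server.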