Jonathon Reinhart
2019-Jun-05 20:12 UTC
[Samba] Automatically assigning uidNumber / gidNumber attributes
All,

I'm working on a script to automatically assign uidNumber and gidNumber attributes to users. I have a few questions:

1) Which users should be excluded from this assignment?

I'm currently using this LDAP filter (simplified syntax used here):
(objectClass=user) & (objectCategory=Person) & ~(sAMAccountName=krbtgt*)

Specifically, based on recent conversations, I'm wondering if Administrator should have uidNumber assigned.

2) Which groups should be excluded?

I'm currently using:
(objectClass=group)

https://lists.samba.org/archive/samba/2019-June/223478.html
In this post, Rowland said "Oh good, 'Domain Admins' doesn't have a gidNumber attribute." I'm assuming that means it should be avoided? What other groups should be avoided, and why?

3) Should I assign user gidNumbers?

I'm assigning user gidNumber by resolving their primaryGroupID RID to the group, and copying that gidNumber. As I understand, the idmap_ad plugin for Winbind applies this same logic if unix_primary_group is set to "no" (the default). Is there any reason that my script should not set gidNumber?

---

I'm using the range 100000-200000 for both uidNumber and gidNumber. From everything I've read this shouldn't conflict with anything, even if I extend it up towards 1M.

My script stores the "next uidNumber" and "next gidNumber" to assign in a local file. I could use MAX(uidNumber) but that could be problematic if the highest-valued user is deleted. It'd be great if I could somehow store these values in LDAP, but I'm not seeing a way to do that.

I intend to release the script as open-source after it gets a few miles on it :-)

Best regards,
Jonathon
Łukasz Michalski
2019-Jun-05 20:32 UTC
[Samba] Automatically assigning uidNumber / gidNumber attributes
On 2019-06-05 at 22:12, Jonathon Reinhart via samba wrote:
> Specifically, based on recent conversations, I'm wondering if
> Administrator should have uidNumber assigned.

Wiki says no:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Mapping_the_Domain_Administrator_Account_to_the_Local_root_User

Regards,
Łukasz
Rowland penny
2019-Jun-05 20:40 UTC
[Samba] Automatically assigning uidNumber / gidNumber attributes
On 05/06/2019 21:12, Jonathon Reinhart via samba wrote:
> All,
>
> I'm working on a script to automatically assign uidNumber and gidNumber
> attributes to users. I have a few questions:
>
> 1) Which users should be excluded from this assignment?

Any you want to be visible to Unix

> I'm currently using this LDAP filter (simplified syntax used here):
> (objectClass=user) & (objectCategory=Person) & ~(sAMAccountName=krbtgt*)

Try (&(objectCategory=person)(objectClass=user)) or (sAMAccountType=805306368)

> Specifically, based on recent conversations, I'm wondering if
> Administrator should have uidNumber assigned.

No, this would turn it into a normal Unix user

> 2) Which groups should be excluded?

Just about all the groups that a provision provides, with the exception of Domain Users

> I'm currently using:
> (objectClass=group)
>
> https://lists.samba.org/archive/samba/2019-June/223478.html
> In this post, Rowland said "Oh good, 'Domain Admins' doesn't have a
> gidNumber attribute."

Domain Admins is a group that must own files in Sysvol. Samba runs on Unix and groups cannot own files on Unix, so Domain Admins is mapped as ID_TYPE_BOTH in idmap.ldb on the DC; this makes Domain Admins a group and a user. If you give Domain Admins a gidNumber attribute, it becomes just a group and cannot own files.

> I'm assuming that means it should be avoided? What other groups should
> be avoided, and why?

See above.

> 3) Should I assign user gidNumbers?

This is entirely up to you, they will only really be used if you use 'idmap config DOMAIN : unix_primary_group = yes'

> I'm assigning user gidNumber by resolving their primaryGroupID RID to
> the group, and copying that gidNumber. As I understand, the idmap_ad
> plugin for Winbind applies this same logic if unix_primary_group is set
> to "no" (the default). Is there any reason that my script should not set
> gidNumber?
>
> ---

If you do the above, there is absolutely no point in setting the gidNumber attribute on a user.

> I'm using the range 100000-200000 for both uidNumber and gidNumber. From
> everything I've read this shouldn't conflict with anything, even if I
> extend it up towards 1M.

This is not a problem, a user with the uidNumber '10000' will never be mistaken for a group with the same ID

> My script stores the "next uidNumber" and "next gidNumber" to assign in
> a local file. I could use MAX(uidNumber) but that could be problematic
> if the highest-valued user is deleted. It'd be great if I could somehow
> store these values in LDAP, but I'm not seeing a way to do that.

Why not use the two attributes Microsoft used:

msSFU30MaxUidNumber
msSFU30MaxGidNumber

You just need to know where to store them ;-)

Rowland
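The selection and allocation logic discussed above, as an added example that is not part of the thread and not Jonathon's script. It runs offline over constructed dictionary entries standing in for AD objects (a real script would read them with ldbsearch or python-ldap and feed the LDIF back through ldbmodify). Assumptions, none of which the thread states: the list of provision groups to skip is illustrative rather than exhaustive; the msSFU30MaxUidNumber/msSFU30MaxGidNumber attributes are treated as "next value to hand out" and live on a hypothetical counter object whose DN is a parameter, since the thread does not say where they are stored; the upper end of the range is exclusive. Users are matched with sAMAccountType 805306368 as Rowland suggests, Administrator and krbtgt are skipped by RID, groups are processed before users so a user's gidNumber can be copied from its primaryGroupID group.

```python
# Added example (not from the thread): offline allocator for uidNumber/gidNumber.

SAM_NORMAL_USER_ACCOUNT = 805306368   # sAMAccountType of ordinary user objects
RID_ADMINISTRATOR = 500
RID_KRBTGT = 502
UID_RANGE = (100000, 200000)          # poster's range; upper bound exclusive (assumption)
GID_RANGE = (100000, 200000)

# Groups created by a provision. ASSUMPTION: illustrative, not exhaustive;
# everything here is skipped, Domain Users (RID 513) deliberately is not.
SKIP_PROVISION_GROUPS = {
    "Domain Admins", "Domain Guests", "Domain Computers", "Domain Controllers",
    "Schema Admins", "Enterprise Admins", "Group Policy Creator Owners",
    "Read-only Domain Controllers", "Cert Publishers", "DnsAdmins", "DnsUpdateProxy",
}


def rid(sid):
    """The relative ID is the last dash-separated component of an objectSid."""
    return int(sid.rsplit("-", 1)[1])


def eligible_user(e):
    """Normal user objects minus Administrator and any krbtgt* account."""
    if e.get("sAMAccountType") != SAM_NORMAL_USER_ACCOUNT:
        return False                      # computers, trusts, groups fall out here
    if rid(e["objectSid"]) in (RID_ADMINISTRATOR, RID_KRBTGT):
        return False
    return not e["sAMAccountName"].lower().startswith("krbtgt")   # RODC krbtgt_NNNNN


def eligible_group(e):
    return "group" in e.get("objectClass", ()) and e["sAMAccountName"] not in SKIP_PROVISION_GROUPS


def allocate(entries, counter_dn):
    """Return ([(dn, attribute, value), ...], next_uid, next_gid).

    Counters are read from the entry at counter_dn and written back at the end,
    so a deleted top user never makes a uid get reused (the MAX(uidNumber) problem).
    """
    by_dn = {e["dn"]: e for e in entries}
    next_uid = int(by_dn[counter_dn]["msSFU30MaxUidNumber"])
    next_gid = int(by_dn[counter_dn]["msSFU30MaxGidNumber"])
    changes = []

    # Pass 1: groups. Remember every group's gid (existing or new) by RID.
    gid_by_rid = {}
    for e in entries:
        if "group" not in e.get("objectClass", ()):
            continue
        if "gidNumber" in e:
            gid_by_rid[rid(e["objectSid"])] = int(e["gidNumber"])
        elif eligible_group(e):
            if not GID_RANGE[0] <= next_gid < GID_RANGE[1]:
                raise RuntimeError("gidNumber range exhausted")
            changes.append((e["dn"], "gidNumber", next_gid))
            gid_by_rid[rid(e["objectSid"])] = next_gid
            next_gid += 1

    # Pass 2: users. uidNumber from the counter; gidNumber copied from the
    # primaryGroupID group (only matters with unix_primary_group = yes).
    for e in entries:
        if not eligible_user(e):
            continue
        if "uidNumber" not in e:
            if not UID_RANGE[0] <= next_uid < UID_RANGE[1]:
                raise RuntimeError("uidNumber range exhausted")
            changes.append((e["dn"], "uidNumber", next_uid))
            next_uid += 1
        pg = gid_by_rid.get(e.get("primaryGroupID"))
        if pg is not None and "gidNumber" not in e:
            changes.append((e["dn"], "gidNumber", pg))

    changes.append((counter_dn, "msSFU30MaxUidNumber", next_uid))
    changes.append((counter_dn, "msSFU30MaxGidNumber", next_gid))
    return changes, next_uid, next_gid


def to_ldif(changes):
    """Render changes as LDIF modify records; 'replace' works whether or not the attribute exists."""
    return "\n".join(f"dn: {dn}\nchangetype: modify\nreplace: {a}\n{a}: {v}\n" for dn, a, v in changes)


# Constructed sample directory (not real data). Hypothetical counter DN.
BASE = "DC=example,DC=com"
DOM = "S-1-5-21-1111-2222-3333"
COUNTER_DN = f"CN=unixid-counter,CN=System,{BASE}"
SAMPLE = [
    {"dn": f"CN=Administrator,CN=Users,{BASE}", "objectClass": ("user",), "sAMAccountType": 805306368,
     "sAMAccountName": "Administrator", "objectSid": f"{DOM}-500", "primaryGroupID": 513},
    {"dn": f"CN=krbtgt,CN=Users,{BASE}", "objectClass": ("user",), "sAMAccountType": 805306368,
     "sAMAccountName": "krbtgt", "objectSid": f"{DOM}-502", "primaryGroupID": 513},
    {"dn": f"CN=alice,CN=Users,{BASE}", "objectClass": ("user",), "sAMAccountType": 805306368,
     "sAMAccountName": "alice", "objectSid": f"{DOM}-1104", "primaryGroupID": 513},
    {"dn": f"CN=bob,CN=Users,{BASE}", "objectClass": ("user",), "sAMAccountType": 805306368,
     "sAMAccountName": "bob", "objectSid": f"{DOM}-1105", "primaryGroupID": 513, "uidNumber": 100000},
    {"dn": f"CN=WS01,CN=Computers,{BASE}", "objectClass": ("user", "computer"), "sAMAccountType": 805306369,
     "sAMAccountName": "WS01$", "objectSid": f"{DOM}-1107", "primaryGroupID": 515},
    {"dn": f"CN=Domain Users,CN=Users,{BASE}", "objectClass": ("group",), "sAMAccountName": "Domain Users", "objectSid": f"{DOM}-513"},
    {"dn": f"CN=Domain Admins,CN=Users,{BASE}", "objectClass": ("group",), "sAMAccountName": "Domain Admins", "objectSid": f"{DOM}-512"},
    {"dn": f"CN=unixusers,CN=Users,{BASE}", "objectClass": ("group",), "sAMAccountName": "unixusers", "objectSid": f"{DOM}-1106"},
    {"dn": COUNTER_DN, "objectClass": ("container",), "msSFU30MaxUidNumber": "100001", "msSFU30MaxGidNumber": "100000"},
]

if __name__ == "__main__":
    print(to_ldif(allocate(SAMPLE, COUNTER_DN)[0]))
```

On the sample, Domain Users and unixusers get 100000 and 100001, Domain Admins is left alone so it stays ID_TYPE_BOTH, alice gets uidNumber 100001 (bob already holds 100000, which is why the counter starts at 100001), both users get gidNumber 100000 from Domain Users, Administrator, krbtgt and the computer account are untouched, and both counters end at 100002. Writing the two counter attributes back in the same run is the point: the next run starts where this one stopped regardless of what was deleted in between.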
Łukasz Michalski
2019-Jun-07 15:37 UTC
[Samba] Automatically assigning uidNumber / gidNumber attributes
On 05.06.2019 22:40, Rowland penny via samba wrote:
>> https://lists.samba.org/archive/samba/2019-June/223478.html
>> In this post, Rowland said "Oh good, 'Domain Admins' doesn't have a
>> gidNumber attribute."
> Domain Admins is a group that must own files in Sysvol. Samba runs on Unix and groups cannot own files on Unix, so Domain Admins is mapped as ID_TYPE_BOTH in idmap.ldb on the DC, this makes Domain Admins a group and a user. If you give Domain Admins a gidNumber attribute, it becomes just a group and cannot own files.

Now I am confused. Reading "Adding a share" on domain member here:
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Adding_a_Share

If with idmap-ad I do not set gidNumber on Domain Admins, I will not be able to chown to that group? Is it better to create another administrative group for managing file permissions?

Regards,
Łukasz