Alexey A Nikitin
2019-Jun-13 15:48 UTC
[Samba] Samba + sssd deployment: success and failure
On Thursday, 13 June 2019 00:41:09 PDT Rowland penny via samba wrote:
> On 13/06/2019 07:55, Alexey A Nikitin wrote:
> > On Wednesday, 12 June 2019 13:07:56 PDT Rowland penny via samba wrote:
> >>>> I think you mean 'RID' instead of 'SID'
> >>> Yes, you're right. The Windows people seem to use the terms synonymously.
> >> I cannot help that, the SID identifies the domain and the RID is
> >> appended to the end of the SID and identifies the object (user,
> >> group, computer etc)
> >>
> > I believe a small clarification is due here: SID does identify individual objects. It has a 96-bit (12-byte) pseudo-random section that identifies a domain or an individual computer relative to which the RID is effective (IIRC some sources refer to it as 'source of authority') as well as a 32-bit RID (relative ID, similar to UID/GID in POSIX except it is a single 32-bit space for any and all security principals in a domain/machine) itself as its components. AFAIK the only exceptions to the rule of SID including RID as its necessary part are Service SIDs and Machine SIDs. The Service SIDs are used to manage permissions for individual services (longer than a typical SID and based on a SHA1 hash of the service name) and Machine SIDs are effectively just a special case of the SID prefix without RID. That said, the machine accounts in AD will have a full SID with RID, and that SID will not match the local machine SID at all.
> >
> > If any of the above is a misconception I have - please correct me.
> You might think that and you may be correct in what you say, but it
> still doesn't alter the fact the SID by itself identifies the domain and
> to identify an individual object it gets a RID added to the end of the SID.
>
> The SID can be in the form 'S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz'
> or 'S-1-5-32' (there are others)
>
> Until you add a RID to the above, it only identifies a domain, but once
> you do, it identifies an individual object in a domain, S-1-5-32-548
> identifies the 'Account Operators' group in the BUILTIN domain.
>
> You cannot call something a SID, then add a RID to it and continue to
> call it a SID, 'SID-RID' perhaps would be a better term.
>
> Rowland
>

According to the MS docs SID=('S-'+version+identifier authority value+domain or computer identifier+RID). The SIDs that don't contain a RID are the special cases of Machine SID, Domain SID, Service SID, and some predefined universal well-known SIDs [1]. According to the common use in MS tools SID encompasses RID. And even in Samba (wbinfo immediately comes to mind) SID also encompasses RID. More generally, the definition of SID is a unique identifier for a security principal, and to match that definition one security principal within a domain (or a local machine) has to be distinguished from another security principal within the same domain or machine, which is achieved through the RID part of the SID. So, RID is just a (sometimes optional, but in those contexts "SID+RID" also doesn't make any sense) part of SID, not a separate and independent piece.

Now, I'm not going to even pretend that I understand AD DS and Samba better than you do - I rather obviously don't since I'm not the one answering people's questions - but I would like us to get the terminology straight before we have any serious discussion about any of it to avoid misunderstandings.

Thank you,
Alexey

[1] https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-identifiers#security-identifier-architecture
On 13/06/2019 16:48, Alexey A Nikitin wrote:
> On Thursday, 13 June 2019 00:41:09 PDT Rowland penny via samba wrote:
>> On 13/06/2019 07:55, Alexey A Nikitin wrote:
>>> On Wednesday, 12 June 2019 13:07:56 PDT Rowland penny via samba wrote:
>>>>>> I think you mean 'RID' instead of 'SID'
>>>>> Yes, you're right. The Windows people seem to use the terms synonymously.
>>>> I cannot help that, the SID identifies the domain and the RID is
>>>> appended to the end of the SID and identifies the object (user,
>>>> group, computer etc)
>>>>
>>> I believe a small clarification is due here: SID does identify individual objects. It has a 96-bit (12-byte) pseudo-random section that identifies a domain or an individual computer relative to which the RID is effective (IIRC some sources refer to it as 'source of authority') as well as a 32-bit RID (relative ID, similar to UID/GID in POSIX except it is a single 32-bit space for any and all security principals in a domain/machine) itself as its components. AFAIK the only exceptions to the rule of SID including RID as its necessary part are Service SIDs and Machine SIDs. The Service SIDs are used to manage permissions for individual services (longer than a typical SID and based on a SHA1 hash of the service name) and Machine SIDs are effectively just a special case of the SID prefix without RID. That said, the machine accounts in AD will have a full SID with RID, and that SID will not match the local machine SID at all.
>>>
>>> If any of the above is a misconception I have - please correct me.
>> You might think that and you may be correct in what you say, but it
>> still doesn't alter the fact the SID by itself identifies the domain and
>> to identify an individual object it gets a RID added to the end of the SID.
>>
>> The SID can be in the form 'S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz'
>> or 'S-1-5-32' (there are others)
>>
>> Until you add a RID to the above, it only identifies a domain, but once
>> you do, it identifies an individual object in a domain, S-1-5-32-548
>> identifies the 'Account Operators' group in the BUILTIN domain.
>>
>> You cannot call something a SID, then add a RID to it and continue to
>> call it a SID, 'SID-RID' perhaps would be a better term.
>>
>> Rowland
>>
> According to the MS docs SID=('S-'+version+identifier authority value+domain or computer identifier+RID). The SIDs that don't contain a RID are the special cases of Machine SID, Domain SID, Service SID, and some predefined universal well-known SIDs [1]. According to the common use in MS tools SID encompasses RID. And even in Samba (wbinfo immediately comes to mind) SID also encompasses RID. More generally, the definition of SID is a unique identifier for a security principal, and to match that definition one security principal within a domain (or a local machine) has to be distinguished from another security principal within the same domain or machine, which is achieved through the RID part of the SID. So, RID is just a (sometimes optional, but in those contexts "SID+RID" also doesn't make any sense) part of SID, not a separate and independent piece.
>

I do not really care what Microsoft calls them, to me a SID identifies a domain, a RID identifies an object in a domain and a SID-RID is a combination of the two and identifies an object in a particular domain.

If you want to call a SID-RID a SID, be my guest, I will not stop you ;-)

Rowland
Goetz, Patrick G
2019-Jun-13 16:17 UTC
[Samba] Samba + sssd deployment: success and failure
On 6/13/19 10:48 AM, Alexey A Nikitin via samba wrote:
> According to the MS docs SID=('S-'+version+identifier authority value+domain or computer identifier+RID). The SIDs that don't contain a RID are the special cases of Machine SID, Domain SID, Service SID, and some predefined universal well-known SIDs [1]. According to the common use in MS tools SID encompasses RID. And even in Samba (wbinfo immediately comes to mind) SID also encompasses RID. More generally, the definition of SID is a unique identifier for a security principal, and to match that definition one security principal within a domain (or a local machine) has to be distinguished from another security principal within the same domain or machine, which is achieved through the RID part of the SID. So, RID is just a (sometimes optional, but in those contexts "SID+RID" also doesn't make any sense) part of SID, not a separate and independent piece.
>

I think the relevant question (and the reason this came up) is that I want the UID mapping to be:

linux UID = domain RID

I was calling it an SID (which, based on talking to Windows admins, I'm surmising is understood to mean RID, depending on context). Anyway, that was the genesis of this discussion.

To give a concrete example, running this command on one of the sssd linux domain members:

root@kraken:/home/pgoetz# getent passwd pgoetz
pgoetz:*:1562224688:1007000513:Goetz Patrick G (pgoetz):/home/pgoetz:/bin/bash

1562224688 is my domain RID, 1007000513 is the RID for the Domain Users group:

root@kraken:/home/pgoetz# ls -l
total 0
drwxr-xr-x 2 pgoetz domain users 25 Oct  1  2018 Desktop
drwxr-xr-x 2 pgoetz domain users  6 Aug  3  2018 Documents
drwxr-xr-x 2 pgoetz domain users  6 Aug  3  2018 Downloads
drwxr-xr-x 2 pgoetz domain users  6 Aug  3  2018 Music
drwxr-xr-x 2 pgoetz domain users  6 Aug  3  2018 Pictures
drwxr-xr-x 2 pgoetz domain users  6 Aug  3  2018 Public
drwxr-xr-x 3 pgoetz domain users 41 Aug  3  2018 snap
drwxr-xr-x 2 pgoetz domain users  6 Aug  3  2018 Templates
drwxr-xr-x 2 pgoetz domain users  6 Aug  3  2018 Videos
On 13/06/2019 17:17, Goetz, Patrick G via samba wrote:
> On 6/13/19 10:48 AM, Alexey A Nikitin via samba wrote:
>> According to the MS docs SID=('S-'+version+identifier authority value+domain or computer identifier+RID). The SIDs that don't contain a RID are the special cases of Machine SID, Domain SID, Service SID, and some predefined universal well-known SIDs [1]. According to the common use in MS tools SID encompasses RID. And even in Samba (wbinfo immediately comes to mind) SID also encompasses RID. More generally, the definition of SID is a unique identifier for a security principal, and to match that definition one security principal within a domain (or a local machine) has to be distinguished from another security principal within the same domain or machine, which is achieved through the RID part of the SID. So, RID is just a (sometimes optional, but in those contexts "SID+RID" also doesn't make any sense) part of SID, not a separate and independent piece.
>>
> I think the relevant question (and the reason this came up) is that I
> want the UID mapping to be:
>
> linux UID = domain RID
>
> I was calling it an SID (which, based on talking to Windows admins, I'm
> surmising is understood to mean RID, depending on context). Anyway,
> that was the genesis of this discussion.
>
> To give a concrete example,
>
> Running this command on one of sssd linux domain members:
>
> root@kraken:/home/pgoetz# getent passwd pgoetz
> pgoetz:*:1562224688:1007000513:Goetz Patrick G
> (pgoetz):/home/pgoetz:/bin/bash
>
> 1562224688 is my domain RID, 1007000513 is the RID for the Domain Users
> group:

I doubt very much that your Windows RID is '1562224688', well not unless you have an extremely large domain, it is more likely to be '4688'

If you want your Unix ID to be exactly the same as your Windows RID, you could use the winbind 'rid' backend and use lines similar to these:

idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 0-a_number_larger_than_the_largest_RID_in_AD

With that getent would return something like this:

pgoetz:*:4688:513:Goetz Patrick G

However, I wouldn't recommend that range, you couldn't have any local users.

Rowland
Alexey A Nikitin
2019-Jun-13 17:32 UTC
[Samba] Samba + sssd deployment: success and failure
On Thursday, 13 June 2019 09:18:25 PDT Goetz, Patrick G via samba wrote:
> On 6/13/19 10:48 AM, Alexey A Nikitin via samba wrote:
> > According to the MS docs SID=('S-'+version+identifier authority value+domain or computer identifier+RID). The SIDs that don't contain a RID are the special cases of Machine SID, Domain SID, Service SID, and some predefined universal well-known SIDs [1]. According to the common use in MS tools SID encompasses RID. And even in Samba (wbinfo immediately comes to mind) SID also encompasses RID. More generally, the definition of SID is a unique identifier for a security principal, and to match that definition one security principal within a domain (or a local machine) has to be distinguished from another security principal within the same domain or machine, which is achieved through the RID part of the SID. So, RID is just a (sometimes optional, but in those contexts "SID+RID" also doesn't make any sense) part of SID, not a separate and independent piece.
> >
>
> I think the relevant question (and the reason this came up) is that I
> want the UID mapping to be:
>
> linux UID = domain RID
>
> I was calling it an SID (which, based on talking to Windows admins, I'm
> surmising is understood to mean RID, depending on context). Anyway,
> that was the genesis of this discussion. To give a concrete example,
>
> Running this command on one of sssd linux domain members:
>
> root@kraken:/home/pgoetz# getent passwd pgoetz
> pgoetz:*:1562224688:1007000513:Goetz Patrick G
> (pgoetz):/home/pgoetz:/bin/bash
>
> 1562224688 is my domain RID, 1007000513 is the RID for the Domain Users
> group:
>

Domain Users group is a standard group with a well-known SID of S-1-5-<domain id>-513, and its RID is 513. If you read through 'man idmap_rid' you'll see that UID/GID = range base offset + RID.

In other words, if you want to get the actual RID of a security principal in your domain you should subtract from their UID/GID on your system the number 1007000000, which apparently is the base offset for the UID/GID range you've assigned for that domain in your system.

On Thursday, 13 June 2019 09:11:32 PDT Rowland penny via samba wrote:
> I do not really care what Microsoft calls them, to me a SID identifies a
> domain, a RID identifies an object in a domain and a SID-RID is a
> combination of the two and identifies an object in a particular domain.
>
> If you want to call a SID-RID a SID, be my guest, I will not stop you ;-)
>
> Rowland
>

It's not about what Alexey Nikitin, Rowland Penny or Microsoft wants to call things, it's about making sure that people don't get confused when they discuss these topics off this list.
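Added example (not code from this thread or from the Samba project): a small Python script that parses a SID string into its identifier authority, domain part and RID, as discussed in the SID/RID exchange earlier in the thread, and reproduces the idmap_rid arithmetic from 'man idmap_rid' that Rowland's 'backend = rid' snippet and Alexey's "subtract the range base" remark both rely on. The domain SID, the two ID ranges and the out-of-range values are constructed sample data; the real domain SID would come from 'wbinfo --domain-info DOMAIN' on a domain member.

```python
"""Added example: SID parsing plus the idmap_rid mapping UID/GID = low_id + (RID - base_rid).
Not Samba code; the domain SID and ranges below are constructed sample values."""

import re
from dataclasses import dataclass
from typing import Tuple

# Textual form: S-<revision>-<identifier authority>[-<sub-authority>...]
_SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)*)$")


@dataclass(frozen=True)
class SID:
    revision: int
    authority: int
    sub_authorities: Tuple[int, ...]

    @classmethod
    def parse(cls, text: str) -> "SID":
        m = _SID_RE.match(text)
        if m is None:
            raise ValueError(f"not a SID string: {text!r}")
        revision, authority = int(m.group(1)), int(m.group(2))
        subs = tuple(int(s) for s in m.group(3).split("-")[1:])
        # Only revision 1 exists; sub-authorities are 32-bit and at most 15 fit in a SID.
        if revision != 1 or len(subs) > 15 or any(s > 0xFFFFFFFF for s in subs):
            raise ValueError(f"malformed SID: {text!r}")
        return cls(revision, authority, subs)

    def __str__(self) -> str:
        tail = "".join(f"-{s}" for s in self.sub_authorities)
        return f"S-{self.revision}-{self.authority}{tail}"

    def split_rid(self) -> Tuple["SID", int]:
        """(domain part, RID): the RID is the last sub-authority, the domain part is
        everything before it, e.g. S-1-5-32-548 -> (S-1-5-32, 548)."""
        if len(self.sub_authorities) < 2:
            raise ValueError(f"{self} has no RID component")
        return SID(self.revision, self.authority, self.sub_authorities[:-1]), self.sub_authorities[-1]

    def with_rid(self, rid: int) -> "SID":
        return SID(self.revision, self.authority, self.sub_authorities + (rid,))


class RidIdmap:
    """Mirrors winbind's idmap_rid arithmetic for one domain:
    id = low_id + (rid - base_rid); anything outside [low_id, high_id] is unmapped.
    low_id/high_id correspond to 'idmap config DOM : range = low-high',
    base_rid to 'idmap config DOM : base_rid' (default 0)."""

    def __init__(self, domain_sid: str, low_id: int, high_id: int, base_rid: int = 0):
        if low_id > high_id:
            raise ValueError("range low must not exceed range high")
        self.domain_sid = SID.parse(domain_sid)
        self.low_id, self.high_id, self.base_rid = low_id, high_id, base_rid

    def sid_to_id(self, sid_text: str) -> int:
        domain, rid = SID.parse(sid_text).split_rid()
        if domain != self.domain_sid:
            raise LookupError(f"{sid_text} is not in domain {self.domain_sid}")
        unix_id = self.low_id + (rid - self.base_rid)
        if not self.low_id <= unix_id <= self.high_id:
            raise LookupError(f"RID {rid} maps to {unix_id}, outside {self.low_id}-{self.high_id}")
        return unix_id

    def id_to_sid(self, unix_id: int) -> str:
        if not self.low_id <= unix_id <= self.high_id:
            raise LookupError(f"id {unix_id} is outside {self.low_id}-{self.high_id}")
        return str(self.domain_sid.with_rid(unix_id - self.low_id + self.base_rid))


# Constructed sample domain SID (assumption, not a value from the thread).
SAMPLE_DOMAIN_SID = "S-1-5-21-1234567890-2345678901-3456789012"


def demo() -> dict:
    """The two configurations discussed in the thread, applied to sample SIDs."""
    offset = RidIdmap(SAMPLE_DOMAIN_SID, 1007000000, 1007999999)  # range = 1007000000-1007999999
    raw = RidIdmap(SAMPLE_DOMAIN_SID, 0, 999999999)               # Rowland's range = 0-<big>: UID == RID
    return {
        "domain_users_gid": offset.sid_to_id(SAMPLE_DOMAIN_SID + "-513"),
        "rid_4688_uid": raw.sid_to_id(SAMPLE_DOMAIN_SID + "-4688"),
        "gid_back_to_sid": offset.id_to_sid(1007000513),
        "builtin_split": [str(part) for part in SID.parse("S-1-5-32-548").split_rid()],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the 1007000000-based range, RID 513 (Domain Users) lands on GID 1007000513 and maps back to the same SID; with a range starting at 0 the Unix ID equals the RID, which is the configuration Rowland warns leaves no room for local accounts. SIDs from another domain, such as the BUILTIN S-1-5-32-548, and IDs outside the configured range are rejected rather than silently mapped, which is the behaviour to expect from winbind as well.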
On Thu, 2019-06-13 at 17:10 +0100, Rowland penny via samba wrote:
> I do not really care what Microsoft calls them, to me a SID identifies a
> domain, a RID identifies an object in a domain and a SID-RID is a
> combination of the two and identifies an object in a particular domain.
>
> If you want to call a SID-RID a SID, be my guest, I will not stop you ;-)

Rowland, it helps our users if you use the correct terms. The correct term is *SID*, please do not make up terms, it is confusing and doesn't help.