On Thu, Oct 29, 2020 at 7:21 AM Rowland penny via samba <samba at lists.samba.org> wrote:

> On 29/10/2020 11:04, Andrea Cucciarre' via samba wrote:
> > Hello,
> >
> > I have just realized that winbind rid idmapping creates the following
> > idmapping for a user, below an example:
> >
> > # id HYPERFILE\\simone
> > *uid=11663*(HYPERFILE\simone) gid=10513(HYPERFILE\domain users)
> > groups=10513(HYPERFILE\domain users),*11663*(HYPERFILE\simone),3011(BUILTIN\users)
> >
> > I'm confused about the group mapping 11663(HYPERFILE\simone): winbind
> > created a mapping for a group that has the same name and id as the user,
> > although such a group doesn't exist in my AD domain.
> > This is causing an issue in the ACL module that we are developing.
> > Does anybody know why winbind behaves that way?
>
> No.
>
> I didn't think it could, the winbind 'rid' calculates the ID from the
> user or group RID and user & group names are unique. This means that you
> cannot have a user with the same name as a group, so you can only have
> one RID.
>
> The only thing that I know that can 'create' usergroups is sssd, so are
> you using this as well?
>
> I think more info is required here, what OS? What version of Samba?
> Please post your smb.conf
>
> Rowland

Several of the idmap backends (including idmap_rid) in samba support
id_type_both (the ID is both a user and a group). This is ultimately
needed for accurately producing Windows-style behavior regarding
permissions (where a group can be the owner of a file). Without knowing
the details of the ACL module, the best path forward would be for you to
figure out how to maintain windows-like behavior.
On 29/10/2020 11:56, Andrew Walker wrote:
>
>
> Several of the idmap backends (including idmap_rid) in samba support
> id_type_both (the ID is both a user and a group). This is ultimately
> needed for accurately producing Windows-style behavior regarding
> permissions (where a group can be the owner of a file). Without
> knowing the details of the ACL module, the best path forward would be
> for you to figure out how to maintain windows-like behavior.

The only place that I have found id_type_both to be used, is in idmap.ldb
on a Samba AD DC. Windows behaviour is for a group to be able to own files.
Unix has no such concept, but it is possible for a user & a group to have
the same name, this is not possible on Windows.

We need more info to diagnose this problem.

Rowland
Hello,

My system is merely a Samba AD member (not a Samba DC). The system is a CentOS:

# cat /etc/centos-release
CentOS Linux release 8.2.2004 (Core)

and we are running the following Samba version:

# smbd --version
Version 4.11.2

There's no sssd running, we use only winbindd for id mapping, below my smb.conf:

[global]
    security = ads
    realm = HYPERFILE.LOCAL
    workgroup = HYPERFILE
    netbios name = HF-1
    log file = /hyperfile/gluster-cache/logs/winbindd/1/log.%I
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config HYPERFILE : backend = rid
    idmap config HYPERFILE : range = 10000-999999
    log level = 5
    max log size = 10000
    winbind refresh tickets = Yes
    winbind offline logon = true
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes
    dedicated keytab file = /hyperfile/winbindd/1/keytabs/krb5.keytab
    kerberos method = secrets and keytab
    winbind enum groups = yes
    winbind enum users = yes
    client signing = yes
    client use spnego = yes
    template shell = /bin/bash
    template homedir = /home/%U

Thanks
Andrea

On 10/29/2020 1:07 PM, Rowland penny via samba wrote:
> On 29/10/2020 11:56, Andrew Walker wrote:
>>
>>
>> Several of the idmap backends (including idmap_rid) in samba support
>> id_type_both (the ID is both a user and a group). This is ultimately
>> needed for accurately producing Windows-style behavior regarding
>> permissions (where a group can be the owner of a file). Without
>> knowing the details of the ACL module, the best path forward would be
>> for you to figure out how to maintain windows-like behavior.
>
> The only place that I have found id_type_both to be used, is in
> idmap.ldb on a Samba AD DC. Windows behaviour is for a group to be
> able to own files. Unix has no such concept, but it is possible for a
> user & a group to have the same name, this is not possible on Windows.
>
> We need more info to diagnose this problem.
>
> Rowland
On Thu, Oct 29, 2020 at 8:07 AM Rowland penny via samba <samba at lists.samba.org> wrote:

> On 29/10/2020 11:56, Andrew Walker wrote:
> >
> >
> > Several of the idmap backends (including idmap_rid) in samba support
> > id_type_both (the ID is both a user and a group). This is ultimately
> > needed for accurately producing Windows-style behavior regarding
> > permissions (where a group can be the owner of a file). Without
> > knowing the details of the ACL module, the best path forward would be
> > for you to figure out how to maintain windows-like behavior.
>
> The only place that I have found id_type_both to be used, is in
> idmap.ldb on a Samba AD DC.

RID also does this. You can see in the sid<->id mapping functions in
source3/winbindd/idmap_rid.c.

Andrea, you can look at the common nfsv4 code (source3/modules/nfs4_acls.c)
to see how ID_TYPE_BOTH is dealt with there (for instance
nfs4_acl_add_sec_ace()). Can you perhaps give more details about your ACL
modules (or a link to the source)?
On 10/29/20 at 1:07 PM Rowland penny via samba wrote:
> On 29/10/2020 11:56, Andrew Walker wrote:
>> Several of the idmap backends (including idmap_rid) in samba support
>> id_type_both (the ID is both a user and a group). This is ultimately
>> needed for accurately producing Windows-style behavior regarding
>> permissions (where a group can be the owner of a file). Without
>> knowing the details of the ACL module, the best path forward would be
>> for you to figure out how to maintain windows-like behavior.
>
> The only place that I have found id_type_both to be used, is in
> idmap.ldb on a Samba AD DC.

it's also supported by a bunch of idmap modules including rid and autorid,
but not ad ...

> Windows behaviour is for a group to be able
> to own files.

...for exactly the same reason (plus others like supporting SID history).

-slow

-- 
Ralph Boehme, Samba Team                https://samba.org/
Samba Developer, SerNet GmbH            https://sernet.de/en/samba/
GPG-Fingerprint FAE2C6088A24252051C559E4AA1E9B7126399E46
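The behaviour Andrew and Ralph describe, as an added example that is not part of the thread and not Samba's own code: a small Python model of idmap_rid's arithmetic (id = range low + RID - base_rid, as documented for idmap_rid) returning ID_TYPE_BOTH, applied to the `id HYPERFILE\simone` output from Andrea's first mail. The domain SID is a constructed placeholder; the range 10000-999999 and the ids 11663/10513/3011 are taken from the thread.

```python
# Added example, not code from the thread or from Samba. Models idmap_rid's
# SID <-> ID arithmetic with ID_TYPE_BOTH: every number the backend hands out
# is valid both as a uid and as a gid, which is why `id` lists 11663 twice.
DOMAIN_SID = "S-1-5-21-111-222-333"  # constructed placeholder, not HYPERFILE's real SID
DOMAIN_USERS_RID = 513               # well-known RID of "Domain Users"


class RidIdmap:
    """Mirror of 'idmap config HYPERFILE : backend = rid' with a given range."""

    def __init__(self, low, high, base_rid=0):
        self.low, self.high, self.base_rid = low, high, base_rid

    def sid_to_id(self, sid):
        """Return (id, 'both') for a SID of this domain, or None if unmapped."""
        prefix = DOMAIN_SID + "-"
        if not sid.startswith(prefix):
            return None                      # foreign SID (e.g. BUILTIN): '*' backend
        rid = int(sid[len(prefix):])
        xid = self.low + rid - self.base_rid
        if not self.low <= xid <= self.high:
            return None                      # outside the configured range
        return xid, "both"                   # rid never answers 'user' or 'group' only

    def id_to_sid(self, xid):
        """Reverse mapping; identical for a uid and a gid of the same value."""
        if not self.low <= xid <= self.high:
            return None
        return f"{DOMAIN_SID}-{xid - self.low + self.base_rid}"


def shadow_groups(idmap, uid, gids):
    """From the uid and group list printed by `id`, return the gids that are
    just the user's own RID seen as a group (the ID_TYPE_BOTH entry Andrea saw)."""
    user_sid = idmap.id_to_sid(uid)
    return [g for g in gids if user_sid is not None and idmap.id_to_sid(g) == user_sid]


if __name__ == "__main__":
    hyperfile = RidIdmap(low=10000, high=999999)
    # constructed from the thread's 'id HYPERFILE\simone' output
    uid, gids = 11663, [10513, 11663, 3011]
    print("simone's RID:", hyperfile.id_to_sid(uid).rsplit("-", 1)[1])
    print("Domain Users gid:", hyperfile.sid_to_id(f"{DOMAIN_SID}-{DOMAIN_USERS_RID}"))
    print("ID_TYPE_BOTH shadow of the user:", shadow_groups(hyperfile, uid, gids))
    print("gid 3011 inside the rid range?", hyperfile.id_to_sid(3011))
```

The 10513 gid for "Domain Users" falls out of the same formula (10000 + 513), while 3011 (BUILTIN\users) is outside the rid range and comes from the default tdb backend's 3000-7999 allocation.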