On 10/29/20 at 1:07 PM, Rowland penny via samba wrote:
> On 29/10/2020 11:56, Andrew Walker wrote:
>> Several of the idmap backends (including idmap_rid) in samba support
>> id_type_both (the ID is both a user and a group). This is ultimately
>> needed for accurately producing Windows-style behavior regarding
>> permissions (where a group can be the owner of a file). Without
>> knowing the details of the ACL module, the best path forward would be
>> for you to figure out how to maintain windows-like behavior.
>
> The only place that I have found id_type_both to be used, is in
> idmap.ldb on a Samba AD DC.

it's also supported by a bunch of idmap modules including rid and autorid, but not ad ...

> Windows behaviour is for a group to be able
> to own files.

...for exactly the same reason (plus others like supporting SID history).

-slow

-- 
Ralph Boehme, Samba Team https://samba.org/
Samba Developer, SerNet GmbH https://sernet.de/en/samba/
GPG-Fingerprint FAE2C6088A24252051C559E4AA1E9B7126399E46
On 29/10/2020 13:32, Ralph Boehme wrote:
> On 10/29/20 at 1:07 PM, Rowland penny via samba wrote:
>> On 29/10/2020 11:56, Andrew Walker wrote:
>>> Several of the idmap backends (including idmap_rid) in samba support
>>> id_type_both (the ID is both a user and a group). This is ultimately
>>> needed for accurately producing Windows-style behavior regarding
>>> permissions (where a group can be the owner of a file). Without
>>> knowing the details of the ACL module, the best path forward would be
>>> for you to figure out how to maintain windows-like behavior.
>> The only place that I have found id_type_both to be used, is in
>> idmap.ldb on a Samba AD DC.
> it's also supported by a bunch of idmap modules including rid and
> autorid, but not ad ...
>
>> Windows behaviour is for a group to be able
>> to own files.
> ...for exactly the same reason (plus others like supporting SID history).
>
> -slow
>

Then it seems to be working in the wrong direction. It is turning a user into a group, and a user can already 'own' things, both on Unix and Windows.

If you use the winbind 'ad' backend, you get the choice of using a different group from the default Domain Users; what you do not get is a group with the same name as a user. From my point of view, there is absolutely no reason to use id_type_both on anything except a Samba AD DC, and it would seem that 'rid' and 'autorid' force this on you, whether you want it or not. This in my opinion needs a different approach; no Unix user needs a usergroup in AD.

Rowland
On 10/29/20 at 3:05 PM, Rowland penny via samba wrote:
> On 10/29/20 at 1:07 PM, Ralph Boehme via samba wrote:
>> On 29/10/2020 11:56, Andrew Walker wrote:
>>> Windows behaviour is for a group to be able to own files.
>> ...for exactly the same reason (plus others like supporting SID
>> history).
>
> Then it seems to be working in the wrong direction. It is turning a
> user into a group and a user can already 'own' things, both on Unix
> and Windows.

yes, for good reason. Because the primary SID of a user can turn into an additional SID in the NT token as the result of domain migration. So in order to have existing ACEs work with SID history, every user's primary SID is mapped to both a uid and a gid, both are then added to the UNIX token, and when creating ACEs, the ACE will always be a group ACE.

> If you use the winbind 'ad' backend, you get the choice of using a
> different group from the default Domain Users, what you do not get
> is a group with the same name as a user. From my point of view, there
> is absolutely no reason to use id_type_both on anything except a
> Samba AD DC and it would seem that 'rid' and 'autorid' force this on
> you, whether you want it or not.

Certain semantics needed to behave like a Windows server can only be implemented when using an idmapping module that supports id-type both.

-slow

-- 
Ralph Boehme, Samba Team https://samba.org/
Samba Developer, SerNet GmbH https://sernet.de/en/samba/
GPG-Fingerprint FAE2C6088A24252051C559E4AA1E9B7126399E46
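A simplified model of the mechanism Ralph describes above, added here as an illustration (not Samba's code; the domain SIDs, idmap ranges and RIDs are constructed): a SID mapped as ID_TYPE_BOTH feeds both the uid and the gid set of the UNIX token, so an ACE written as a group entry for a user's old primary SID still matches once that SID is present only via sidHistory.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed per-domain ranges, in the spirit of "idmap config DOM : range = 10000-19999"
# (one rid range per domain: the old domain and the one migrated into).
RANGES: Dict[str, int] = {
    "S-1-5-21-1111-2222-3333": 10000,  # old domain (constructed SID)
    "S-1-5-21-4444-5555-6666": 20000,  # new domain (constructed SID)
}

def rid_to_id(sid: str) -> int:
    """idmap_rid-style mapping: ID = RID - BASE_RID + LOW_RANGE_ID, with BASE_RID = 0.
    The backend reports ID_TYPE_BOTH, so the same number serves as uid and gid."""
    domain, rid = sid.rsplit("-", 1)
    return int(rid) + RANGES[domain]

@dataclass
class UnixToken:
    uid: int
    gids: Set[int]

def build_token(primary_sid: str, nt_token_sids: List[str]) -> UnixToken:
    """The primary SID gives the uid; every SID in the NT token (primary, groups
    and sidHistory entries) is also added as a gid because each maps as 'both'."""
    return UnixToken(uid=rid_to_id(primary_sid),
                     gids={rid_to_id(s) for s in nt_token_sids})

def ace_matches(ace_gid: int, token: UnixToken) -> bool:
    """ACEs created from a SID are stored as group entries, so access is decided
    against the token's gids (simplified model: no deny or inheritance handling)."""
    return ace_gid in token.gids

def migration_scenario() -> Tuple[UnixToken, bool, bool]:
    old_user = "S-1-5-21-1111-2222-3333-1105"   # primary SID before migration
    new_user = "S-1-5-21-4444-5555-6666-2001"   # primary SID after migration
    new_domain_users = "S-1-5-21-4444-5555-6666-513"
    # ACE written on a file while the user still lived in the old domain.
    ace_gid = rid_to_id(old_user)
    # After migration the old SID survives only in sidHistory, i.e. as an
    # additional SID in the NT token.
    with_history = build_token(new_user, [new_user, new_domain_users, old_user])
    without_history = build_token(new_user, [new_user, new_domain_users])
    return (with_history,
            ace_matches(ace_gid, with_history),
            ace_matches(ace_gid, without_history))

if __name__ == "__main__":
    token, still_ok, lost = migration_scenario()
    print(token, "old ACE matches with sidHistory:", still_ok, "without:", lost)
```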