Hi,

I'm using Samba in a domain using the ad backend.

Sometimes it happens that I create a new user and forget to set the uidNumber attribute right away. As far as Windows Server resources are concerned, that doesn't matter but as soon as I start giving this user access to resources on a Samba server, specifically on files using Windows ACL permissions, things don't work as expected until I realize that I forgot to set the uidNumber.

Typically, in such a situation, I have to set the uidNumber attribute for the user, remove all permissions for the user on Samba machines and set them again from scratch.

I wonder, is there another, maybe better way to correct such a situation?

And a follow-up question to this. Back in the day, I was under the impression that the ad backend is the "best" backend to use. After having followed several discussions on the topic on the list over the past few years, it seems to me that the ad backend may have its advantages in hybrid environments where domain users need access to Linux machines. But other than that, RID seems better suited and easier to manage in single-domain environments where users only ever log on to Windows machines but may access file shares on Samba servers. Feel free to correct me on this impression.

So, say I decided to move from the ad backend to the rid backend, which steps would be involved?

And one last point: In my opinion, the Wiki pages on the various id mapping backends are not clear enough and in certain points maybe even outdated.

As a concrete example, in the Wiki page to the ad backend it is stated that "If the Windows Active Directory Users and Computers (ADUC) program is not used, you have to manual (sic!) track ID values to avoid duplicates." With Windows 10 being the current and recommended version of Windows, this information is no longer true. You have to track the ID values manually in either case.

As a more experienced Samba user, I see the Wiki page in a different light today than 5-6 years ago. But for new users, I still feel the content on these pages could be better structured and offer more guidance. Why not give a concise summary, describing when the user should prefer this one backend over another? And when it comes to listing advantages and disadvantages, I wish that it would be made clearer that some of them really only apply if domain users are going to work on Linux domain-joined machines.

Oh, and by the way, I'm more than happy to help with some of this myself if I get edit access to the Wiki.

Vic
Hi! Viktor Trojanovic via samba wrote:

> I wonder, is there another, maybe better way to correct such a situation?

Rather simple/stupid reply to a rather complex post, but for machine accounts I've coded a little script that scans the machine accounts hourly and, if it finds a machine account without a UID, adds one.

-- 
dott. Marco Gaiarin                                GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Viktor Trojanovic via samba
> Sent: Friday 3 September 2021 9:28
> To: samba
> Subject: [Samba] ad-backend: uidNumber set too late
>
> Hi,
>
> I'm using Samba in a domain using the ad backend.
>
> Sometimes it happens that I create a new user and forget to set the uidNumber attribute right away. As far as Windows Server resources are concerned, that doesn't matter but as soon as I start giving this user access to resources on a Samba server, specifically on files using Windows ACL permissions, things don't work as expected until I realize that I forgot to set the uidNumber.

Hahaha.. I know that problem also.. A strict order when you're creating users helps.

This is a script I made to fix it all:
https://raw.githubusercontent.com/thctlo/samba4/master/samba-fix-userhome-recursive.sh

Read it, adjust it to your needs. There might be a better way, but this works for me. Do note, the script resets all users when you run it. I use it on Debian/Ubuntu.

> Typically, in such a situation, I have to set the uidNumber attribute for the user, remove all permissions for the user on Samba machines and set them again from scratch.

What I do is just delete the folder, set the UID/GIDs again, and change one thing in the homedir/profiles setting, and Windows recreates the folder. (Windows just needs to detect a change in these fields to show the Apply button.) Adding/removing a space is sufficient.

> I wonder, is there another, maybe better way to correct such a situation?

Make a script like I did, or use mine and change it to your needs.

> And a follow-up question to this. Back in the day, I was under the impression that the ad backend is the "best" backend to use.

In my opinion, yes, it still is..

> After having followed several discussions on the topic on the list over the past few years, it seems to me that the ad backend may have its advantages in hybrid environments where domain users need access to Linux machines. But other than that, RID seems better suited and easier to manage in single-domain environments where users only ever log on to Windows machines but may access file shares on Samba servers. Feel free to correct me on this impression.

How I see it, to use RID or AD: if it's just Windows you're using and no underlying links between servers, RID is sufficient, but if you do Linux stuff also or link servers (NFS etc.), AD is in my opinion better because it's just more consistent.

I don't know if this still applies but.. My one and only reason for using backend AD is... IDs are only cached locally, they are stored in the AD database on DCs. This means that if the local cache becomes corrupt the file ownerships are not lost. And I have had it once that my server broke down, resulting in me losing my ACLs..

But it's a choice. RID also improved to be more consistent with the assigned UID/GIDs; in the beginning of it, the UID/GIDs were not the same on different servers, now they are if you use the samba settings in smb.conf.

> So, say I decided to move from the ad backend to the rid backend, which steps would be involved?

I suggest you think very carefully first, or tell us more about what you're using in the network.

> And one last point: In my opinion, the Wiki pages on the various id mapping backends are not clear enough and in certain points maybe even outdated.
>
> As a concrete example, in the Wiki page to the ad backend it is stated that "If the Windows Active Directory Users and Computers (ADUC) program is not used, you have to manual (sic!) track ID values to avoid duplicates."

Agreed, yes. Rowland made the code for it but as far as I know it's not in Samba.

> With Windows 10 being the current and recommended version of Windows, this information is no longer true. You have to track the ID values manually in either case.

I have 1 Windows 7 PC to manage my AD, the only reason why I have 1 Win7. Exactly because of what you point out here: the lack of ID tracking in AD.

> As a more experienced Samba user, I see the Wiki page in a different light today than 5-6 years ago. But for new users, I still feel the content on these pages could be better structured and offer more guidance. Why not give a concise summary, describing when the user should prefer this one backend over another? And when it comes to listing advantages and disadvantages, I wish that it would be made clearer that some of them really only apply if domain users are going to work on Linux domain-joined machines.
>
> Oh, and by the way, I'm more than happy to help with some of this myself if I get edit access to the Wiki.

That's always welcome :-)

Greetz,

Louis
Good morning Marco,

Well, I say, he does have a good point. As long as I used samba3, UID/GID tracking was done by samba. So, yeah, I 100% agree with Victor. The lack of ID tracking is a big miss. But I'm sure one day we get it back. Someday..

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Marco Gaiarin via samba
> Sent: Friday 3 September 2021 9:50
> To: samba at lists.samba.org
> Subject: Re: [Samba] ad-backend: uidNumber set too late
>
> Hi! Viktor Trojanovic via samba wrote:
>
> > I wonder, is there another, maybe better way to correct such a situation?
>
> Rather simple/stupid reply to a rather complex post, but for machine accounts I've coded a little script that scans the machine accounts hourly and, if it finds a machine account without a UID, adds one.
On Fri, 2021-09-03 at 09:27 +0200, Viktor Trojanovic via samba wrote:
> Hi,
>
> I'm using Samba in a domain using the ad backend.
>
> Sometimes it happens that I create a new user and forget to set the uidNumber attribute right away. As far as Windows Server resources are concerned, that doesn't matter but as soon as I start giving this user access to resources on a Samba server, specifically on files using Windows ACL permissions, things don't work as expected until I realize that I forgot to set the uidNumber.
>
> Typically, in such a situation, I have to set the uidNumber attribute for the user, remove all permissions for the user on Samba machines and set them again from scratch.

I don't fully understand that, surely if you are using the 'ad' backend on a Unix domain member, then your user without a uidNumber attribute would be unknown and couldn't own anything.

> I wonder, is there another, maybe better way to correct such a situation?
>
> And a follow-up question to this. Back in the day, I was under the impression that the ad backend is the "best" backend to use. After having followed several discussions on the topic on the list over the past few years, it seems to me that the ad backend may have its advantages in hybrid environments where domain users need access to Linux machines. But other than that, RID seems better suited and easier to manage in single-domain environments where users only ever log on to Windows machines but may access file shares on Samba servers. Feel free to correct me on this impression.

All of the winbind backends have their advantages and disadvantages:

The 'ad' backend, along with ensuring that the IDs are the same everywhere, allows for different shells & home directory per user. However, you have to manually add the rfc2307 attributes.

The 'rid' backend allows for the same Unix IDs everywhere, provided you use the same smb.conf everywhere. You do not have to add anything to AD. You will have to use the same shell & home directory for every user.

The 'autorid' backend is similar to the 'rid' backend but allows for multiple domains and is the easiest to set up.

> So, say I decided to move from the ad backend to the rid backend, which steps would be involved?

You would have to change the smb.conf (the easy part) and then change the permissions on the data.

> And one last point: In my opinion, the Wiki pages on the various id mapping backends are not clear enough and in certain points maybe even outdated.
>
> As a concrete example, in the Wiki page to the ad backend it is stated that "If the Windows Active Directory Users and Computers (ADUC) program is not used, you have to manual (sic!) track ID values to avoid duplicates." With Windows 10 being the current and recommended version of Windows, this information is no longer true. You have to track the ID values manually in either case.

I have changed that, thanks for pointing it out :-)

> As a more experienced Samba user, I see the Wiki page in a different light today than 5-6 years ago. But for new users, I still feel the content on these pages could be better structured and offer more guidance. Why not give a concise summary, describing when the user should prefer this one backend over another? And when it comes to listing advantages and disadvantages, I wish that it would be made clearer that some of them really only apply if domain users are going to work on Linux domain-joined machines.

Quite a lot of the Samba wiki is based on Unix domain joined machines, but perhaps it could be phrased better.

> Oh, and by the way, I'm more than happy to help with some of this myself if I get edit access to the Wiki.

That is easy, just follow the process and you can edit the wiki.

Rowland
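The two steps Rowland lists for an 'ad' to 'rid' switch (change smb.conf, then change the permissions on the data) hide the real work: under 'ad' every file's numeric owner is the uidNumber from AD, while under 'rid' winbind computes the ID from the account's RID and the configured range, so the same user comes back with a different uid and nothing on disk is theirs any more. The following is an added example by the editor, not code from this thread, from Rowland, or from Samba: it computes the rid-derived IDs for a constructed set of accounts, builds the old-to-new owner table, and produces a chown plan, refusing the two inputs that make such a migration go wrong silently (a duplicated uidNumber, and a new uid that coincides with another account's old one). The domain SID, RIDs, uidNumbers, paths and the 10000-999999 range are assumptions for the example.

```python
"""Editor's added example (not Samba's or Rowland's code): what moving a Unix
domain member from the 'ad' to the 'rid' idmap backend does to on-disk IDs.

'ad'  : uid = uidNumber stored in AD.
'rid' : uid = LOW_RANGE + RID, where RID is the last component of the
        objectSid, for an smb.conf on the member such as (assumed values):

            idmap config * : backend = tdb
            idmap config * : range = 3000-7999
            idmap config SAMDOM : backend = rid
            idmap config SAMDOM : range = 10000-999999

Everything written under 'ad' still carries the old uidNumber and must be
re-owned.  All accounts, SIDs, uidNumbers and paths here are constructed.
"""
import re
from dataclasses import dataclass

RID_RANGE = (10000, 999999)                                # assumed SAMDOM range
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed


@dataclass(frozen=True)
class Account:
    name: str
    sid: str
    uid_number: int        # the rfc2307 uidNumber the 'ad' backend used


ACCOUNTS = [               # constructed sample of what the directory holds
    Account("vic",   f"{DOMAIN_SID}-1105", 10001),
    Account("louis", f"{DOMAIN_SID}-1106", 10002),
    Account("marco", f"{DOMAIN_SID}-1107", 10003),
]

_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def rid_of(sid):
    """The RID is the last sub-authority of a domain account SID."""
    m = _SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain account SID: {sid}")
    return int(m.group(1))


def rid_to_uid(sid, rid_range=RID_RANGE):
    """idmap_rid mapping: ID = LOW_RANGE + RID.  A RID that would land above
    HIGH_RANGE is simply unmapped by winbind, so refuse it here too."""
    low, high = rid_range
    uid = low + rid_of(sid)
    if uid > high:
        raise ValueError(f"RID {rid_of(sid)} does not fit in range {low}-{high}")
    return uid


def remap_table(accounts, rid_range=RID_RANGE):
    """Return {old uidNumber: new rid-derived uid}.

    Two refusals a practitioner wants before touching data:
      * a uidNumber shared by two accounts cannot be remapped unambiguously;
      * a new uid equal to some *other* account's old uidNumber would make a
        one-uid-at-a-time chown pass (find -uid N -exec chown M) re-own
        files a second time when it reaches N.
    """
    table = {}
    for acct in accounts:
        if acct.uid_number in table:
            raise ValueError(f"uidNumber {acct.uid_number} is shared by two accounts")
        table[acct.uid_number] = rid_to_uid(acct.sid, rid_range)
    clash = {new for old, new in table.items() if new != old and new in table}
    if clash:
        raise ValueError(f"new uids {sorted(clash)} collide with other accounts' old uidNumbers")
    return table


def chown_plan(table, files):
    """files: iterable of (path, current_uid).  Returns [(path, new_uid)] for
    files owned by a remapped domain uid; local users (root, etc.) and files
    already carrying their rid-derived uid are left alone."""
    return [(path, table[uid]) for path, uid in files
            if uid in table and table[uid] != uid]


if __name__ == "__main__":
    table = remap_table(ACCOUNTS)
    sample_files = [                        # constructed stand-in for a walk of the share
        ("/srv/share/vic/notes.txt", 10001),
        ("/srv/share/team", 10002),
        ("/srv/share/root-owned", 0),
    ]
    for path, new_uid in chown_plan(table, sample_files):
        print(f"chown {new_uid} '{path}'")
```

The same arithmetic applies to groups (gidNumber to rid-derived gid), and the plan is only for the POSIX owner: a Samba share that stores Windows ACLs through vfs_acl_xattr keeps the SIDs in the xattr but validates them against the POSIX ACL, which is why the permissions still need checking, as Rowland says, after the owners are changed.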
I wrote ADMan to automatically assign uidNumber and create home directories on the NAS: https://gitlab.com/JonathonReinhart/adman

On Fri, Sep 3, 2021, 03:29 Viktor Trojanovic via samba <samba at lists.samba.org> wrote:
> Hi,
>
> I'm using Samba in a domain using the ad backend.
>
> Sometimes it happens that I create a new user and forget to set the uidNumber attribute right away. As far as Windows Server resources are concerned, that doesn't matter but as soon as I start giving this user access to resources on a Samba server, specifically on files using Windows ACL permissions, things don't work as expected until I realize that I forgot to set the uidNumber.
>
> Typically, in such a situation, I have to set the uidNumber attribute for the user, remove all permissions for the user on Samba machines and set them again from scratch.
>
> I wonder, is there another, maybe better way to correct such a situation?
>
> And a follow-up question to this. Back in the day, I was under the impression that the ad backend is the "best" backend to use. After having followed several discussions on the topic on the list over the past few years, it seems to me that the ad backend may have its advantages in hybrid environments where domain users need access to Linux machines. But other than that, RID seems better suited and easier to manage in single-domain environments where users only ever log on to Windows machines but may access file shares on Samba servers. Feel free to correct me on this impression.
>
> So, say I decided to move from the ad backend to the rid backend, which steps would be involved?
>
> And one last point: In my opinion, the Wiki pages on the various id mapping backends are not clear enough and in certain points maybe even outdated.
>
> As a concrete example, in the Wiki page to the ad backend it is stated that "If the Windows Active Directory Users and Computers (ADUC) program is not used, you have to manual (sic!) track ID values to avoid duplicates." With Windows 10 being the current and recommended version of Windows, this information is no longer true. You have to track the ID values manually in either case.
>
> As a more experienced Samba user, I see the Wiki page in a different light today than 5-6 years ago. But for new users, I still feel the content on these pages could be better structured and offer more guidance. Why not give a concise summary, describing when the user should prefer this one backend over another? And when it comes to listing advantages and disadvantages, I wish that it would be made clearer that some of them really only apply if domain users are going to work on Linux domain-joined machines.
>
> Oh, and by the way, I'm more than happy to help with some of this myself if I get edit access to the Wiki.
>
> Vic
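Three replies in this thread point at tools that assign missing uidNumbers: Marco's hourly scan of machine accounts, Louis's samba-fix-userhome-recursive.sh and Jonathon's ADMan. The block below is an added example by the editor and is none of those: it isolates the allocation step such a tool has to get right. It parses the LDIF that ldbsearch prints on a DC, finds users and computers with no uidNumber, gives each the next value above the highest one already in use, and emits an LDIF changeset for ldbmodify. It refuses to allocate while duplicates already exist (AD does not enforce uidNumber uniqueness, which is the manual tracking Vic and Louis complain about), never reuses a gap below the high-water mark (an ID freed by a deleted account could still own files), and uses `add:` rather than `replace:` so a concurrent edit makes the modify fail instead of being overwritten. The sam.ldb path, the 10000-19999 range, the ldbsearch/ldbmodify invocations and the sample output are assumptions; the sample LDIF is constructed.

```python
"""Editor's added example (not Marco's script, Louis's
samba-fix-userhome-recursive.sh or Jonathon's ADMan): allocate uidNumber
for accounts that were created without one.

Without --apply it runs on the constructed SAMPLE_LDIF and prints the
changeset; with --apply it queries and modifies sam.ldb on a Samba DC
(tool paths and the range are assumptions, not from the thread).
"""
import base64
import subprocess
import sys

SAM_DB = "/var/lib/samba/private/sam.ldb"    # assumed path on a Samba DC
UID_RANGE = (10000, 19999)                   # assumed site policy
# objectClass=user also matches computer objects, so machine accounts are covered.
SEARCH_CMD = ["ldbsearch", "-H", SAM_DB, "(objectClass=user)", "uidNumber"]

SAMPLE_LDIF = """\
# record 1
dn: CN=vic,CN=Users,DC=samdom,DC=example,DC=com
uidNumber: 10001

# record 2
dn: CN=louis,CN=Users,DC=samdom,DC=example,DC=com
uidNumber: 10005

# record 3
dn: CN=newuser,CN=Users,DC=samdom,DC=example,DC=com

# record 4
dn: CN=PC01,CN=Computers,DC=samdom,DC=example,DC=com

# returned 4 records
"""


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines, skips '#' comments,
    decodes base64 values ('attr:: ...') and returns one dict per record."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    records, cur = [], {}
    for line in unfolded + [""]:
        if line.startswith("#"):
            continue
        if not line.strip():
            if cur:
                records.append(cur)
                cur = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        cur.setdefault(attr, []).append(value)
    return records


def plan_assignments(records, uid_range=UID_RANGE):
    """Return {dn: new uidNumber} for records lacking one.

    Stops on duplicates already present (AD does not enforce uniqueness), and
    allocates above the current maximum so IDs freed by deleted accounts are
    not recycled while files may still carry them."""
    low, high = uid_range
    used, missing = {}, []
    for rec in records:
        dn = rec["dn"][0]
        if rec.get("uidNumber"):
            used.setdefault(int(rec["uidNumber"][0]), []).append(dn)
        else:
            missing.append(dn)
    dups = {u: dns for u, dns in used.items() if len(dns) > 1}
    if dups:
        raise ValueError(f"duplicate uidNumber values already in AD: {dups}")
    nxt = max((u for u in used if low <= u <= high), default=low - 1) + 1
    plan = {}
    for dn in sorted(missing):
        while nxt in used:
            nxt += 1
        if nxt > high:
            raise ValueError(f"uidNumber range {low}-{high} exhausted")
        plan[dn] = nxt
        used[nxt] = [dn]
        nxt += 1
    return plan


def to_ldif(plan):
    """'add:' rather than 'replace:' so ldbmodify fails on an account that
    gained a uidNumber between our search and our write."""
    return "\n".join(
        f"dn: {dn}\nchangetype: modify\nadd: uidNumber\nuidNumber: {uid}\n-\n"
        for dn, uid in plan.items())


def main(argv):
    live = "--apply" in argv
    text = (subprocess.run(SEARCH_CMD, check=True, capture_output=True, text=True).stdout
            if live else SAMPLE_LDIF)
    ldif = to_ldif(plan_assignments(parse_ldif(text)))
    if live and ldif:
        subprocess.run(["ldbmodify", "-H", SAM_DB], input=ldif, text=True, check=True)
    else:
        print(ldif, end="")


if __name__ == "__main__":
    main(sys.argv[1:])
```

The search and the write are two separate steps, so two copies of this running against different DCs at the same time can still hand the same number to two accounts; run it from one place (a cron job on a single DC, as Marco does hourly) rather than on every DC. gidNumber for groups is the same procedure with a different attribute and filter.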