tizo
2021-Oct-28 16:25 UTC
[Samba] Security token SIDs does not contain the right SID for users in username map
> This all depends, is there an AD DC anywhere in your setup ? Or are you
> just getting authentication from freeipa ?
>
> As far as I am aware, freeipa only does authentication, which is okay,
> because Samba also only wants you to use a Samba AD DC for
> authentication. However freeipa is never likely to give you what an AD
> DC will.
>
> If you use the winbind 'rid' or 'autorid' backends, the Unix ID will be
> calculated from the RID taken from the SID (does freeipa have SIDs ?)
> and if you use the same 'global' part of the smb.conf on all Samba
> machines, then you will always get the same IDs without adding
> anything to AD.
>
> If you use the 'ad' backend, then you need to add RFC2307 attributes to
> AD and these will be used on all Samba machines.
>
> NOTE: AD above could be freeipa.
>
> At the moment you are using the 'tdb' backend and this is an allocating
> backend, that is, when a user or group contacts the Samba server, it
> gets allocated the next available ID, this means you will get different
> IDs on different machines and even worse, if the Samba database on the
> machine gets corrupted, the users and groups are likely to get
> different IDs.
>
> I do not use freeipa, so know little about it, so a bit of
> investigation may be worth doing. As far as I am aware, freeipa is
> really ldap on steroids, just not as far as Samba AD.
>
> Rowland

In our scenario there is an AD DC (Windows Server 2012 R2), and an independent FreeIPA. The first is used for Windows computer users, and the second for Ubuntu computer users. Users exist on both systems, and should be mapped in the file server (Samba). We don't have (we will, but not yet) a Samba AD at this time, and it is not our intention to have one right now. As for the above, and your information, we should use the 'ad' idmap backend and not use "username map".

On another note, we know how 'tdb' works, and we know that static mappings can be done too (aside from the automatic allocation), with "net idmap restore" for example. In fact, in our actual solution (with Samba 3.6.23), we are using it with the static mappings, and all is working right. Because of that, at first we thought of using the same method and mapping (the transition should be much easier). So our question is: why is it not working with the actual version? More precisely, why is the AD SID of a user that is in the username map not in his security token SIDs? (The problem does not exist if the username is the same on both systems, so he doesn't have a line in the username map.)
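The difference between a calculating backend ('rid') and an allocating backend ('tdb') that Rowland describes above is easy to see in a small model. The following is an added example, not code from the thread or from the Samba project: it applies the idmap_rid rule documented in the idmap_rid manpage (ID = RID - BASE_RID + LOW_RANGE_ID) to constructed sample SIDs, and models 'tdb' as a simple next-free-ID allocator. The domain SID, RIDs, and the 10000-19999 range are constructed values, and the TdbAllocator class is a simplification of what winbind really does.

```python
import re

# Added example, not from the Samba list thread. Domain SID, RIDs and
# the idmap range below are constructed sample values.

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def parse_sid(sid: str):
    """Split 'S-1-5-21-A-B-C-RID' into (domain_sid, rid)."""
    if not SID_RE.match(sid):
        raise ValueError(f"malformed SID: {sid}")
    parts = sid.split("-")
    return "-".join(parts[:-1]), int(parts[-1])


def rid_to_unix_id(sid: str, domain_sid: str, low: int, high: int, base_rid: int = 0) -> int:
    """idmap_rid rule from the Samba manpage: ID = RID - BASE_RID + LOW_RANGE_ID.

    The result depends only on the SID and the configured range, so every
    server with the same 'idmap config DOMAIN : range' computes the same ID.
    """
    dom, rid = parse_sid(sid)
    if dom != domain_sid:
        raise ValueError(f"{sid} is not from domain {domain_sid}")
    unix_id = rid - base_rid + low
    if not low <= unix_id <= high:
        raise ValueError(f"computed ID {unix_id} is outside range {low}-{high}")
    return unix_id


class TdbAllocator:
    """Simplified model of an allocating backend: each SID gets the next free
    ID the first time it is seen, so the mapping depends on contact order."""

    def __init__(self, low: int, high: int):
        self.low, self.high = low, high
        self.next_id = low
        self.table = {}

    def lookup(self, sid: str) -> int:
        if sid not in self.table:
            if self.next_id > self.high:
                raise RuntimeError("idmap range exhausted")
            self.table[sid] = self.next_id
            self.next_id += 1
        return self.table[sid]


# Constructed domain and users; DOMAIN_SID is not a real domain.
DOMAIN_SID = "S-1-5-21-1111-2222-3333"
ALICE = DOMAIN_SID + "-1105"
BOB = DOMAIN_SID + "-1106"
LOW, HIGH = 10000, 19999


def compare_backends():
    """Map the same two users on two file servers with identical smb.conf
    ranges. Server A sees alice first; server B sees bob first."""
    rid_a = {s: rid_to_unix_id(s, DOMAIN_SID, LOW, HIGH) for s in (ALICE, BOB)}
    rid_b = {s: rid_to_unix_id(s, DOMAIN_SID, LOW, HIGH) for s in (BOB, ALICE)}

    tdb_a, tdb_b = TdbAllocator(LOW, HIGH), TdbAllocator(LOW, HIGH)
    tdb_ids_a = {s: tdb_a.lookup(s) for s in (ALICE, BOB)}
    tdb_ids_b = {s: tdb_b.lookup(s) for s in (BOB, ALICE)}
    return rid_a, rid_b, tdb_ids_a, tdb_ids_b


if __name__ == "__main__":
    rid_a, rid_b, tdb_a, tdb_b = compare_backends()
    print("rid backend, server A:", rid_a)
    print("rid backend, server B:", rid_b, "(identical)")
    print("tdb backend, server A:", tdb_a)
    print("tdb backend, server B:", tdb_b, "(order-dependent)")
```

Running it shows the 'rid' mapping agreeing on both servers (alice is always 11105, bob 11106) while the allocating model hands alice 10000 on one server and 10001 on the other; a foreign SID or an ID outside the configured range raises instead of silently mapping, which is the behaviour a practitioner wants from a calculating backend.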
Rowland Penny
2021-Oct-28 16:55 UTC
[Samba] Security token SIDs does not contain the right SID for users in username map
On Thu, 2021-10-28 at 13:25 -0300, tizo wrote:
> In our scenario there is an AD DC (Windows Server 2012 R2), and an
> independent FreeIPA. The first is used for Windows computer users,
> and the second for Ubuntu computer users.

Why? You could have used the AD for everything, you do not really need freeipa.

> Users exist on both systems, and should be mapped in the file server
> (Samba).

If you only had one authentication server, you wouldn't need to map anything.

> We don't have (we will, but not yet) a Samba AD at this time, and it
> is not our intention to have one right now.

Fair enough.

> As for the above, and your information, we should use the 'ad' idmap
> backend and not use "username map".

From the sound of it, yes, it is probably the only way to get the same IDs everywhere.

> In other order, we know how 'tdb' works, and we know that static
> mappings can be done too (aside from the automatic allocation), with
> "net idmap restore" for example. In fact, in our actual solution
> (with Samba 3.6.23),

For a start, if you are still using 3.6.23, then you shouldn't, it is dead and littered with numerous serious bugs. Having said that, you should have been using one of the winbind backends other than tdb. Yes, you can use 'net idmap restore', but the '*' domain is only really meant for the Well Known SIDs and anything outside the 'DOMAIN' domain, and it doesn't really matter if they get different IDs.

> we are using it with the static mappings, and all is working right.
> As for that, at first we thought of using the same method and mapping
> (the transition should be much easier). So our question is, why is it
> not working with the actual version. More precisely, why the AD SID
> of a user that is in the username map is not in his security token
> SIDs (the problem does not exist if the username is the same on both
> systems, so he doesn't have a line in the username map).

It is quite possible that the AD has one SID and the freeipa has a different one. The usernames may be the same, but they are different users to AD and freeipa. If you had just used one authentication server, you would not be having your problems now.

Rowland