samba - Jan 2022 - UID translation mystery or Festivus miracle?

On Tue, 2022-01-04 at 10:05 -0600, Patrick Goetz via samba
wrote:
> 
> About this, though:
> 
>  > The magic of 'id_type_both', Samba creates a usergroup if one
does
> not
>  > exist.
> 
> I thought of this and used ADUC to look for a pgoetz group in the 
> domain, but found none. Is this a persistent group, and if so,
> how/where 
> is it stored that it can't be found by ADUC?
Sorry, I didn't tell you enough, you only get the usergroups on a Unix
domain member with the 'rid' backend (you may get them with the
'autorid' backend, but I haven't tested it). If you look in
idmap.ldb
on a DC, you will find 'ID_TYPE_BOTH', but it isn't shown by getent,
the same goes for the 'ad' backend on a Unix domain member. On a Unix
domain member using the 'rid' backend, you will get something like
this:

adminuser at deb11:~$ id rowland
uid=11107(rowland) gid=10513(domain_users)
groups=10513(domain_users),11107(rowland).................

And

adminuser at deb11:~$ getent group rowland
rowland:x:11107:rowland

I can assure you that there isn't a group called 'rowland' anywhere,
it
is all done in code.

Rowland

On 1/4/22 10:28, Rowland Penny via samba wrote:
> On Tue, 2022-01-04 at 10:05 -0600, Patrick Goetz via samba wrote:
>>
>> About this, though:
>>
>>   > The magic of 'id_type_both', Samba creates a usergroup
if one does
>> not
>>   > exist.
>>
>> I thought of this and used ADUC to look for a pgoetz group in the
>> domain, but found none. Is this a persistent group, and if so,
>> how/where
>> is it stored that it can't be found by ADUC?
> 
> Sorry, I didn't tell you enough, you only get the usergroups on a Unix
> domain member with the 'rid' backend (you may get them with the
> 'autorid' backend, but I haven't tested it). If you look in
idmap.ldb
> on a DC, you will find 'ID_TYPE_BOTH', but it isn't shown by
getent,
> the same goes for the 'ad' backend on a Unix domain member. On a
Unix
> domain member using the 'rid' backend, you will get something like
> this:
> 
> adminuser at deb11:~$ id rowland
> uid=11107(rowland) gid=10513(domain_users)
> groups=10513(domain_users),11107(rowland).................
> 
> And
> 
> adminuser at deb11:~$ getent group rowland
> rowland:x:11107:rowland
> 
> I can assure you that there isn't a group called 'rowland'
anywhere, it
> is all done in code.
> 
This then begs 2 questions:

  - What then is actually stored in the file inode's GID field?
    (say, when the underlying filesystem is ext4)

  - What is the purpose of doing this?

Also, are you sure the GID isn't physically stored, Rowland?

pgoetz at data2:~/old-data-server$ id pgoetz
uid=11103(pgoetz) gid=11112(ea-staff) 
groups=11112(ea-staff),11103(pgoetz),11113(ea-admins),10513(domain 
users),3001(BUILTIN\users)

pgoetz at data2:~/old-data-server$ stat 6_Title-IV.xml
   File: 6_Title-IV.xml
   Size: 128853    	Blocks: 256        IO Block: 4096   regular file
Device: 811h/2065d	Inode: 386924595   Links: 1
Access: (0764/-rwxrw-r--)  Uid: (11103/  pgoetz)   Gid: (11103/  pgoetz)
Access: 2021-09-04 22:06:03.868629689 -0500
Modify: 2009-12-18 11:07:57.000000000 -0600
Change: 2022-01-05 06:44:18.265214032 -0600
  Birth: -

Is the stat command being fooled too?  I'm very curious about how this 
works.

> Rowland
> 
> 
>