akanator111-smba at yahoo.com
2022-Jun-08 14:05 UTC
[Samba] Samba AD-DC using existing user IDs for new machine accounts - idmap.ldb xidNumber
I have an existing NFS share with data from many Linux-only user accounts. Those accounts were all in the 500-1000 user ID range. Now I've tried setting up Samba as an AD-DC and mapping the new users created there to their old user IDs so they have access to their files.

To map those user IDs, I first create a new user on the AD-DC and then edit the idmap.ldb via:

ldbedit -H /var/lib/samba/private/idmap.ldb objectsid=S-1-5-21-19...

... and set the xidNumber to their previous Linux user ID. This works fine so far. Files are now owned by the Samba AD user.

Now the problem comes when I'm adding more machines to my AD domain. Samba seemingly gives out IDs for those machine accounts (hostname$) without checking if the ID is already in use by a user account, leading to files suddenly being owned by "hostname$" instead of the user. Manually changing the machine account xidNumber to something else fixes the problem for the moment, but as soon as new hosts join the AD, I can be almost sure it'll choose a user ID out of my user ID range (<1000), messing everything up again.

Does anyone have an idea on how to do this better? Maybe I can configure the range for new user/machine IDs somewhere so it does not intersect with my user ID range?
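The collision described in this post (a machine account handed an xidNumber that a user was manually mapped to) is visible in a plain dump of idmap.ldb, since every mapping there is a `sidMap` record carrying `objectSid` and `xidNumber`. The following audit script is an added example, not something posted in the thread: it reads such a dump as LDIF on stdin, reports any xidNumber that is assigned to more than one SID, and lists every mapping inside a range you declare as reserved for legacy users. The dump command in the comment is how one would obtain real input; the SIDs and xidNumbers in `SAMPLE_LDIF` are constructed for demonstration and the script assumes the attribute lines are not wrapped.

```shell
#!/bin/sh
# Audit an idmap.ldb dump for xidNumber collisions. Real input would come from:
#   ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectClass=sidMap)' objectSid xidNumber
# Output lines:
#   DUPLICATE <xid> <sid> <sid>...   the same xidNumber is mapped to several SIDs
#   RESERVED  <xid> <sid>...         the xidNumber lies inside the reserved range
# Usage: xid_audit LO HI < dump.ldif
xid_audit() {
    awk -v lo="$1" -v hi="$2" '
        # One LDIF record is complete: remember which SIDs share this xidNumber.
        function flush() {
            if (sid != "" && xid != "") {
                sids[xid] = (count[xid]++ ? sids[xid] " " : "") sid
            }
            sid = ""; xid = ""
        }
        /^objectSid: / { sid = $2 }
        /^xidNumber: / { xid = $2 }
        /^$/           { flush() }      # blank line separates LDIF records
        END {
            flush()                     # last record may lack a trailing blank line
            for (x in count) {
                if (count[x] > 1)
                    printf "DUPLICATE %s %s\n", x, sids[x]
                if (x + 0 >= lo && x + 0 <= hi)
                    printf "RESERVED %s %s\n", x, sids[x]
            }
        }' | sort -k1,1 -k2,2n          # awk hash order is arbitrary; sort for stable output
}

# Constructed sample dump (not real data): two SIDs, a user (RID 1104) and a
# machine account (RID 1120), both mapped to xidNumber 601, plus one normal
# allocation from the DC's own pool.
SAMPLE_LDIF='dn: CN=S-1-5-21-1111111111-2222222222-3333333333-1104
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1104
type: ID_TYPE_BOTH
xidNumber: 601

dn: CN=S-1-5-21-1111111111-2222222222-3333333333-1120
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1120
type: ID_TYPE_BOTH
xidNumber: 601

dn: CN=S-1-5-21-1111111111-2222222222-3333333333-1105
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1105
type: ID_TYPE_BOTH
xidNumber: 3000005
'

# Legacy users live in 500-1000 here, so that is the reserved range to watch.
printf '%s\n' "$SAMPLE_LDIF" | xid_audit 500 1000
```

A non-empty DUPLICATE line is the condition that makes files on the share appear owned by `hostname$`; run the audit after every domain join, and before editing any xidNumber by hand, to catch it before the next NFS export reflects it.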
Rowland Penny
2022-Jun-08 14:51 UTC
[Samba] Samba AD-DC using existing user IDs for new machine accounts - idmap.ldb xidNumber
On Wed, 2022-06-08 at 14:05 +0000, akanator111-smba--- via samba wrote:

> I have an existing NFS share with data from many Linux-only user
> accounts. Those accounts were all in the 500-1000 user ID range. Now
> I've tried setting up Samba as an AD-DC and mapping the new users
> created there to their old user IDs so they have access to their
> files.

Not a good idea to use a DC as a file server.

> To map those user IDs, I first create a new user on the AD-DC and
> then edit the idmap.ldb via:

BAD idea, if you add another DC (which is highly recommended), your users will all get another ID and they will be in a different order, because they are created in idmap.ldb based on the order they connect.

> ldbedit -H /var/lib/samba/private/idmap.ldb objectsid=S-1-5-21-19...
> ... and set the xidNumber to their previous Linux user ID. This works
> fine so far. Files are now owned by the Samba AD user.

Still not a good idea.

> Now the problem comes when I'm adding more machines to my AD domain.
> Samba seemingly gives out IDs for those machine accounts (hostname$)
> without checking if the ID is already in use by a user account,
> leading to files suddenly being owned by "hostname$" instead of the
> user. Manually changing the machine account xidNumber to something
> else fixes the problem for the moment, but as soon as new hosts join
> the AD, I can be almost sure it'll choose a user ID out of my user ID
> range (<1000), messing everything up again.

To be honest, using such low IDs was never a good idea and it is now coming home to roost.

> Does anyone have an idea on how to do this better? Maybe I can
> configure the range for new user/machine IDs somewhere so it does not
> intersect with my user ID range?

Use uidNumber and gidNumber attributes and then the idmap_ad winbind backend on the Unix domain member I suggest you create.

Rowland
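The layout Rowland recommends has two halves: the ID is stored once in AD as `uidNumber`/`gidNumber` on the account, and a Unix domain member (not the DC) runs winbind with `idmap_ad`, which reads those attributes instead of allocating anything. The script below is an added example written for this thread, not Rowland's or the Samba project's code. The domain name `SAMDOM`, the DN `CN=alice,CN=Users,DC=samdom,DC=example,DC=com` and the ID values are assumptions; the smb.conf parameters and the `samba-tool` options are the standard ones. Two constraints are worth checking before rollout, and the helper functions do exactly that: the `idmap config DOMAIN : range` must contain every uidNumber/gidNumber stored in AD or idmap_ad will not map that account, and the default `*` range must not overlap it, since winbind rejects overlapping ranges.

```shell
#!/bin/sh
# idmap_ad layout for a Unix domain member (added example; names are assumptions).

# Emit the idmap part of the member's smb.conf.
# $1 = NetBIOS domain name, $2 = range holding every uidNumber/gidNumber in AD,
# $3 = range for the default (tdb) backend used for BUILTIN and unmapped SIDs.
idmap_ad_conf() {
    cat <<EOF
[global]
    workgroup = $1
    security = ADS
    # default backend: local tdb allocation for BUILTIN and anything not in AD
    idmap config * : backend = tdb
    idmap config * : range = $3
    # domain backend: read uidNumber/gidNumber (RFC2307) from AD, allocate nothing
    idmap config $1 : backend = ad
    idmap config $1 : schema_mode = rfc2307
    idmap config $1 : range = $2
    idmap config $1 : unix_nss_info = yes
EOF
}

# Emit an LDIF that stores the legacy IDs on an existing AD account, for
#   ldbmodify -H /var/lib/samba/private/sam.ldb   (on the DC)
# $1 = user DN, $2 = uidNumber, $3 = gidNumber. For new accounts the same
# attributes can be set at creation time with
#   samba-tool user create NAME --uid-number=UID --gid-number=GID
uid_ldif() {
    cat <<EOF
dn: $1
changetype: modify
add: uidNumber
uidNumber: $2
-
add: gidNumber
gidNumber: $3
EOF
}

# Return 0 if every ID given after the range lies inside it (idmap_ad ignores
# accounts whose uidNumber is outside "idmap config DOMAIN : range").
range_covers() {
    range=$1; shift
    lo=${range%-*}; hi=${range#*-}
    for id in "$@"; do
        [ "$id" -ge "$lo" ] && [ "$id" -le "$hi" ] || return 1
    done
    return 0
}

# Return 0 if two LO-HI ranges are disjoint; winbind refuses overlapping idmap ranges.
ranges_disjoint() {
    a_lo=${1%-*}; a_hi=${1#*-}
    b_lo=${2%-*}; b_hi=${2#*-}
    [ "$a_hi" -lt "$b_lo" ] || [ "$b_hi" -lt "$a_lo" ]
}

# Legacy users occupy 500-999 (per the thread), so the AD range must start at 500;
# the default range is pushed above it so the two never overlap.
DOMAIN_RANGE=500-999999
DEFAULT_RANGE=1000000-1999999
ranges_disjoint "$DOMAIN_RANGE" "$DEFAULT_RANGE" || echo "idmap ranges overlap" >&2
range_covers "$DOMAIN_RANGE" 601 602 999 || echo "legacy IDs fall outside $DOMAIN_RANGE" >&2
idmap_ad_conf SAMDOM "$DOMAIN_RANGE" "$DEFAULT_RANGE"
uid_ldif 'CN=alice,CN=Users,DC=samdom,DC=example,DC=com' 601 601
```

Because the mapping now lives in AD and replicates with it, a second DC or a rebuilt member sees the same IDs, which is the failure mode Rowland's "different order" remark describes. The `gidNumber` must also refer to a group that carries that gidNumber (for example created with `samba-tool group add NAME --gid-number=GID`), otherwise the primary group does not resolve on the member.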