On Fri, 8 Sep 2023 12:43:13 +0200
Kees van Vloten via samba <samba at lists.samba.org> wrote:
> Hi Rowland,
>
>
> The other day you touched an interesting topic along the lines.
>
> I have been assigning the default AD groups (all of them) such as
> 'domain admins' and 'domain users' a gidNumber on my domains.
>
> I am using rfc2307 everywhere, which is reflected by 'idmap config
> <domain>:backend = ad' and 'idmap config <domain>:schema_mode =
> rfc2307' on member-servers.
Which is the only way to get the same IDs everywhere, but do you need
to?
If you use the 'rid' idmap backend and use the same basic smb.conf file
on all Unix domain members, you will get the same Unix IDs on all, but
it will be different from the 3000000 range xidNumbers found on DCs and
as you are only supposed to use the DCs for authentication, does this
matter?
What may matter more, are the shell and home directories, but again,
you are more likely to set these on a machine basis anyway.
>
> Until yesterday there was 'idmap_ldb:use rfc2307 = yes' on the DCs,
> but as you correctly pointed out that makes the id resolving
> dependent on the state of winbind's cache and if wrong sysvol is
> broken.
Using 'idmap_ldb:use rfc2307 = yes' on a DC (and you can only use it on
a DC) means that idmap_ldb will use any uidNumber and gidNumber
attributes found in AD. This does not mean that these attributes will
be used on Unix domain members, you would still have to configure the
smb.conf to use them and configure it correctly.
The winbind cache will cache whatever is being used, be that only
xidNumbers, uidNumbers & gidNumbers, or a mixture of the two; it is
also independent of the backend.
> Fortunately I never had that issue but it is very dangerous.
> The option 'idmap_ldb:use rfc2307 = yes' gets added automatically
> when you provision with '--use-rfc2307', so it needs explicit
> removal, good to know, thanks!
I seem to remember that there is a bug report about this, but if you
are using the 'ad' idmap backend on Unix domain members and wish to
have the same IDs everywhere, you need it. The problem starts if you
have that parameter and you give all the default Windows users
and groups a Unix ID: most of these users and groups are never used on
Samba, so it doesn't make much sense to give them a Unix ID.
>
> On the DCs (and only there) the default AD groups normally resolve to
> their xidNumber and rightfully so. With backend=ad they will *not*
> resolve to anything on member-servers if gidNumber is not set. That
> in turn is a problem for example with permissions on file-shares (as
> I want to grant permissions to 'domain users'), so I do want those
> groups to resolve to a gid on member-servers.
If you do not use:
idmap config SAMDOM:unix_primary_group = yes
in smb.conf with the 'ad' idmap backend, then you must give Domain
Users a gidNumber and that gidNumber must be inside the DOMAIN range
set in your smb.conf. If you do use that line, then whatever group the
user will use as their primary group must have a gidNumber and the user
must also have the same gidNumber.
>
> At the moment I assign them free gidNumbers from the designated
> range. As a result the gid on member-servers differs from the one
> (xidNumber) on the DCs. I have not had any troubles with that
> difference but I would think it is undesirable.
That would all depend on how Samba is configured.
>
> The easiest way to make them identical would be for Samba to present
> the xidNumbers over the wire to member-servers, but I guess no such
> option exists. Another way of getting it done is for my script to
> lookup gid (xidNumber) on the DC and put it in the gidNumber of that
> group.
The problem is that a DC can only use idmap_ldb (at present, who knows
what could happen in the future?) and Unix domain members, from the
long list of idmap backends, cannot.
>
> What are your thoughts on this topic? Make them identical, better not
> do that or perhaps it does not matter at all?
As I say above, if all you are using a DC for is authentication, DNS
and GPOs, then you do not need to use anything but xidNumbers.
Rowland
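The rules Rowland lays out for the 'ad' backend (every uidNumber/gidNumber inside the DOMAIN range, Domain Users needing a gidNumber unless 'unix_primary_group = yes', and with that option each user's gidNumber having to match a group that carries the same gidNumber) are easy to get wrong by hand when a script hands out IDs. The following is an added example, not code from this thread or from Samba: a small Python checker that reads the 'idmap config' lines of a member's smb.conf and applies those rules to user and group objects. The domain name SAMDOM, the realm, the ranges, and the user and group records are constructed for illustration; in practice the records would come from ldbsearch output against the DC, and the 3000000-range gidNumber on 'fileshare-ro' models the mistake of copying a DC xidNumber into AD.

```python
import re

# Constructed example smb.conf for a Unix domain member using the 'ad' idmap
# backend (the setup discussed in the thread). SAMDOM, the realm and the
# ranges are illustrative assumptions, not values from the thread.
MEMBER_SMB_CONF = """\
[global]
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    security = ADS
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : schema_mode = rfc2307
    idmap config SAMDOM : range = 10000-999999
"""

# Constructed AD objects standing in for what you would pull out of the DC.
# 'Domain Admins' has no gidNumber, 'fileshare-ro' was given a DC-style
# 3000000-range xidNumber as its gidNumber, and 'Administrator' has no uidNumber.
GROUPS = [
    {"name": "Domain Users", "gidNumber": 10513},
    {"name": "Domain Admins"},
    {"name": "fileshare-ro", "gidNumber": 3000003},
]
USERS = [
    {"name": "kees", "uidNumber": 10001, "gidNumber": 10513},
    {"name": "svc-backup", "uidNumber": 10002},
    {"name": "Administrator"},
]

# 'idmap config DOM : option = value'; spaces around ':' are optional in smb.conf
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+?)\s*:\s*(\S+)\s*=\s*(.*?)\s*$", re.I)


def parse_idmap(conf):
    """Return {DOMAIN: {option: value}} for every 'idmap config' line in conf."""
    idmap = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            idmap.setdefault(dom.upper(), {})[opt.lower()] = val
    return idmap


def check_idmap(conf, domain, users, groups):
    """Apply the thread's rules for the 'ad' backend to a member's smb.conf.

    Returns a sorted list of findings; an empty list means every object the
    member will look up gets a Unix ID under the 'ad' backend.
    """
    cfg = parse_idmap(conf).get(domain.upper())
    if cfg is None:
        return [f"no 'idmap config {domain}' lines: lookups fall back to the '*' backend"]
    if cfg.get("backend", "").lower() != "ad":
        return [f"backend is '{cfg.get('backend')}', not 'ad': rfc2307 attribute checks do not apply"]
    if "range" not in cfg:
        return [f"'idmap config {domain} : range' is mandatory for the ad backend"]
    lo, hi = (int(x) for x in cfg["range"].split("-"))
    upg = cfg.get("unix_primary_group", "no").lower() in ("yes", "true", "1")

    def in_range(n):
        return n is not None and lo <= n <= hi

    findings = []
    group_gids = set()  # gidNumbers that actually resolve on this member
    for g in groups:
        gid = g.get("gidNumber")
        if gid is None:
            findings.append(f"group '{g['name']}' has no gidNumber: will not resolve on members")
        elif not in_range(gid):
            findings.append(f"group '{g['name']}' gidNumber {gid} is outside range {lo}-{hi}")
        else:
            group_gids.add(gid)

    # Without unix_primary_group the primary group is Domain Users (as the
    # thread assumes), so that one group must carry an in-range gidNumber.
    if not upg:
        du = next((g for g in groups if g["name"] == "Domain Users"), None)
        if du is None or not in_range(du.get("gidNumber")):
            findings.append("'Domain Users' needs a gidNumber inside the DOMAIN range")

    for u in users:
        uid = u.get("uidNumber")
        if uid is None:
            findings.append(f"user '{u['name']}' has no uidNumber: will not resolve on members")
            continue
        if not in_range(uid):
            findings.append(f"user '{u['name']}' uidNumber {uid} is outside range {lo}-{hi}")
        # With unix_primary_group = yes the user's own gidNumber is the primary
        # group, and a group with that same in-range gidNumber must exist.
        if upg and u.get("gidNumber") not in group_gids:
            findings.append(f"user '{u['name']}' gidNumber {u.get('gidNumber')} matches no resolvable group")
    return sorted(findings)


if __name__ == "__main__":
    for finding in check_idmap(MEMBER_SMB_CONF, "SAMDOM", USERS, GROUPS):
        print(finding)
```

Run against the constructed data, the checker flags 'Domain Admins' (no gidNumber), 'fileshare-ro' (DC-style ID outside the DOMAIN range) and 'Administrator' (no uidNumber), and stays quiet about Domain Users because its gidNumber sits inside the range; appending 'idmap config SAMDOM : unix_primary_group = yes' additionally flags 'svc-backup', whose missing gidNumber then has no group to match. Switching the backend to 'rid' short-circuits the attribute checks, which is the point Rowland makes: with 'rid' the IDs are derived, and none of these attributes matter.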