Ricardo Campos
2024-Jul-09 16:02 UTC
[Samba] Quick questions about uid, gid, uidNumber, gidNumber
Hi.

I'm trying to fix a mistake I made: I installed an AD-DC, with the functions of a file server.

To solve this problem, I installed a new Samba in a Ubuntu box and configured it as defined in https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member. This would work as a file server. However, I now understand (a little more) the confusion among all these attributes like uid, gid, uidNumber, gidNumber.

I cannot simply discard all the old attributes given to users and groups since they were used in the permissions of the unix file structure used in the shares, since there are sort of a million of files and folders, whose permissions were defined using ACLs.

On the other hand, I feel insecure to simply remove all idmap attributes of the smb.conf in AD. I'm afraid this could disrupt the whole thing (despite all the trouble the system is running!).

So the question is what is the best approach to solve this mess. I envisage two possible solutions, both beginning with the configuration of the file server with "idmap config <domain> : backend = ad":

1. keep this same AD I have, editing the smb.conf without the risk of wreaking havoc on the whole thing.

2. installing a new AD, but I'm not sure I could use the same uids and gids I have now, using them to configure the attributes uidNumber and gidNumber. The biggest problem I see is that I already have uids in the range 3000000-3999999 and I'm not sure if I can establish a new range for the AD like 3100000-3999999, so that I can keep the old ones.

Thanks for any help.

Ricardo
Rowland Penny
2024-Jul-09 16:52 UTC
[Samba] Quick questions about uid, gid, uidNumber, gidNumber
On Tue, 9 Jul 2024 13:02:54 -0300 Ricardo Campos via samba <samba at lists.samba.org> wrote:
> Hi.
>
> I'm trying to fix a mistake I made: I installed an AD-DC, with the
> functions of a file server.
>
> To solve this problem, I installed a new Samba in a Ubuntu box and
> configured it as defined in
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member.
> This would work as a file server. However, I now understand (a little
> more) the confusion among all these attributes like uid, gid,
> uidNumber, gidNumber.

You do have a problem, there isn't an AD attribute called 'gid' and the 'uid' attribute expects a name.

> I cannot simply discard all the old attributes given to users and
> groups since they were used in the permissions of the unix file
> structure used in the shares, since there are sort of a million of
> files and folders, whose permissions were defined using acl's.
>
> On the other hand, I feel insecure to simply remove all idmap
> attributes of the smb.conf in AD. I'm afraid this could disrupt the
> whole thing (despite all the trouble the system is running!).
>
> So the question is what is the best approach to solve this mess. I
> envisage two possible solutions, both beginning with the
> configuration of the file server with "idmap config <domain> :
> backend = ad":
>
> 1. keep this same AD I have, editing the smb.conf without the risk of
> wreaking havoc on the whole thing.
>
> 2. installing a new AD but I'm not sure I could use the same uid's and
> gid's I have now, using them to configure the attributes uidNumber and
> gidNumber. The biggest problem I see is that I already have uid's in
> the range 3000000-3999999

Where are these IDs in the '30000000' coming from? Did you create them?

I think your first thing to understand is that Unix IDs are often referred to as uid & gid numbers, but in AD there are the uidNumber & gidNumber attributes; whilst they ultimately end up doing the same thing, they are different.

> and I'm not sure if I can establish a new
> range for the AD like 3100000-3999999, so that I can keep the old
> ones.
>
> Thanks for any help.
>
> Ricardo

I think your best plan is to start again, but first get your head around Samba AD idmapping: do you really need to use the rfc2307 attributes? If not (and in my opinion you only need them if you need the unixHomeDirectory & loginShell attributes) then use the 'rid' idmap backend and allow Samba to set the user & group IDs from the object's RID.

It might help if you post the smb.conf files from the DC and Unix domain member.

Rowland
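The two idmap choices Rowland contrasts (keeping the uidNumber/gidNumber attributes with the 'ad' backend, or letting the 'rid' backend derive IDs from the RID) are illustrated by the following added Python example, which is not code from the thread or from Samba. It parses constructed smb.conf idmap lines for a placeholder domain EXAMPLE, shows which Unix ID winbind would use for an object under each backend, and flags the overlapping-range misconfiguration Samba rejects.

```python
import re

# Constructed smb.conf fragments (not from the thread); EXAMPLE is a
# placeholder domain. AD_CONF keeps the uidNumber/gidNumber values
# already stored in AD; RID_CONF lets winbind derive IDs from the RID.
AD_CONF = """
[global]
   idmap config * : backend = tdb
   idmap config * : range = 10000-999999
   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE : schema_mode = rfc2307
   idmap config EXAMPLE : range = 3000000-3999999
"""
# The rid backend does not read rfc2307 attributes, so schema_mode is dropped.
RID_CONF = AD_CONF.replace("backend = ad", "backend = rid").replace(
    "   idmap config EXAMPLE : schema_mode = rfc2307\n", "")

LINE_RE = re.compile(r"\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$")

def parse_idmap(conf):
    """Collect 'idmap config DOMAIN : key = value' lines, keyed by domain."""
    cfg = {}
    for line in conf.splitlines():
        m = LINE_RE.match(line)
        if m:
            cfg.setdefault(m.group(1).upper(), {})[m.group(2)] = m.group(3)
    return cfg

def id_range(cfg, domain):
    lo, hi = cfg[domain]["range"].split("-")
    return int(lo), int(hi)

def map_id(cfg, domain, sid, uid_number=None):
    """Unix ID winbind would assign to the object, or None if unmappable.
    rid backend: ID = RID + LOW_RANGE_ID (see idmap_rid(8)).
    ad backend: the object's own uidNumber/gidNumber, only if inside the range."""
    lo, hi = id_range(cfg, domain)
    backend = cfg[domain]["backend"]
    if backend == "rid":
        uid = int(sid.rsplit("-", 1)[1]) + lo   # last SID component is the RID
    elif backend == "ad":
        uid = uid_number                        # None when the attribute is unset
    else:
        raise ValueError(f"backend {backend!r} not modelled here")
    return uid if uid is not None and lo <= uid <= hi else None

def overlapping_ranges(cfg):
    """Domain pairs whose ranges overlap; Samba requires idmap ranges to be disjoint."""
    names, bad = sorted(cfg), []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = id_range(cfg, a), id_range(cfg, b)
            if alo <= bhi and blo <= ahi:
                bad.append((a, b))
    return bad
```

With the 'ad' backend an object whose uidNumber is unset or outside the configured range gets no Unix ID at all, which is the failure mode to test for before relying on existing attribute values.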
Luis Peromarta
2024-Jul-09 17:47 UTC
[Samba] Quick questions about uid, gid, uidNumber, gidNumber
Hello Ricardo.

Try http://samba.bigbird.es/doku.php?id=samba:idmap-backends

And this http://samba.bigbird.es/doku.php?id=samba:more-idmapping-notes

Hope this helps.

Regards.
LP

On 9 Jul 2024 at 17:03 +0100, Ricardo Campos via samba <samba at lists.samba.org>, wrote:
> Hi.
>
> I'm trying to fix a mistake I made: I installed an AD-DC, with the
> functions of a file server.
>
> To solve this problem, I installed a new Samba in a Ubuntu box and
> configured it as defined in
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member. This
> would work as a file server. However, I now understand (a little more) the
> confusion among all these attributes like uid, gid, uidNumber, gidNumber.
>
> I cannot simply discard all the old attributes given to users and groups
> since they were used in the permissions of the unix file structure used in
> the shares, since there are sort of a million of files and folders, whose
> permissions were defined using acl's.
>
> On the other hand, I feel insecure to simply remove all idmap attributes of
> the smb.conf in AD. I'm afraid this could disrupt the whole thing (despite
> all the trouble the system is running!).
>
> So the question is what is the best approach to solve this mess. I envisage
> two possible solutions, both beginning with the configuration of the file
> server with "idmap config <domain> : backend = ad":
>
> 1. keep this same AD I have, editing the smb.conf without the risk of
> wreaking havoc on the whole thing.
>
> 2. installing a new AD but I'm not sure I could use the same uid's and
> gid's I have now, using them to configure the attributes uidNumber and
> gidNumber. The biggest problem I see is that I already have uid's in the
> range 3000000-3999999 and I'm not sure if I can establish a new range for
> the AD like 3100000-3999999, so that I can keep the old ones.
>
> Thanks for any help.
>
> Ricardo