samba - Jul 2024 - Quick questions about uid, gid, uidNumber, gidNumber

Hi.

I'm trying to fix a mistake I made: I installed an AD-DC, with the
functions of a file server.

To solve this problem, I installed a new Samba in a Ubuntu box and
configured it as defined in
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member. This
would work as a file server. However, I now understand (a little more) the
confusion among all these attributes like uid, gid, uidNumber, gidNumber.

I cannot simply discard all the old attributes given to users and groups
since they were used in the permissions of the unix file structure used in
the  shares, since there are sort of a million of files and folders, whose
permissions were defined using acl's.

On the other hand, I feel insecure to simply remove all idmap attributes of
the smb.conf in AD. I'm afraid this could disrupt the whole thing (despite
all the trouble the system is running!).

So the question is what is the best approach to solve this mess. I envisage
two possible solutions, both beginning with the configuration of the file
server with "idmap config <domain> : backend = ad":

1. keep this same AD I have, editing the smb.conf without the risk of
wreaking havoc on the whole thing.

2. installing a new AD but I'm not sure I could use the same uid's and
gid's I have now, using them to configure the attributes uidNumber and
gidNumber. The biggest problem I see is that I already have uid's in the
range 3000000-3999999 and I'm not sure if I can establish a new range for
the AD like 3100000-3999999, so that I can keep the old ones.

Thanks for any help.

Ricardo

On Tue, 9 Jul 2024 13:02:54 -0300
Ricardo Campos via samba <samba at lists.samba.org> wrote:
> Hi.
> 
> I'm trying to fix a mistake I made: I installed an AD-DC, with the
> functions of a file server.
> 
> To solve this problem, I installed a new Samba in a Ubuntu box and
> configured it as defined in
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member.
> This would work as a file server. However, I now understand (a little
> more) the confusion among all these attributes like uid, gid,
> uidNumber, gidNumber.
You do have a problem, there isn't an AD attribute called 'gid' and
the
'uid' attribute expects a name.
> 
> I cannot simply discard all the old attributes given to users and
> groups since they were used in the permissions of the unix file
> structure used in the  shares, since there are sort of a million of
> files and folders, whose permissions were defined using acl's.
> 
> On the other hand, I feel insecure to simply remove all idmap
> attributes of the smb.conf in AD. I'm afraid this could disrupt the
> whole thing (despite all the trouble the system is running!).
> 
> So the question is what is the best approach to solve this mess. I
> envisage two possible solutions, both beginning with the
> configuration of the file server with "idmap config <domain> :
> backend = ad":
> 
> 1. keep this same AD I have, editing the smb.conf without the risk of
> wreaking havoc on the whole thing.
> 
> 2. installing a new AD but I'm not sure I could use the same uid's
and
> gid's I have now, using them to configure the attributes uidNumber and
> gidNumber. The biggest problem I see is that I already have uid's in
> the range 3000000-3999999 
Where are these IDs in the '30000000' coming from ? 
Did you create them ?
I think your first thing to understand is that Unix IDs are often
referred to as uid & gid numbers, but in AD there are the uidNumber &
gidNumber attributes, whilst they ultimately end up doing the same
thing, they are different. 
> and I'm not sure if I can establish a new
> range for the AD like 3100000-3999999, so that I can keep the old
> ones.
> 
> Thanks for any help.
> 
> Ricardo
I think your best plan is to start again, but first get your head
around Samba AD idmapping, do you really need to use the rfc2307
attributes ? If not (and in my opinion you only need them if you need
the unixHomeDirectory & loginShell attributes) then use the 'rid'
idmap
backend and allow Samba to set the user & group IDs from the objects
RID.

It might help if you post the smb.conf files from the DC and Unix
domain member.

Rowland

Hola Ricardo.

Try

http://samba.bigbird.es/doku.php?id=samba:idmap-backends

And this

http://samba.bigbird.es/doku.php?id=samba:more-idmapping-notes

Hope this helps. Saludos.

LP
On 9 Jul 2024 at 17:03 +0100, Ricardo Campos via samba <samba at
lists.samba.org>, wrote:
> Hi.
>
> I'm trying to fix a mistake I made: I installed an AD-DC, with the
> functions of a file server.
>
> To solve this problem, I installed a new Samba in a Ubuntu box and
> configured it as defined in
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member. This
> would work as a file server. However, I now understand (a little more) the
> confusion among all these attributes like uid, gid, uidNumber, gidNumber.
>
> I cannot simply discard all the old attributes given to users and groups
> since they were used in the permissions of the unix file structure used in
> the shares, since there are sort of a million of files and folders, whose
> permissions were defined using acl's.
>
> On the other hand, I feel insecure to simply remove all idmap attributes of
> the smb.conf in AD. I'm afraid this could disrupt the whole thing
(despite
> all the trouble the system is running!).
>
> So the question is what is the best approach to solve this mess. I envisage
> two possible solutions, both beginning with the configuration of the file
> server with "idmap config <domain> : backend = ad":
>
> 1. keep this same AD I have, editing the smb.conf without the risk of
> wreaking havoc on the whole thing.
>
> 2. installing a new AD but I'm not sure I could use the same uid's
and
> gid's I have now, using them to configure the attributes uidNumber and
> gidNumber. The biggest problem I see is that I already have uid's in
the
> range 3000000-3999999 and I'm not sure if I can establish a new range
for
> the AD like 3100000-3999999, so that I can keep the old ones.
>
> Thanks for any help.
>
> Ricardo
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba