Rowland Penny
2025-Jan-16 14:44 UTC
[Samba] odd UID behaviour in Linux hosts connected to Samba AD
On Thu, 16 Jan 2025 14:16:45 +0100 (CET)
vincent at cojot.name wrote:

> Hi Rowland,
>
> Thank you very much for the quick answer.
>
> >> Right after booting a fileserver, I can 'id' a local user just fine
> >> and it's properly showing the local Linux groups:
> >
> > Please define 'local user', if it is a user that is in /etc/passwd
> > AND in AD, you are doing it wrong.
>
> Yes, I have those local users both in /etc/passwd and AD (in case AD
> is down). I had no idea it would be wrong.
>
> >> # grep winbind /etc/nsswitch.conf
> >> passwd: db files winbind systemd
> >> group: db files winbind systemd
> >
> > Hmm, what is the 'db' ?
>
> It's auto-constructed from NSS information. I thought it was pretty
> common usage. Removing it does not make a difference, btw.. db is
> supposed to provide faster lookups, even locally.
>
> >> winbind nss info = rfc2307
> >
> > That line is no longer required.
>
> Ok, thank you, will get rid of it.
>
> >> min domain uid = 1000
> >> idmap config * : backend = tdb
> >> idmap config * : range = 2000000-2999999
> >
> > I wish redhat would stop telling people to put the default domain
> > above the main domain and 999999 IDs is a bit much for the default
> > domain, something that is meant for the Well Known SIDs (there are
> > less than 200 of those) and anything outside the main domain (so
> > really '0').
>
> I do not think it was a Red Hat thing.. It was probably me searching
> the internet for answers. Do you think I should get rid of the
> 'idmap config * ..' lines completely? Do you have a suggestion there?
> I'm happy to drop the ranges to something much more narrow.
>
> > I take it you have added rfc2307 attributes to AD.
>
> I did, yes, back when I created this two-VM Samba AD/DC setup (4.8.z
> times, I think)
>
> > Thing is, you shouldn't have local users and AD users with the same
> > name.
>
> They don't only share the name, they also shared the UID and GID
> (through rfc2307 attributes ).
>
> >> the UID and GID in AD are coming from uidNumber and gidNumber
> >> which I have configured to match those of the local user.
> >
> > Yes, it really sounds like you are doing it wrong.
>
> I understand that now from what you said.. so doing it right is using
> only local users or AD and keeping both separate? then if AD is down
> or DNS is down, nobody can login, right? (unless the offline logins
> work).
>
> > Let me give you an example on my domain:
> >
> > rowland at devstation:~$ grep 'rowland' /etc/passwd
> > rowland at devstation:~$
> >
> > I am not in /etc/passwd, I am not a 'local user', so why does this
> > work:
> >
> > rowland at devstation:~$ id rowland
> > uid=11104(rowland) gid=10513(domain users) groups=10513(domain
> > users),102(netdev),1001(unixtest),11104(rowland),10512(domain
> > admins),12605(testgroup),10571(allowed rodc password replication
> > group),10572(denied rodc password replication
> > group),2001(BUILTIN\users),2000(BUILTIN\administrators)
> >
> > It works because (using idmap_rid) winbind makes me a Unix user.
>
> Oh, I see. But 'rid' is Random ID, right? so the UID of the AD user
> on the Linux system can not be predicted, only determined after the
> fact, right? and then it properly functions with /etc/group, right?
>
> > You can add AD users to local Unix groups, but a better way would
> > be to create groups in AD instead (not system groups, the ones with
> > an ID less than 1000)
>
> Do you mean actual AD groups? can AD groups have a gidNumber in
> rfc2307 attributes for mapping to a pre-defined UNIX group? I'm not
> super familiar with AD groups... Can samba-tool be used to create
> them as well?
>
> >> Am I doing something totally wrong here?
> >
> > It sounds like it.
>
> I thought so, thanks for confirming.
>
> > Do you really need the rfc2307 attributes ?
> > Samba can map AD users to Unix IDs without them and Windows never
> > uses them.
>
> so that would be the 'rid' backend, right?
>
> Thank you for this detailed reply, much appreciated. AD is one of the
> areas that I never fully researched properly and was just happy to be
> a freeloader..
>
> Vincent

Try reading these:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Configuring_Samba

https://wiki.samba.org/index.php/Idmap_config_rid

You need to configure the default domain '*' and your AD domain as
shown on the 'Idmap_config_rid' wiki page. 'rid' does not mean 'Random
ID', it is a way of mapping the account's Windows RID (which is always
unique in the domain) to a Unix ID, it does this by calculating the ID
with this formula:

ID = RID - BASE_RID + LOW_RANGE_ID

The 'BASE_RID' defaults to '0' unless it is set differently in the
smb.conf file.

The 'LOW_RANGE_ID' is what you set in the smb.conf file, so from the
wiki example above, it could be '10000'

This means that the formula, with a user with the RID '1104', could be
written like this:

ID = 1104 + 10000

Or

ID = 11104

Provided you use the same 'idmap config' lines on all Unix domain
members, you will always get the same ID for users and groups. The only
place you cannot use the 'idmap config' lines is on a DC.

The other thing you need to do, forget most of what you know. The main
reason for AD is a single point of maintenance (even if there are
multiple DCs, they all hold the same information), you create users &
groups in one place (the DCs) and never directly on the Unix domain
members, you only create local system users & groups (the ones with an
ID less than 1000) on the Unix computer.

You are probably thinking 'but what about ?', so please ask
about anything that you have doubts about, I would rather answer such
questions now instead of trying to help you fix things later :-)

Rowland
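The idmap_rid arithmetic described in the reply above, as an added worked example (not code from this thread or from Samba itself): it reads the 'idmap config' lines from a constructed smb.conf fragment (the domain name EXAMPLE and both ranges are assumptions), applies ID = RID - BASE_RID + LOW_RANGE_ID, treats a result outside the configured range as unmapped, and checks that the '*' and domain ranges do not overlap, which the wiki pages linked above require. With LOW_RANGE_ID 10000 it reproduces the 11104 for RID 1104 and the 10513 for Domain Users (RID 513) seen in the 'id' output.

```python
import re

# Constructed smb.conf fragment laid out like the Idmap_config_rid wiki page;
# the domain name EXAMPLE and both ranges are assumptions, not the thread's config.
SMB_CONF = """
[global]
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 10000-999999
"""

IDMAP_LINE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.M)

def parse_idmap(conf):
    """Return {DOMAIN: {"backend": str, "range": (low, high), "base_rid": int}}."""
    cfg = {}
    for dom, key, val in IDMAP_LINE.findall(conf):
        entry = cfg.setdefault(dom.upper(), {"base_rid": 0})
        if key == "range":
            low, high = (int(x) for x in val.split("-"))
            entry["range"] = (low, high)
        elif key == "base_rid":
            entry["base_rid"] = int(val)
        else:
            entry[key] = val
    return cfg

def rid_to_id(cfg, domain, rid):
    """idmap_rid: ID = RID - BASE_RID + LOW_RANGE_ID; None when the result
    falls outside the domain's range (winbind then has no mapping for it)."""
    entry = cfg[domain.upper()]
    if entry.get("backend") != "rid":
        raise ValueError(f"{domain} is not configured with the rid backend")
    low, high = entry["range"]
    unix_id = rid - entry["base_rid"] + low
    return unix_id if low <= unix_id <= high else None

def sid_to_id(cfg, domain, sid):
    """The RID is the last component of the SID; the caller supplies the
    domain the SID belongs to (winbind resolves that from the domain SID)."""
    return rid_to_id(cfg, domain, int(sid.rsplit("-", 1)[1]))

def overlapping_ranges(cfg):
    """Every idmap range must be disjoint; return the domain pairs that collide."""
    ranges = [(d, e["range"]) for d, e in cfg.items() if "range" in e]
    return [(a, b) for i, (a, ra) in enumerate(ranges) for b, rb in ranges[i + 1:]
            if ra[0] <= rb[1] and rb[0] <= ra[1]]
```

The BUILTIN groups (2000 and 2001 in the 'id' output) are not produced by this formula: they come from the '*' default domain's tdb backend, which allocates IDs on first sight rather than calculating them.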
Luis Peromarta
2025-Jan-16 16:13 UTC
[Samba] odd UID behaviour in Linux hosts connected to Samba AD
It took me a few hours to put these together, hopefully it is useful to you:

http://samba.bigbird.es/doku.php?id=samba:idmap-backends
http://samba.bigbird.es/doku.php?id=samba:no-need-for-use-rfc2307
http://samba.bigbird.es/doku.php?id=samba:more-idmapping-notes

On 16 Jan 2025 at 14:45 +0000, Rowland Penny via samba <samba at lists.samba.org>, wrote:
vincent at cojot.name
2025-Jan-16 17:10 UTC
[Samba] odd UID behaviour in Linux hosts connected to Samba AD
Hi again Rowland and Luis,

First, thank you very much for jumping to my rescue and explaining what I got wrong about my Samba usage.

This brought another question: Could I perhaps use the Samba 'rid' backend so that Windows users get unique UIDs on Linux boxes - different from the Linux UIDs - and then make use of usermap to map them to the proper local Linux user? Would that work? Would that work for files being served as well?

Thanks,

Vincent