[Samba] rfc2307 deprecated in Windows 2012 R2?

Hans-Kristian Bakke hkbakke at gmail.com
Fri Jan 30 09:20:33 MST 2015


I do not understand the point about issues with administrator being
mapped to a "random" rfc2307 UID. You need to explain the details
surrounding that part to me as my experience is that this is OK and
even necessary.

The only reason for not giving Administrator a "random" UID/GID that I
can think of is perhaps if you are doing some mapping of Administrator
to root, something which I am personally strongly against as they are
_not_ the same users from any central authentication point of view. It
is just a hack for people that are making the mistake of actually using
the administrator account for linux administration, when it shouldn't
really be used for anything at all, even on windows boxes, as you
should be adding dedicated admin accounts for each admin.

The script only gives users and groups that are non-local (i.e domain
users that would actually be used for logins with non-zero SIDs)
uid/gids. Administrator is one of them and giving it a UID of
300500/whatever is absolutely correct and necessary if administrator
is going to be able to log in to the linux boxes like everybody else.
From a linux box's view in a Windows DC domain administrator is no
different from other users. Add your admin group to sudoers and ssh
allowgroups and you are done. This works beautifully in several well
tested and abused production systems, also with ACLs with
administrator added.

--
Hans-Kristian

On 30 January 2015 at 11:01, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> On 29/01/15 22:56, Hans-Kristian Bakke wrote:
>>
>> Something went wrong and the message got sent before it was finished.
>> Here is the complete one:
>>
>> Ok, it's here: http://pastebin.com/JEnr5wUq
>>
>> The id_offset is that value because I initially didn't use rfc2307
>> attributes, but instead had
>>
>> idmap config EXAMPLE : range = 300000-499999
>>
>> in smb.conf.
>>
>> To get identical uid/gids you have to start with the same offset. If you
>> have a fresh domain and are just starting with AD-integration on your
>> linux-boxes you can just pull out the logic for generating winbind
>> compatible uids/gids.
>>
>> -
>> Regards,
>>
>> Hans-Kristian
>>
>>
>> On 29 January 2015 at 23:53, Hans-Kristian Bakke <hkbakke at gmail.com>
>> wrote:
>>>
>>> Ok, it's here: http://pastebin.com/JEnr5wUq
>>>
>>> The id_offset is that value because I initially didn't use rfc2307
>>> attributes, but instead
>>>
>>>
>>> On 29 January 2015 at 23:27, Tim <lists at kiuni.de> wrote:
>>>>
>>>> @Hans-Kristian:
>>>> I'd like to see it. How did you automate this?
>>>>
>>>> @Andrew:
>>>> In another thread I suggested setting the rfc2307 info automatically when
>>>> a domain is provisioned with --use-rfc2307. Possibly by an additional
>>>> parameter.
>>>> This would make things easier in my eyes.
>>>>
>>>> Thanks
>>>> Tim
>>>>
>>>> On 29 January 2015 22:02:14 CET, Hans-Kristian Bakke
>>>> <hkbakke at gmail.com> wrote:
>>>>>
>>>>> It is actually rather easy to set the attributes via powershell, and
>>>>> that is probably the best way to add them in a Server 2012 R2
>>>>> environment.
>>>>>
>>>>> I wrote a powershell script to do this automatically for users and
>>>>> groups in an entire domain that should be pretty generic to be reused.
>>>>> It also mirrors the logic used in automatic winbind UID/GID generation
>>>>> to be able to coexist in an environment where not all hosts are
>>>>> migrated to rfc2307 yet. If you want it I can give it to you, but as
>>>>> you probably would want to write your own powershell-script you would
>>>>> set properties for users and groups using these two cmdlets and some
>>>>> foreach-logic looping over your search bases, users and groups:
>>>>>
>>>>> Set-ADUser -Identity $username -Replace @{uidNumber=$uid;gidNumber=$primary_group_gid;unixHomeDirectory=$homedir;loginShell=$login_shell}
>>>>>
>>>>> Set-ADGroup -Identity $groupname -Replace @{gidNumber=$gid}
>>>>>
>>>>> On 29 January 2015 at 21:24, Lars Hanke <debian at lhanke.de> wrote:
>>>>>>
>>>>>>   On 29.01.2015 at 21:12, Tim wrote:
>>>>>>>
>>>>>>>
>>>>>>>   But if they take it away how to set them in future?
>>>>>>
>>>>>>
>>>>>>
>>>>>>   If you need NIS, you probably have POSIX systems attached. So you can
>>>>>>   always set RFC2307 attributes from POSIX systems.
>>>>>>
>>>>>>
>>>>>>>   On 29 January 2015 19:50:22 CET, Andrew Bartlett
>>>>>>>   <abartlet at samba.org> wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>   On Wed, 2015-01-28 at 17:22 +0100, Tim wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>   I got the chance to test samba 4 with windows 2012 R2 domain
>>>>>>>>>   controller on its highest functional level.
>>>>>>>>>
>>>>>>>>>   Possibly it's important to know that M$ says that the "server for
>>>>>>>>>   NIS Tools" which are needed to set rfc attributes are deprecated.
>>>>>>>>>   I could install them but I can't choose a NIS domain anymore in
>>>>>>>>>   Unix attributes.
>>>>>>>>>
>>>>>>>>>   Will we run into problems with samba4? Is it time for thinking
>>>>>>>>>   about a new idmapping backend? I have an idea for this (based on
>>>>>>>>>   rid module) but I like to know your thoughts.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>   Even if they take away the admin tools, the schema changes won't
>>>>>>>>   go away, so don't worry.
>>>>>>>>
>>>>>>>>   --
>>>>>>>>   Andrew Bartlett
>>>>>>>>    http://samba.org/~abartlet/
>>>>>>>>   Authentication Developer, Samba Team  http://samba.org
>>>>>>>>   Samba Developer, Catalyst IT
>>>>>>>>   http://catalyst.net.nz/services/samba
>>>>>>
>>>>>>
>>>>>>
>>>>>>   --
>>>>>>   To unsubscribe from this list go to the following URL and read the
>>>>>>   instructions:  https://lists.samba.org/mailman/options/samba
>>>>>
>
>
> OK, had a quick look through your script and I cannot recommend it; it would
> seem to give Administrator (and everybody else) a 'uidNumber'.
> Administrator's 'uidNumber' would be 300500, not a good idea.
>
> Rowland
>
>
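The two cmdlets quoted in the thread, wrapped into the kind of loop over users and groups that Hans-Kristian describes, as an added example. This is not the script behind the pastebin link; the range-to-ID arithmetic (the same as winbind's idmap_rid backend: ID = RID + low end of the range, so range 300000-499999 gives Administrator, RID 500, uid 300500), the skipping of attributes that are already set, the BUILTIN/well-known SID filter and the -MinUserRid knob are this example's own choices. It assumes the ActiveDirectory module is installed, that the smb.conf range quoted above belongs to an idmap_rid backend (the thread shows only the range line), and the home directory root and login shell are placeholders.

```powershell
<#
  Added example, not the script posted in the thread. Writes rfc2307
  attributes so that uidNumber/gidNumber equal what winbind's idmap_rid
  backend produces for the same range: ID = RID + low range (base_rid 0).
  Assumptions: ActiveDirectory module present; the quoted smb.conf range is
  an idmap_rid range; $HomeRoot and $LoginShell are placeholders.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$IdOffset   = 300000,         # low end of the idmap range
    [int]$IdCeiling  = 499999,         # high end of the idmap range
    [int]$MinUserRid = 0,              # 1000 leaves well-known accounts (Administrator = 500) unmapped
    [string]$SearchBase,               # defaults to the domain root
    [string]$HomeRoot   = '/home',     # placeholder
    [string]$LoginShell = '/bin/bash', # placeholder
    [switch]$Overwrite                 # by default, attributes already set are kept
)

Import-Module ActiveDirectory -ErrorAction Stop
$domain    = Get-ADDomain
$domainSid = $domain.DomainSID.Value
if (-not $SearchBase) { $SearchBase = $domain.DistinguishedName }

# RID = last sub-authority of the SID. Only objects under the domain SID are
# mapped; BUILTIN (S-1-5-32-*) and other well-known SIDs yield $null.
function Get-DomainRid {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    if (-not $Sid.Value.StartsWith("$domainSid-")) { return $null }
    return [int]$Sid.Value.Substring($domainSid.Length + 1)
}

# Same arithmetic as idmap_rid (ID = RID - base_rid + low range); an ID above
# the configured range is rejected rather than silently assigned.
function ConvertTo-PosixId {
    param([int]$Rid)
    $id = $IdOffset + $Rid
    if ($id -gt $IdCeiling) { return $null }
    return $id
}

# Groups first, so every gidNumber given to a user already exists on a group.
# Groups are not filtered by RID: primary groups such as Domain Users (513)
# sit below 1000 and must be mapped for the users to be usable on POSIX hosts.
foreach ($g in Get-ADGroup -Filter * -SearchBase $SearchBase -Properties gidNumber, objectSid) {
    $rid = Get-DomainRid $g.objectSid
    if ($null -eq $rid) { continue }
    $gid = ConvertTo-PosixId $rid
    if ($null -eq $gid) { Write-Warning "$($g.SamAccountName): RID $rid exceeds range, skipped"; continue }
    if ($g.gidNumber -and -not $Overwrite) { continue }
    if ($PSCmdlet.ShouldProcess($g.SamAccountName, "set gidNumber=$gid")) {
        Set-ADGroup -Identity $g -Replace @{ gidNumber = $gid }
    }
}

foreach ($u in Get-ADUser -Filter * -SearchBase $SearchBase -Properties uidNumber, gidNumber, objectSid, primaryGroupID) {
    $rid = Get-DomainRid $u.objectSid
    if ($null -eq $rid -or $rid -lt $MinUserRid) { continue }
    $uid = ConvertTo-PosixId $rid
    # primaryGroupID holds the RID of the primary group, so the user's gidNumber
    # comes from the same formula and matches the value written on that group.
    $gid = ConvertTo-PosixId $u.primaryGroupID
    if ($null -eq $uid -or $null -eq $gid) { Write-Warning "$($u.SamAccountName): RID $rid exceeds range, skipped"; continue }
    if ($u.uidNumber -and -not $Overwrite) { continue }
    if ($PSCmdlet.ShouldProcess($u.SamAccountName, "set uidNumber=$uid gidNumber=$gid")) {
        Set-ADUser -Identity $u -Replace @{
            uidNumber         = $uid
            gidNumber         = $gid
            unixHomeDirectory = "$HomeRoot/$($u.SamAccountName)"
            loginShell        = $LoginShell
        }
    }
}
```

Run it once with -WhatIf to see which objects would be changed before touching the directory. With the defaults it behaves as Hans-Kristian describes (Administrator gets 300500); passing -MinUserRid 1000 leaves Administrator and the other well-known accounts without a uidNumber, which is one way to act on Rowland's objection while still mapping every ordinary domain user. Because the numbers are computed exactly as idmap_rid computes them, hosts that still use the quoted range with a rid backend and hosts that have moved to rfc2307 attributes agree on every uid and gid, so file ownership on shared storage does not change during the migration.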