Andrew Bartlett
Wed Oct 9 13:41:16 MDT 2013

On Wed, 2013-10-09 at 10:01 +0100, Rowland Penny wrote:
> On 09/10/13 03:56, Andrew Bartlett wrote:
> > On Sun, 2013-10-06 at 14:16 +0100, Rowland Penny wrote:
> >
> >> You then need to add the following ldif.
> >>
> >> dn: CN=<username>,CN=Users,DC=example,DC=com
> >> changetype: modify
> >> add: msSFU30NisDomain
> >> msSFU30NisDomain: <your domain>
> >> -
> >> add: msSFU30Name
> >> msSFU30Name: <username>
> >> -
> >> add: description
> >> description: A UNIX user
> >>
> >> Once the user is created, 'msSFU30MaxUidNumber' needs to be updated to
> >> the next number.
> >>
> >> Now, having shown how it can be done at the moment, I think that
> >> samba-tool should be altered to match the way that windows ADUC works
> >> i.e. change '--uid-number=UID_NUMBER' to a switch 'with-uidNumber', this
> >> switch would then get the required uidNumber from  'msSFU30MaxUidNumber'
> >> and add this, along with the required Unix attributes to the user, then
> >> update 'msSFU30MaxUidNumber'.
> >>
> >> Please do not suggest that I do this myself, because to me, python is a
> >> type of snake ;-)
> > The issue is that msSFU30MaxUidNumber is not magic in any way in AD, and
> > so if two scripts or users operate at different ends of the company at
> > the same time, nothing will prevent allocation of duplicate UID values.
> Er, what happened to Samba4 behaving just like Windows? 
> msSFU30MaxUidNumber is not something I came up with; it is something 
> Microsoft did and it is used by ADUC.
> >
> > ID mapping is hard.
> You're not kidding, and it is not helped by everybody doing something 
> different; there needs to be a standard.
> >   
> >
> > The best solution I've seen, but we still have not implemented, is to use
> > trustPosixOffset on each trusted domain, which is allocated on the
> > naming master (in Windows AD; Samba doesn't know about it yet), and so
> > would be unique when combined with an enhanced idmap_rid.
> Now I know nothing, but I think that Microsoft expects 
> msSFU30MaxUidNumber to be used with msSFU30NisDomain to give a unique 
> name/number. 

Sadly no constraints are implemented on the AD side to ensure this.  It
is entirely up to the administrator to ensure the dangerous situation
with duplicate UID or GID values does not happen. 

The issue with putting this behaviour in samba-tool is that samba-tool
is often scripted, while the GUI is not prone to this issue.  Scripted
tools are much more prone to races, and so we must be even more
circumspect with regards to duplicate allocations.

> I also personally think that idmap_rid should be put out to 
> pasture and only idmap_ad used. This would then pull the info from the 
> AD database, be this a windows server or a samba 4 one.

There are a number of issues here.  idmap_rid allows us to allocate a
UID and GID to a SID, in an automatic and safe manner (provided they are
in particular ranges).

If we use idmap_ad, we have no method to implement IDMAP_BOTH at the
moment, because we read uidNumber as only a UID and gidNumber as only a
GID.  This creates issues when groups start to own files, or when users
become SIDs in a sidHistory attribute. 

Andrew Bartlett
Authentication Developer, Samba Team
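The race Andrew describes above, and one way a scripted allocator can avoid it, as an added example that is not code from this thread, from Samba or from samba-tool. The idea it demonstrates: a script that reads msSFU30MaxUidNumber, adds one and writes the result back can hand the same uidNumber to two callers, whereas a single LDAP modify that deletes the old counter value and adds the new one acts as a compare-and-swap, because RFC 4511 requires a modify request to be applied as a whole or not at all and a value-specific delete of a value that is no longer present fails with noSuchAttribute. The directory below is an in-memory stand-in with exactly those two properties; the counter DN, the starting value and the `race()` harness are constructed for the example.

```python
# Added example (not from the thread, Samba or samba-tool): naive vs.
# compare-and-swap allocation of uidNumber from msSFU30MaxUidNumber.
# FakeDirectory stands in for an LDAP/AD server: modify() is atomic and a
# value-specific delete of an absent value fails, as RFC 4511 requires.

# Assumed DN for the container holding the counter (constructed).
COUNTER_DN = ("CN=example,CN=ypservers,CN=ypServ30,CN=RpcServices,"
              "CN=System,DC=example,DC=com")
ATTR = "msSFU30MaxUidNumber"


class AttrMismatch(Exception):
    """Stand-in for LDAP noSuchAttribute on a value-specific delete."""


class FakeDirectory:
    """Minimal directory: one entry, one attribute, atomic modify()."""

    def __init__(self, start):
        self._entries = {COUNTER_DN: {ATTR: {str(start)}}}

    def read(self, dn, attr):
        return next(iter(self._entries[dn][attr]))

    def modify(self, dn, changes):
        """Apply a list of (op, attr, value) as one request: work on a copy
        and commit only if every change succeeds."""
        entry = {k: set(v) for k, v in self._entries[dn].items()}
        for op, attr, value in changes:
            vals = entry.setdefault(attr, set())
            if op == "delete":
                if value not in vals:
                    raise AttrMismatch(f"{attr} does not hold {value}")
                vals.remove(value)
            elif op == "add":
                vals.add(value)
            elif op == "replace":
                entry[attr] = {value}
            else:
                raise ValueError(op)
        self._entries[dn] = entry


def naive_allocate(d, interleave=lambda: None):
    """Read, increment, replace. 'interleave' stands for whatever another
    admin or script does between this caller's read and its write."""
    current = int(d.read(COUNTER_DN, ATTR))
    interleave()
    d.modify(COUNTER_DN, [("replace", ATTR, str(current + 1))])
    return current


def cas_allocate(d, interleave=lambda: None, max_tries=5):
    """Same, but the write only succeeds if the counter still holds the
    value we read; otherwise re-read and try the next number."""
    for _ in range(max_tries):
        current = int(d.read(COUNTER_DN, ATTR))
        interleave()
        try:
            d.modify(COUNTER_DN, [("delete", ATTR, str(current)),
                                  ("add", ATTR, str(current + 1))])
        except AttrMismatch:
            continue  # someone else got there first
        return current
    raise RuntimeError("gave up allocating a uidNumber after retries")


def cas_ldif(current):
    """The same compare-and-swap written as LDIF for ldbmodify/ldapmodify."""
    return (f"dn: {COUNTER_DN}\nchangetype: modify\n"
            f"delete: {ATTR}\n{ATTR}: {current}\n-\n"
            f"add: {ATTR}\n{ATTR}: {current + 1}\n-\n")


def race(allocator, d):
    """Run 'allocator' twice so that the second run happens entirely between
    the first run's read and write. Returns (first_uid, second_uid)."""
    got = []
    fired = []

    def rival():
        if not fired:          # interrupt only the first attempt
            fired.append(True)
            got.append(allocator(d))

    first = allocator(d, interleave=rival)
    return first, got[0]


if __name__ == "__main__":
    print("naive:", race(naive_allocate, FakeDirectory(10000)))  # (10000, 10000)
    print("cas:  ", race(cas_allocate, FakeDirectory(10000)))    # (10001, 10000)
    print(cas_ldif(10000))
```

The naive path hands out 10000 twice and leaves the counter at 10001 even though two accounts were created; the compare-and-swap path sees its delete fail, re-reads and takes 10001. Nothing in this stops an administrator setting uidNumber by hand to a value below the counter, which is the point made above: the directory enforces no uniqueness on uidNumber or gidNumber, so this only closes the race between cooperating scripts.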
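Andrew's contrast between idmap_rid and idmap_ad above, as an added example that is not Samba code: a model of what idmap_rid computes (per idmap_rid(8), ID = RID - BASE_RID + LOW_RANGE_ID), which gives a SID one number usable as either UID or GID, next to a model of a lookup that reads uidNumber and gidNumber as separate attributes, where a number is a UID or a GID depending on which attribute it came from. The domain SID, range and sample entries are constructed for the example.

```python
# Added example (not Samba code): idmap_rid arithmetic versus an
# idmap_ad-style split between uidNumber and gidNumber.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class RidMap:
    """Model of 'idmap config DOM : backend = rid' with a range."""
    domain_sid: str
    low: int
    high: int
    base_rid: int = 0

    def sid_to_id(self, sid):
        prefix, _, rid = sid.rpartition("-")
        if prefix != self.domain_sid:
            return None                        # not this domain's SID
        id_ = int(rid) - self.base_rid + self.low
        return id_ if self.low <= id_ <= self.high else None

    def id_to_sid(self, id_):
        """Works for any ID in range, whether it is used as UID or GID."""
        if not self.low <= id_ <= self.high:
            return None
        return f"{self.domain_sid}-{id_ - self.low + self.base_rid}"


@dataclass
class AdMap:
    """Model of reading uidNumber from users and gidNumber from groups:
    the two attributes are separate namespaces."""
    uid_of: dict = field(default_factory=dict)   # sid -> uidNumber
    gid_of: dict = field(default_factory=dict)   # sid -> gidNumber

    def uid_to_sid(self, uid):
        return next((s for s, u in self.uid_of.items() if u == uid), None)

    def gid_to_sid(self, gid):
        return next((s for s, g in self.gid_of.items() if g == gid), None)


DOM = "S-1-5-21-1111-2222-3333"          # constructed domain SID
RID = RidMap(DOM, low=10000, high=99999)


def rid_roundtrip(rid):
    """SID -> ID -> SID under idmap_rid."""
    id_ = RID.sid_to_id(f"{DOM}-{rid}")
    return id_, (RID.id_to_sid(id_) if id_ is not None else None)


def file_owned_by_group(st_uid=10512):
    """A file whose owner field holds the ID of Domain Admins (RID 512).
    Under idmap_rid the number maps straight back to the group SID. Under
    the split model it is looked up as a UID, and resolves to whichever
    user happens to carry uidNumber 10512 (constructed: RID 1105)."""
    ad = AdMap(uid_of={f"{DOM}-1105": 10512},
               gid_of={f"{DOM}-512": 10512})
    return RID.id_to_sid(st_uid), ad.uid_to_sid(st_uid)


if __name__ == "__main__":
    print(rid_roundtrip(512))          # (10512, 'S-1-5-21-1111-2222-3333-512')
    print(file_owned_by_group())       # ('...-512', '...-1105')
```

The second tuple element is what Andrew means by "issues when groups start to own files": with uidNumber and gidNumber read as two unrelated spaces there is no way to give one SID a single number that serves as both, so an ID that turns up in the "wrong" field is either unresolvable or resolves to a different principal.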
