samba-tool

[Rowland Penny]

On 09/10/13 20:41, Andrew Bartlett wrote:
> On Wed, 2013-10-09 at 10:01 +0100, Rowland Penny wrote:
>> On 09/10/13 03:56, Andrew Bartlett wrote:
>>> On Sun, 2013-10-06 at 14:16 +0100, Rowland Penny wrote:
>>>
>>>> You then need to add the following ldif.
>>>>
>>>> dn: CN=<username>,CN=Users,DC=example,DC=com
>>>> changetype: modify
>>>> add: msSFU30NisDomain
>>>> msSFU30NisDomain: <your domain>
>>>> -
>>>> add: msSFU30Name
>>>> msSFU30Name: <username>
>>>> -
>>>> add: description
>>>> description: A UNIX user
>>>>
>>>> Once the user is created, 'msSFU30MaxUidNumber' needs to be updated to
>>>> the next number.
>>>>
>>>> Now, having shown how it can be done at the moment, I think that
>>>> samba-tool should be altered to match the way that windows ADUC works
>>>> i.e. change '--uid-number=UID_NUMBER' to a switch 'with-uidNumber', this
>>>> switch would then get the required uidNumber from  'msSFU30MaxUidNumber'
>>>> and add this, along with the required Unix attributes to the user, then
>>>> update 'msSFU30MaxUidNumber'.
>>>>
>>>> Please do not suggest that I do this myself, because to me, python is a
>>>> type of snake ;-)
>>> The issue is that msSFU30MaxUidNumber is not magic in any way in AD, and
>>> so if two scripts or users operate at different ends of the company at
>>> the same time, nothing will prevent allocation of duplicate UID values.
>> ER, what happened to samba4 behaving just like windows,
>> msSFU30MaxUidNumber is not something I came up with, it is something
>> Microsoft did and it is used by ADUC.
>>
>>
>>> ID mapping is hard.
>> Your not kidding, and it is not helped by everybody doing something
>> different, there needs to be a standard.
>>
>>>    
>>>
>>> The best solution I've seen, but we still have not implemented is to use
>>> trustPosixOffset on each trusted domain, which is allocated on the
>>> naming master (in Windows AD, Samba doesn't know about it yet), and so
>>> would be unique we combined with an enhanced idmap_rid.
>> Now I know nothing, but I think that Microsoft expects
>> msSFU30MaxUidNumber to be used with msSFU30NisDomain to give an unique
>> name/number.
> Sadly no constraints are implemented on the AD side to ensure this.  It
> is entirely up to the administrator to ensure the dangerous situation
> with duplicate UID or GID values does not happen.
Yes but this is the way windows works
>
> The issue with putting this behaviour in samba-tool is that samba-tool
> is often scripted, while the GUI not prone to this issue.  Scripted
> tools are much more prone to races, and so we must be even more
> circumspect with regards to duplicate allocations.
Wow, have you never googled on msSFU30MaxUidNumber and powershell, c#, 
vbscript et al, there are loads of entries. Also I think that you have 
more chance of getting duplicate allocations if you have to remember 
what last uidNumber you used.

Rowland

>
>> I also personally think that idmap_rid should be put out to
>> pasture and only idmap_ad used. This would then pull the info from the
>> AD database, be this a windows server or a samba 4 one.
> There are a number of issues here.  idmap_rid allows us to allocate a
> UID and GID a SID, in an automatic and safe manner (provided they are in
> particular ranges).
>
> If we use idmap_ad, we have no method to implement IDMAP_BOTH at the
> moment, because we read uidNumber as only a UID and gidNumber as only a
> GID.  This creates issues when groups start to own files, or when users
> become SIDs in a sidHistory attribute.
>
> Andrew Bartlett
>