wellknown and uid/gid interactions on multi DC samba AD domain

Daniele Dario d.dario76 at gmail.com
Wed May 14 04:23:51 MDT 2014



On mar, 2014-05-13 at 17:45 +0200, steve wrote:
> On Tue, 2014-05-13 at 17:14 +0200, Daniele Dario wrote:
> > Hi Steve,
> > 
> > On mar, 2014-05-13 at 16:48 +0200, steve wrote:
> > > On Tue, 2014-05-13 at 16:21 +0200, Daniele Dario wrote:
> > > 
> > > > Now I'd try again so can somebody address me on the right way to proceed
> > > > or suggest alternative ways to backup data?
> > > > 
> > > > Which would be the objects to "posixify"?
> > > Add uidNumber and gidNumber to all your users. Add gidNumber to Domain
> > > Users and any other domain groups that your users are members of. There
> > > is no need to add posixAccount or posixGroup classes unless you need
> > > them.
> > > 
> > > > Only users/groups I created on the domain?
> > > No.
> > > 
> > > > Also machine accounts have to be posixified?
> > > No.
> > > 
> > > > Is there a way to be sure to avoid overlappings?
> > > Yes. Do:
> > > getent passwd 
> > > look at the highest uid you get. Here, I'm 1000:
> > > steve:x:1000:100::/home/steve:/bin/bash
> > > 
> > > The AD uids start at 10000 for 2307 schema setups where you provisioned with --use-rfc2307. Samba4 maps from 3000000 upwards. We use the latter range for our user uidNumbers.
> > > For groups, choose a gidNumber which helps with recognition. We use 20513 for Domain Users for example.
> > > 
> > > If you add local users to any DC, make sure that you allocate a uid below either 10000 or 3000000.
> > > Good luck this time around
> > > Steve
> > > 
> > > 
> > 
> > thanks for the tips.
> > Can you please clarify what "add uidNumber and gidNumber" means ...?
> > How do I do that? Is there a specific command (samba-tool or something
> > like that) or do I use ldbmodify? Where can I find some example?
> 
> You can use the UNIX tab in ADUC, ldbmodify or ldbedit.
> ldbmodify is quicker once you have a template ldif and it works for
> groups too. If you have only a few users, go for ldbedit. You can choose
> your own editor too if you don't like vi. Oh and DON'T edit or add to
> entries directly. Point the edits at sam.ldb
> 
> > 
> > Then can you make an example for uids having this from getent passwd
> > 
> > myadmin:x:1000:1000:myadmin,,,:/home/myadmin:/bin/bash
> > ...
> > SAITEL\Administrator:*:0:100::/home/SAITEL/Administrator:/bin/bash
> > SAITEL\Guest:*:3000002:3000003::/home/SAITEL/Guest:/bin/bash
> > SAITEL\krbtgt:*:3000027:100::/home/SAITEL/krbtgt:/bin/bash
> > 
> Assuming that these are the values that you have added to the directory
> yourself then this looks fine except that I wouldn't want a windows
> domain administrator having root access on my DC!
> 
> If these are winbind mappings then you'll have to add them as uidNumber
> and gidNumber yourself. Retain the numbers.
> 
> > and getent groups
> > 
> > myadmin:x:1000:
> > ...
> > SAITEL\Enterprise Read-Only Domain Controllers:*:3000042:
> > SAITEL\Domain Admins:*:3000011:
> > SAITEL\Domain Users:*:100:
> > 
> Yeah. Also OK. I'd move Domain Users away from 100. Again, it looks as
> though these are winbind mappings. Add them to the groups as gidNumber.
> 
> > Thanks for your kind help,
> > Daniele.
> > 
> 
> 
Hello Steve,
thanks for your help.

I added the gidNumber: nnnn to all groups listed with getent group | grep
SAITEL (except for Domain Controllers, because it seems to be a
container and not a group, am I right?).
Then I also updated all my users with uidNumber and gidNumber (I added
only the gidNumber of Domain Users to every account).

Now as you said the uids/gids are the same on the 2 DCs so again thanks.

I have a question about the sysvol: I noticed that the group of the
sysvol folder is different on the two DCs.
On the 1st DC (4.1.0):
[root at kdc01:locks]# ls -n sysvol/
total 8
drwxrwx---+ 4 0 4 4096 Sep 24  2012 saitel.loc

On the 2nd DC (4.1.7):
[root at kdc03:locks]# ls -n sysvol/
total 8
drwxrwx---+ 4 0 3000000 4096 May  8 16:18 saitel.loc

[root at kdc03:locks]# wbinfo -G 3000000
S-1-5-32-544
[root at kdc03:locks]# wbinfo -s S-1-5-32-544
BUILTIN\Administrators 4

If I read it correctly, BUILTIN\Administrators should be mapped as 4,
the same as on the other one.

Did I forget something?

Regards,
Daniele.
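As an added example (not from the thread, and not Samba's own tooling): a small POSIX shell check that applies Steve's advice to getent-style output, flagging a domain account mapped to uid 0, domain groups or users sitting in the local id range, and ids shared by two entries, plus a helper that prints the ldbmodify LDIF used to set uidNumber/gidNumber. The domain name, the DN, the sample lines and the 10000 boundary between local and domain ids are constructed assumptions.

```shell
#!/bin/sh
# Constructed sample of `getent passwd` / `getent group` output, modelled on the thread.
SAMPLE_PASSWD='myadmin:x:1000:1000:myadmin,,,:/home/myadmin:/bin/bash
SAITEL\Administrator:*:0:100::/home/SAITEL/Administrator:/bin/bash
SAITEL\Guest:*:3000002:3000003::/home/SAITEL/Guest:/bin/bash
SAITEL\krbtgt:*:3000027:100::/home/SAITEL/krbtgt:/bin/bash'
SAMPLE_GROUP='myadmin:x:1000:
users:x:100:
SAITEL\Domain Admins:*:3000011:
SAITEL\Domain Users:*:100:'

# Assumption: ids below this value belong to local accounts on the DC.
LOCAL_MAX=10000

# check_ids DOMAIN PASSWD_TEXT GROUP_TEXT
# Prints one finding per line; returns 1 if anything was found, 0 if clean.
check_ids() {
  domain=$1; passwd=$2; group=$3
  findings=$(
    printf '%s\n' "$passwd" | awk -F: -v d="$domain" -v max="$LOCAL_MAX" '
      index($1, d "\\") == 1 && $3 == 0 { print "domain account " $1 " is mapped to uid 0 (root)" }
      index($1, d "\\") == 1 && $3 != 0 && $3 < max { print "domain account " $1 " uid " $3 " lies in the local range" }
      { n[$3]++; who[$3] = who[$3] ";" $1 }
      END { for (u in n) if (n[u] > 1) print "uid " u " is shared by" who[u] }'
    printf '%s\n' "$group" | awk -F: -v d="$domain" -v max="$LOCAL_MAX" '
      index($1, d "\\") == 1 && $3 < max { print "domain group " $1 " gid " $3 " lies in the local range" }
      { n[$3]++; who[$3] = who[$3] ";" $1 }
      END { for (g in n) if (n[g] > 1) print "gid " g " is shared by" who[g] }'
  )
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"
  return 1
}

# make_ldif DN UIDNUMBER GIDNUMBER
# Prints an LDIF modify record suitable for: ldbmodify -H /path/to/sam.ldb file.ldif
# (hypothetical DN; use "replace:" instead of "add:" if the attributes already exist).
make_ldif() {
  printf 'dn: %s\nchangetype: modify\nadd: uidNumber\nuidNumber: %s\n-\nadd: gidNumber\ngidNumber: %s\n' "$1" "$2" "$3"
}

# Running the check on the sample reports Administrator at uid 0 and Domain Users colliding with gid 100.
check_ids SAITEL "$SAMPLE_PASSWD" "$SAMPLE_GROUP"
```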