wellknown and uid/gid interactions on multi DC samba AD domain

Rowland Penny repenny241155 at gmail.com
Wed May 14 05:32:50 MDT 2014 

On 14/05/14 11:23, Daniele Dario wrote:
>
> On mar, 2014-05-13 at 17:45 +0200, steve wrote:
>> On Tue, 2014-05-13 at 17:14 +0200, Daniele Dario wrote:
>>> Hi Steve,
>>>
>>> On mar, 2014-05-13 at 16:48 +0200, steve wrote:
>>>> On Tue, 2014-05-13 at 16:21 +0200, Daniele Dario wrote:
>>>>
>>>>> Now I'd try again so can somebody address me on the right way to proceed
>>>>> or suggest alternative ways to backup data?
>>>>>
>>>>> Which would be the objects to "posixify"?
>>>> Add uidNumber and gidNumber to all your users. Add gidNumber to Domain
>>>> Users and any other domain groups that your users are members of. There
>>>> is no need to add posixAccount or posixGroup classes unless you need
>>>> them.
>>>>
>>>>> Only users/groups I created on the domain?
>>>> No.
>>>>
>>>>> Also machine accounts have to be posixified?
>>>> No.
>>>>
>>>>> Is there a way to be sure to avoid overlappings?
>>>> Yes. Do:
>>>> getent passwd
>>>> look at the highest uid you get. Here, I'm 1000:
>>>> steve:x:1000:100::/home/steve:/bin/bash
>>>>
>>>> The AD uids start at 10000 for 2307 schema setups where you provisioned with --use-rfc2307. Samba4 map from 3000000 upwards. We use the latter range for our user uidNumbers.
>>>> For groups, choose a gidNumber which helps with recognition. We use 20513 for Domain Users for example.
>>>>
>>>> If you add local users to any DC, make sure that you allocate a uid below either 10000 or 3000000.
>>>> Good luck this time around
>>>> Steve
>>>>
>>>>
>>> thanks for the tips.
>>> Can you please clarify what does "add uidNumber and gidNumber" ...?
>>> How do I do that? Is there a specific command (samba-tool or something
>>> like that) or do I use ldbmodify? Where can I find some example?
>> You can use the UNIX tab in ADUC, ldbmodify or ldbedit.
>> ldbmodify is quicker once you have a template ldif and it works for
>> groups too. If you have only a few users, go for ldbedit. You can choose
>> your own editor too if you don't like vi. Oh and DON'T edit or add to
>> entries directly. Point the edits at sam.ldb
>>
>>> Than can you make an example for uids having this from getent passwd
>>>
>>> myadmin:x:1000:1000:myadmin,,,:/home/myadmin:/bin/bash
>>> ...
>>> SAITEL\Administrator:*:0:100::/home/SAITEL/Administrator:/bin/bash
>>> SAITEL\Guest:*:3000002:3000003::/home/SAITEL/Guest:/bin/bash
>>> SAITEL\krbtgt:*:3000027:100::/home/SAITEL/krbtgt:/bin/bash
>>>
>> Assuming that these are the values that you have added to the directory
>> yourself then this looks fine except that I wouldn't want a windows
>> domain administrator having root access on my DC!
>>
>> If these are winbind mappings then you'll have to add them as uidNumber
>> and gidNumber yourself. Retain the numbers.
>>
>>> and getent groups
>>>
>>> myadmin:x:1000:
>>> ...
>>> SAITEL\Enterprise Read-Only Domain Controllers:*:3000042:
>>> SAITEL\Domain Admins:*:3000011:
>>> SAITEL\Domain Users:*:100:
>>>
>> Yeah. Also OK. I'd move Domain Users away from 100. Again, it looks as
>> though these are winbind mappings. Add them to the groups as gidNumber.
>>
>>> Thanks for your kind help,
>>> Daniele.
>>>
>>
> Hello Steve,
> thanks for you help.
>
> I added to all groups listed with getent group | grep SAITEL the
> gidNumber: nnnn (except for Domain Controllers because it seems to be a
> container and not a group am I right?).
> Than I also updated all my users with uidNumber and gidNumber (I added
> only the gidNumber of Domain Users to every account).
>
> Now as you said the uids/gids are the same on the 2 DCs so again thanks.
>
> I have a question about the sysvol: I noticed that the group of the
> sysvol folder is different on the two DCs.
> On the 1st DC (4.1.0):
> [root at kdc01:locks]# ls -n sysvol/
> total 8
> drwxrwx---+ 4 0 4 4096 Sep 24  2012 saitel.loc
>
> On the 2nd DC (4.1.7):
> [root at kdc03:locks]# ls -n sysvol/
> total 8
> drwxrwx---+ 4 0 3000000 4096 May  8 16:18 saitel.loc
>
> [root at kdc03:locks]# wbinfo -G 3000000
> S-1-5-32-544
> [root at kdc03:locks]# wbinfo -s S-1-5-32-544
> BUILTIN\Administrators 4
>
> If I read it correctly BUILTIN\Administrators should be mapped as 4 so
> same as on the other one.
>
> Did I forgot something?
>
> Regards,
> Daniele.
>
Hi, you never posted just what distro you are using (or if you did, I 
missed it), but mapping Administrators to '4' is not a good idea, I 
learnt the hard way with 'Domain Users' !!

On Debian based distro's '4' is the adm group, so mapping to this, would 
seem a good idea, but not when you really start to think about it. If 
you use winbind with the 'ad' backend you will have to set the domain 
range to start at '0' to pull these low end users/groups, not a good idea.

I do not recommend mapping the majority of windows groups with 
gidNumber's, except for Domain Users & Domain Admins, and I would also 
suggest that you decide on just where your range is going to start 
(4000001 is a good place) then map the two windows groups to the start 
of this range.

Rowland

More information about the samba-technical mailing list