[Samba] Security = ADS and uidnumbers

Jonathan Buzzard jonathan at buzzard.me.uk
Wed Jun 5 16:13:24 MDT 2013

On 05/06/13 17:56, steve wrote:
> On Wed, 2013-06-05 at 16:22 +0100, Jonathan Buzzard wrote:
>> On Wed, 2013-06-05 at 15:42 +0100, Rowland Penny wrote:
>>> I never said that I couldn't get it to work, I just said that it is
>>> just too complicated. Yes I can read and there was no need to get
>>> personal
>> You said you gave up because it was too complicated. Also if you are
>> setting up a Samba file server and need UID/GID to SID mappings the only
>> supported option is Winbind if sssd works at all.
> Hi
> Why don't we simply store the uid in the directory along with everything
> else concerning the user? Why store that information somewhere else?

You do store the UID in the directory along with everything else. You 
just need some way of looking it up.

> All the OP wants is consistent uidNumbers.

Actually that is not clear. They want consistent UIDs on a machine that 
is running Samba, which complicates things because it might mean they 
want consistent and secure SID to UID mapping as well as consistent UIDs.

> The only way I know how to do
> that is to store the uidNumber in the DN of the object. All DC's pull
> the same attribute at all times. Forget idmap ranges. You can use
> winbind to do that and prolly pull stuff from AD too. However, those of
> us who have tried alternatives for pulling rfc2307 from AD find the
> alternatives easier to install and configure. Anyone who has tried sssd
> is unlikely to return to winbind.

Really, don't think so.

> It also has the advantage that it
> works fully on a S4 DC, not just for uid and gid but for the whole of
> rfc2307. For good measure, it throws in dynamic dns updates for fwd and
> reverse zones. For free.

Your file servers have dynamic DNS!!!

> sssd does what it says on the tin. With winbind, there are too many
> different tins;)

As far as I can tell sssd does not provide a mechanism for the smbd on 
at least 3.5 (the 4.x series might be different but the OP is running 
3.6) to see an incoming SID and work out the UID. Why would it? A SID is 
an entirely Windows concept and sssd is a Linux/Unix thing. Samba 3.x 
requires, as far as I have been able to tell, a running winbind or bad 
things happen.

The reason for the ranges, which is why winbind is better than sssd for 
a Samba file server, is that Samba has some builtin SIDs that it needs 
to assign UIDs/GIDs to. With winbind you can make sure that these don't 
incorrectly overlap, which would be a security issue. With sssd you 
can't. In fact if you have more than one AD domain in a forest then sssd 
is probably not a good idea anyway.

Now if you have a random Linux box that is not acting as a Samba file 
server then by all means use sssd. But this is a Samba mailing list and 
presumably the majority of people are trying to get a Samba file server 
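The non-overlapping idmap ranges discussed above, checked mechanically. This is an added example and not part of the mailing list message: a Python script that parses the `idmap config <DOMAIN> : range` lines of an smb.conf and reports any ranges that overlap, or a missing default (`*`) range for the builtin/well-known SIDs. The domain name EXAMPLE and the range values in the two sample configs are constructed.

```python
import re
from itertools import combinations

# Matches "idmap config <DOMAIN> : range = <low>-<high>" as written in smb.conf
# (case-insensitive, spaces around '-' allowed).
_RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+)\s*:\s*range\s*=\s*"
    r"(?P<low>\d+)\s*-\s*(?P<high>\d+)\s*$",
    re.IGNORECASE,
)

def parse_idmap_ranges(conf_text):
    """Return {DOMAIN: (low, high)} for every idmap range in an smb.conf text."""
    ranges = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):  # smb.conf comment lines
            continue
        m = _RANGE_RE.match(line)
        if m:
            low, high = int(m.group("low")), int(m.group("high"))
            if low > high:
                raise ValueError(f"inverted range for {m.group('dom')}: {low}-{high}")
            ranges[m.group("dom").upper()] = (low, high)
    return ranges

def find_overlaps(ranges):
    """Return sorted (dom_a, dom_b) pairs whose ranges share at least one id."""
    overlaps = []
    for (a, (a_lo, a_hi)), (b, (b_lo, b_hi)) in combinations(sorted(ranges.items()), 2):
        if a_lo <= b_hi and b_lo <= a_hi:  # closed intervals intersect
            overlaps.append((a, b))
    return overlaps

def check_conf(conf_text):
    """Return a list of problems; an empty list means the ranges look sane."""
    ranges = parse_idmap_ranges(conf_text)
    problems = []
    if "*" not in ranges:
        problems.append("no 'idmap config * : range' for BUILTIN/well-known SIDs")
    for a, b in find_overlaps(ranges):
        problems.append(f"range overlap between '{a}' and '{b}'")
    return problems

# Constructed sample: the domain range starts inside the default range.
BAD_CONF = """[global]
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE : range = 5000-999999
"""
# Constructed sample: same config with the domain range moved clear of '*'.
GOOD_CONF = BAD_CONF.replace("5000-999999", "10000-999999")
```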