[Samba] Security = ADS and uidnumbers

steve steve at steve-ss.com
Thu Jun 6 01:49:24 MDT 2013

On Wed, 2013-06-05 at 23:13 +0100, Jonathan Buzzard wrote:
> On 05/06/13 17:56, steve wrote:
> > On Wed, 2013-06-05 at 16:22 +0100, Jonathan Buzzard wrote:
> >> On Wed, 2013-06-05 at 15:42 +0100, Rowland Penny wrote:
> >>>
> >>> I never said that I couldn't get it to work, I just said that it is
> >>> just too complicated. Yes I can read and there was no need to get
> >>> personal
> >>>
> >>
> >> You said you gave up because it was too complicated. Also if you are
> >> setting up a Samba file server and need UID/GID to SID mappings the only
> >> supported option is Winbind if sssd works at all.
> >
> > Hi
> > Why don't we simply store the uid in the directory along with everything
> > else concerning the user? Why store that information somewhere else?
> >
> You do store the UID in the directory along with everything else. You 
> just need some way of looking it up.

No, it doesn't. Unless you intervene and force them into the directory
yourself, it stores them separately. Try it. Add a user using samba-tool
user. Then ldbsearch him.

> > All the OP wants is consistent uidNumbers.
> Actually that is not clear. They want consistent UID's on a machine that 
> is running Samba which complicates things because it might mean they 
> want consistent and secure SID to UID mapping as well as consistent UID's.

I think we all need a sid that is glued to a uid. How would we work with
a user having uid x one session, and then having uid y the next session?
I've missed something I know. I'm not a theorist nor coder.
> > Anyone who has tried sssd is unlikely to return to winbind.
> Really, don't think so.
Then you can't have tried it.
> > It also has the advantage that it
> > works fully on a S4 DC, not just for uid and gid but for the whole of
> > rfc2307. For good measure, it throws in dynamic dns updates for fwd and
> > reverse zones. For free.
> Your file servers have dynamic DNS!!!
No, but our Linux clients do. Luxury on just one line of a config file.
> > sssd does what it says on the tin. With winbind, there are too many
> > different tins;)

> The reason for the ranges, which is why winbind is better than sssd for 
> a Samba file server is that Samba has some builtin SID's that it needs 
> to assign UID/GID's to. With winbind you can make sure that these don't 
> incorrectly overlap which would be a security issue.

There are a few built-in sids which remain in the idmap database. I
can't see any reason why they couldn't be put in the directory too. If
you take the same xid which is assigned to the sid when the domain is
provisioned, how could there be overlap? I've mentioned the counter object
in idmap which takes care of unique xids.
