[Samba] Samba 4 two DCs no matching UID/GID
Rowland Penny
rowlandpenny at googlemail.com
Sat Dec 13 14:33:01 MST 2014
On 13/12/14 20:13, Tim wrote:
> The reason why is that simple: the other admin only knows the windows
> world and that's why it's gonna be risky regarding file services when
> he creates new users or groups and forgets about the Unix tab.
>
> My personal hope is that samba will one day set rfc ids automatically
> so that these windows guys won't have to care. E.g. it could be an
> option when provisioning a new domain.
I don't think that is ever going to happen.
> It would make decisions easier to migrate from M$ AD.
> Just my 2 cents...
>
> Regarding msSFUMaxGidNumber: The script first reads it, counts +1 and
> then writes this back after setting it. So I think it isn't that wrong.
>
It is if your windows guy does create a user in ADUC and then adds the
rfc attributes via the UNIX_Attributes tab.
Rowland
> On 13 December 2014 20:43:34 CET, Rowland Penny
> <rowlandpenny at googlemail.com> wrote:
>
> On 13/12/14 18:24, rintimtim at gmx.net wrote:
>> Here you are my working script for setting gidNumbers. You're
>> welcome to verify.
>> WARNING: I'm not responsible for any damage. Use and test at your
>> own risk. Variables must be set correctly!
>> # Groups
>> # Every group whose winbind-allocated gid is above maxGid has no
>> # rfc2307 gidNumber yet and gets one allocated from msSFU30MaxGidNumber.
>> # Group names are used as-is in filters and file names, so wbinfo -g
>> # must print them without a DOMAIN\ prefix.
>> maxGid=40000
>> pathTmpFiles="/root"
>> domain="example"
>> domainDNappendix="DC=example,DC=com"
>> groupsBaseDN="OU=Subgroups,OU=Groups,$domainDNappendix"
>> samldb="/var/lib/samba/private/sam.ldb"
>> ypDN="CN=$domain,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,$domainDNappendix"
>> wbinfo -g > "$pathTmpFiles/ad-groups"
>> # group:gid for every group winbind knows about
>> while read -r gid1
>> do
>>     echo "$gid1:$(wbinfo --group-info "$gid1" | cut -d: -f3)"
>> done < "$pathTmpFiles/ad-groups" > "$pathTmpFiles/ad-groups-gid"
>> # keep only the groups whose gid is still in the winbind-allocated range
>> awk -F : -v maxGid="$maxGid" '$2>maxGid' "$pathTmpFiles/ad-groups-gid" \
>>     > "$pathTmpFiles/ad-groups-gid-change"
>> if [ ! -s "$pathTmpFiles/ad-groups-gid-change" ]
>> then
>>     #Clean-Up
>>     rm -f "$pathTmpFiles/ad-groups" "$pathTmpFiles/ad-groups-gid" \
>>         "$pathTmpFiles/ad-groups-gid-change"
>>     exit 0
>> fi
>> # current msSFU30MaxGidNumber (strip the blank after the colon)
>> setGid=$(ldbsearch -H "$samldb" -b "$ypDN" -s base msSFU30MaxGidNumber \
>>     | grep -i '^msSFU30MaxGidNumber:' | cut -d: -f2 | tr -d ' ')
>> while read -r gid3
>> do
>>     setGid=$((setGid+1))
>>     group=$(echo "$gid3" | cut -d: -f1)
>>     ldif="$pathTmpFiles/AD-gid-$group.ldif"
>>     # LDIF: dn of the group, then replace its gidNumber
>>     ldbsearch -H "$samldb" -b "$groupsBaseDN" "(cn=$group)" dn \
>>         | grep -i '^dn:' > "$ldif"
>>     echo "changetype: modify" >> "$ldif"
>>     echo "replace: gidNumber" >> "$ldif"
>>     echo "gidNumber: $setGid" >> "$ldif"
>>     ldbmodify -H "$samldb" "$ldif"
>>     rm -f "$ldif"
>> done < "$pathTmpFiles/ad-groups-gid-change"
>> # Increase msSFU30MaxGidNumber: written back as the last number handed
>> # out; the next run adds 1 before using it
>> ldif="$pathTmpFiles/setMsSFU30MaxGidNumber.ldif"
>> echo "dn: $ypDN" > "$ldif"
>> echo "changetype: modify" >> "$ldif"
>> echo "replace: msSFU30MaxGidNumber" >> "$ldif"
>> echo "msSFU30MaxGidNumber: $setGid" >> "$ldif"
>> ldbmodify -H "$samldb" "$ldif"
>> #Clean-Up
>> rm -f "$pathTmpFiles/ad-groups" "$pathTmpFiles/ad-groups-gid" \
>>     "$pathTmpFiles/ad-groups-gid-change" "$ldif"
>> Cron could do this job every minute. A script for uidNumbers
>> would be similar.
>> Regards
>> Tim
>> *Sent:* Saturday, 13 December 2014 at 10:54
>> *From:* "Rowland Penny" <rowlandpenny at googlemail.com>
>> *To:* Tim <rintimtim at gmx.net>, samba at lists.samba.org
>> *Subject:* Re: [Samba] Samba 4 two DCs no matching UID/GID
>> On 12/12/14 22:08, Tim wrote:
>>
>> Why only Domain Users and Domain Admins? I can't follow.
>>
>>
>> Because they are the only two windows groups that you are likely
>> to need on a Unix machine.
>>
>> But a good idea you've had. So a script can possibly be run
>> on every DC the same. I will check and verify.
>>
>>
>> Don't bother, been there, doing that.
>>
>>
>> What about built-in objects like system? These are not
>> available in ADUC if my memory doesn't fail now.
>>
>>
>> That is what idmap.ldb is for!!!
>>
>> Will there be a problem when other built-in objects get a rfc
>> gid/uid. E.g. for now wbinfo resolves uid 0 for administrator.
>>
>>
>> Other built-in objects do not need a rfc gid/uid and
>> Administrator gets mapped to root by, you guessed it, idmap.ldb
>>
>> Rowland
>>
>> On 12 December 2014 22:19:45 CET, Rowland Penny
>> <rowlandpenny at googlemail.com> wrote:
>>
>> On 12/12/14 20:31, Tim wrote:
>>
>> My idea is similar. Today I didn't have the time to go
>> on. But this is my concept and it works with a short
>> script (example for groups):
>> DC1 (schema master): for loop on wbinfo -g; check if
>> rfc2307 info is null for these groups in AD (ldbsearch);
>> when rfc2307 gid is equal to wbinfo --group-info | cut -d: -f3
>> then exit, else update rfc2307 info by importing the created
>> ldif file (ldbmodify)
>>
>> You only really need to give Domain Users & Domain Admins
>> a gidNumber, also you just need to check if the group has
>> a gidNumber and if it doesn't, update the group by adding
>> the next available gidNumber. The same goes for a user. I
>> also told you where AD normally stores the next uidNumber
>> & gidNumber.
>>
>> Rowland
>>
>> To get this faster an extra file with set rfc2307
>> gids will be needed and needs to be updated. For
>> failover reasons idmap.ldb should be synced to
>> secondary DCs or if possible its max gid number
>> should be updated on secondary DCs.
>>
>> Regards
>> Tim
>>
>> On 12 December 2014 10:19:07 CET, steve
>> <steve at steve-ss.com> wrote:
>>
>> On 12/12/14 07:10, Tim wrote:
>>
>> On 11 December 2014 23:25:58 CET, steve
>> <steve at steve-ss.com> wrote:
>>
>> On 11/12/14 23:15, Tim wrote:
>>
>> Thanks Steve, I will have a look at
>> it. I think it's important to sync the
>> idmap.ldb limits
>>
>> It isn't important. The limits are the
>> same on all DCs, even if you have not
>> copied the idmap database anywhere else.
>> All you need to do is write the uidNumber
>> and the gidNumber to the DN of your new
>> users and groups.
>>
>> There are many ways of keeping track of
>> what-the-next-uidNumber-should-be, which
>> I think is your real problem.
>>
>> Can you give an example? Sounds interesting
>> and would really help.
>>
>> One way. Turn on enumeration. getent passwd and
>> redirect to a file. Read each line, cut the 3rd
>> field (':' is the delimiter) and append to a
>> second file. Find the biggest number and then add
>> 1. There are as many ways as people using
>> rfc2307...
>> HTH
>> Steve
>>
>
> OK, you could do that, but why??
>
> Why don't you just set msSFU30MaxUidNumber & msSFU30MaxGidNumber
> to your start number, then create users & groups in ADUC and then
> go to the UNIX_Attributes tab and add the number there. that way
> you don't have to use cron.
>
> By the way, the contents of 'msSFU30MaxGidNumber' **is** the next
> number, you shouldn't add one to it before you use it, you should
> add one to it before you replace it.
>
> Rowland
>
>
>
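The two allocation rules debated in this thread, as an added example that is not part of any message above and not Samba project code. allocate_gids() follows Rowland's statement that msSFU30MaxGidNumber already holds the next free number: the current value is handed to the first group that lacks a gidNumber and the counter is rewritten to last_used + 1. next_id_from_getent() is Steve's alternative of scanning getent output for the highest id and adding 1. The ldbsearch-style dump, the group DNs and the ypservers DN (built from the thread's domain "example") are constructed for the example; on a real DC the dump would come from ldbsearch against sam.ldb and the emitted LDIF would be fed to ldbmodify.

```python
"""Allocate rfc2307 gidNumbers for AD groups that still lack one.

Added example, not code from the thread.  Input is a constructed
ldbsearch-style dump; in real use it would be the output of something like
    ldbsearch -H /var/lib/samba/private/sam.ldb -b OU=Groups,DC=example,DC=com \
        '(objectClass=group)' cn gidNumber
and the LDIF produced here would be piped into ldbmodify -H .../sam.ldb.
"""

# Constructed sample imitating ldbsearch output.  Only "Domain Users" already
# carries a gidNumber; the other two groups need one.
SAMPLE_DUMP = """\
# record 1
dn: CN=Domain Users,CN=Users,DC=example,DC=com
cn: Domain Users
gidNumber: 10001

# record 2
dn: CN=Domain Admins,CN=Users,DC=example,DC=com
cn: Domain Admins

# record 3
dn: CN=finance,OU=Subgroups,OU=Groups,DC=example,DC=com
cn: finance

# returned 3 records
"""

# DN of the SFU30 counters, using the thread's domain name "example" (assumed).
YP_DN = ("CN=example,CN=ypservers,CN=ypServ30,CN=RpcServices,"
         "CN=System,DC=example,DC=com")


def parse_ldbsearch(dump):
    """Turn ldbsearch/LDIF text into a list of {attribute: [values]} dicts."""
    entries, current = [], {}
    for line in dump.splitlines():
        if line.startswith("#"):          # ldbsearch comment lines
            continue
        if not line.strip():              # a blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def allocate_gids(dump, max_gid_number, yp_dn=YP_DN):
    """Return (ldif_text, new_max).

    max_gid_number is the current msSFU30MaxGidNumber and is used unchanged
    for the first allocation.  new_max is the value written back, so that the
    next run (or an admin in ADUC's UNIX Attributes tab) cannot reuse a number.
    """
    next_gid = int(max_gid_number)
    ops = []
    for entry in parse_ldbsearch(dump):
        if "gidNumber" in entry:          # already has rfc2307 info, leave it
            continue
        # 'add' rather than 'replace': gidNumber is single-valued, so if it
        # appeared in the meantime (other DC, other admin) ldbmodify fails
        # instead of silently overwriting the existing mapping.
        ops.append(
            f"dn: {entry['dn'][0]}\nchangetype: modify\n"
            f"add: gidNumber\ngidNumber: {next_gid}\n"
        )
        next_gid += 1
    if ops:
        # Reserve the range before handing numbers out: if the run dies
        # half-way, skipped numbers are harmless, a reused gidNumber is not.
        ops.insert(0,
            f"dn: {yp_dn}\nchangetype: modify\n"
            f"replace: msSFU30MaxGidNumber\nmsSFU30MaxGidNumber: {next_gid}\n"
        )
    return "\n".join(ops), next_gid


def next_id_from_getent(text, field=2):
    """Highest numeric id in getent passwd/group output plus one.

    Field 2 is the uid in passwd lines and the gid in group lines.
    """
    ids = [int(line.split(":")[field])
           for line in text.splitlines() if line.strip()]
    return max(ids) + 1


if __name__ == "__main__":
    ldif, new_max = allocate_gids(SAMPLE_DUMP, 40000)
    print(ldif)
    print("next free gidNumber after this run:", new_max)
```

The counter update is emitted first on purpose: a crash after reserving but before assigning only wastes a few numbers, whereas a crash after assigning but before updating the counter would let the next run (or the Windows admin in the UNIX Attributes tab) hand the same gidNumber to a second group, which is exactly the file-permission mix-up the thread is trying to avoid. Because the getent variant only sees ids that already resolve through winbind, it cannot reserve anything and two DCs running it independently can collide; the msSFU30MaxGidNumber counter lives in the replicated directory, so it does not have that problem.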