[Samba] samba member logon.. question.

L.P.H. van Belle belle at bazuin.nl
Thu Apr 9 05:47:33 MDT 2015


Well, I was thinking about the following..

AD backend: 
member1 = fileserver with only company data. Linux and Windows users.
member4 = database server with Linux and Windows users, NFS-Kerberos connected with member1. 
member5 = web server with Linux and Windows users, NFS-Kerberos connected with member1. (no external web server, only internal)

RID backend: 
member2 = profiles and user folders. Windows-only users and a Linux administrator user. 
member3 = print server. Windows users only for printing and a Linux administrator user. 

This way, when you create a user and you forget to set a uid, a Windows user can always log in 
and policies are always set because of the generated uids. Yes, access is denied to member1, that's OK when a uid is forgotten.
No copies of files are made between the member servers (2,3) and (1,4,5) in this case. 

A proxy server can use a rid backend; the proxy server needs a user with a uid, but that can be a different uid.
This increases security imo.

A mail server, depending on the setup, can be rid or ad. 
In my case rid is an option, which also increases security. I don't need/have any homedirs here, all users are virtual here.

And all servers will be using Kerberos auth, and based on the access denied message for a forgotten uid, 
I am making the assumption that I can have different uids/gids here (with Kerberos auth I mean).

Why all of this.. 

I think this will increase security in proxy and mail. Sure, it all depends on your setup,
but if access is gained through a security leak/bug, then the "faulty" uid makes sure no access to files is possible
on the member1 server because of the differences in uid/gid. 

What do you think about this, possible? 
Any thoughts? 

Greetz, 

Louis
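To make the difference between the two backends concrete, here is an added example (not from this thread, and not Samba project code): a small POSIX shell simulation of how a member server configured with `idmap config INTERNAL : backend = ad` and one configured with `backend = rid` resolve the same AD accounts. The smb.conf fragments use real Samba parameters; the user records, SIDs and uidNumber values are constructed for the demo, and the mapping rules are re-implemented here (the 'rid' formula ID = RID - base_rid + low end of range, and the 'ad' requirement that a uidNumber exists inside the range) rather than asked of winbind, so the script runs without a domain.

```shell
#!/bin/sh
# Added example: simulate ID mapping on an 'ad' member and a 'rid' member.
# The AD records below are constructed for the demo; the smb.conf parameter
# names are real, the lookup logic is a stand-in for winbind, not winbind itself.

# Constructed directory contents: sAMAccountName, objectSid, uidNumber ('-' = unset).
AD_USERS='
testuser S-1-5-21-1111-2222-3333-1105 -
louis    S-1-5-21-1111-2222-3333-1104 10042
'

# member1-style config: IDs come only from the RFC2307 attributes stored in AD.
write_ad_member_conf() {
  cat > "$1" <<'EOF'
[global]
   workgroup = INTERNAL
   realm = INTERNAL.DOMAIN.TLD
   security = ADS
   kerberos method = secrets and keytab
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config INTERNAL : backend = ad
   idmap config INTERNAL : schema_mode = rfc2307
   idmap config INTERNAL : range = 10000-999999
   idmap config INTERNAL : unix_nss_info = yes
EOF
}

# member2-style config: IDs are derived from the RID, no attributes needed.
write_rid_member_conf() {
  cat > "$1" <<'EOF'
[global]
   workgroup = INTERNAL
   realm = INTERNAL.DOMAIN.TLD
   security = ADS
   kerberos method = secrets and keytab
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config INTERNAL : backend = rid
   idmap config INTERNAL : range = 10000-999999
   template shell = /bin/bash
   template homedir = /home/%U
EOF
}

# conf_value FILE DOMAIN PARAM: read the value of 'idmap config DOMAIN : PARAM = value'.
conf_value() {
  sed -n "s/^[[:space:]]*idmap config $2[[:space:]]*:[[:space:]]*$3[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# map_uid FILE USER: print the uid this member would assign USER, or UNMAPPED.
# UNMAPPED is the state behind "Username INTERNAL\user is invalid on this system".
map_uid() {
  conf=$1; user=$2
  backend=$(conf_value "$conf" INTERNAL backend)
  range=$(conf_value "$conf" INTERNAL range)
  low=${range%-*}; high=${range#*-}
  rec=$(printf '%s\n' "$AD_USERS" | awk -v u="$user" '$1 == u { print; exit }')
  if [ -z "$rec" ]; then echo UNMAPPED; return 0; fi
  set -- $rec
  sid=$2; uidnumber=$3
  case $backend in
    ad)
      # 'ad': the uidNumber attribute must be present and inside the configured range.
      if [ "$uidnumber" != "-" ] && [ "$uidnumber" -ge "$low" ] && [ "$uidnumber" -le "$high" ]; then
        echo "$uidnumber"; return 0
      fi ;;
    rid)
      # 'rid': ID = RID - base_rid + low end of range; base_rid defaults to 0.
      base_rid=$(conf_value "$conf" INTERNAL base_rid)
      rid=${sid##*-}
      unix_id=$((rid - ${base_rid:-0} + low))
      if [ "$unix_id" -le "$high" ]; then echo "$unix_id"; return 0; fi ;;
  esac
  echo UNMAPPED
}

AD_CONF=$(mktemp); RID_CONF=$(mktemp)
write_ad_member_conf "$AD_CONF"
write_rid_member_conf "$RID_CONF"

# Side by side: the same account as seen by the two kinds of member server.
for u in testuser louis; do
  printf '%-9s member1(ad)=%-9s member2(rid)=%s\n' "$u" \
    "$(map_uid "$AD_CONF" "$u")" "$(map_uid "$RID_CONF" "$u")"
done
```

The output shows the two effects discussed in the thread: `testuser`, created without a uidNumber, is UNMAPPED on the 'ad' member (the Kerberos logon then fails with "Failed to map kerberos principal to system user"), while the 'rid' member hands it a generated uid. The generated number is local to hosts sharing that rid configuration and has no relation to anything stored in AD, which is why member4 and member5, which reach member1's files over kerberized NFS, should use the 'ad' backend so the uids match, and why a rid-derived uid on the proxy or mail host does not line up with file ownership on member1.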




>-----Original Message-----
>From: rowlandpenny at googlemail.com 
>[mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
>Sent: Thursday 9 April 2015 13:17
>To: samba at lists.samba.org
>Subject: Re: [Samba] samba member logon.. question.
>
>On 09/04/15 12:01, L.P.H. van Belle wrote:
>> Ok, thanks, now you say it, logical yes..
>> It also explains more why lots of users have the problem accessing the member servers..
>> can we mix ad and rid...
>I would suppose so, but not on the same machine :-)
>
>Why would you want to though ?
>
>Using the RFC2307 attributes, you will get the same ID number on every 
>Unix machine, whereas if you use the 'rid' backend, whilst you should 
>get the same ID on each Unix machine, you will never get the same ID on 
>an AD DC, in fact without intervention, you will get a different ID on 
>different DCs
>
>If you only have one DC and one member server, then use the member 
>server and use the 'rid' backend, anything other than this, use the 
>RFC2307 attributes and the 'ad' backend.
>
>Rowland
>> Thanks!
>>
>> Louis
>>
>>
>>
>>
>>> -----Original Message-----
>>> From: rowlandpenny at googlemail.com
>>> [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
>>> Sent: Thursday 9 April 2015 12:41
>>> To: samba at lists.samba.org
>>> Subject: Re: [Samba] samba member logon.. question.
>>>
>>> On 09/04/15 09:19, L.P.H. van Belle wrote:
>>>> Hai all,
>>>>    
>>>> I was testing with a member server and I had a small problem.
>>>> I found the solution but I'm just asking why?
>>>> Situation. DC + member server, all is working fine.
>>>> All tests OK, with AD backend!
>>>>    
>>>> Now I set some GPOs and I created a user to test.
>>>> Tested wbinfo -u, worked OK; id user did not work.. but I ignored that.
>>>
>>> Hi Louis, surely if 'id user' didn't work then your user is unknown to
>>> the Unix machine.
>>>
>>>> Now I'm logging in and my PC was complaining the user and
>>>> profiles share was inaccessible.
>>>>    
>>>> i noticed these messages [2015/04/08 16:48:19.967842, 0]
>>> ../source3/librpc/crypto/gse.c:645(gse_unseal)
>>>>     gss_unwrap_iov failed with [ Miscellaneous failure (see
>>> text): unknown mech-code 0 for mech 1 2 840 113554 1 2 2]
>>>>     [2015/04/08 16:48:19.968069, 0]
>>> ../source3/rpc_server/srv_pipe.c:1525(process_request_pdu)
>>>>     
>>>> I increased the logging level on the member to 3 and found
>>> the following messages..
>>>> Found account name from PAC: testuser [T. testuser] Kerberos
>>> ticket principal name is [testuser at INTERNAL.DOMAIN.TLD]
>>>> and now it goes wrong.
>>>>    
>>>> Username INTERNAL\testuser is invalid on this system  ....  uh?
>>> Well yes, the user doesn't exist on the machine.
>>>
>>>> Failed to map kerberos principal to system user
>>> (NT_STATUS_LOGON_FAILURE)
>>>>    
>>>> If you encounter this problem, then give the user a UID and
>>> the problem is solved, I was able to login again and the
>>> message was gone.
>>>
>>> There you go, proof that the user must be known to the machine, you
>>> could also have used the 'rid' backend, this would have
>>> allocated an ID number without one being in AD.
>>>
>>> A Windows user is just a Windows user, unless you do something to make
>>> it known to Unix.
>>>
>>> Rowland
>>>
>>>>    
>>>> Is it obligatory to give your users a uid/gid? Or is this
>>>> backend dependent?
>>>> So what if you want to run your setup with the AD backend but you
>>>> don't want to give all your users a uid/gid.
>>>> Is this possible? Should be imo.
>>>>    
>>>> Greetz,
>>>>    
>>>> Louis
>>> -- 
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>
>>>
>