[Samba] samba member logon.. question.

Rowland Penny rowlandpenny at googlemail.com
Thu Apr 9 06:07:02 MDT 2015


On 09/04/15 12:47, L.P.H. van Belle wrote:
> Well, I was thinking about the following..
>
> AD backend:
> member1 = fileserver with only company data. Linux and Windows users.
> member4 = database server with Linux and Windows users, NFS-Kerberos connected with member1.
> member5 = webserver with Linux and Windows users, NFS-Kerberos connected with member1. (no external web server, only internal)
>
> RID backend:
> member2 = profiles and user folders. Windows-only users and a Linux administrator user.
> member3 = print server. Windows users only for printing and a Linux administrator user.
>
> This way, when you create a user and you forget to set a uid, a Windows user can always log in
> and policies are always applied because of the generated uids. Yes, access is denied to member1; that's OK when a uid has been forgotten.
> No files are copied between the member servers (2,3) and (1,4,5) in this case.
>
> A proxy server can use a rid backend; the proxy server needs a user with a uid, but that can be a different uid.
> This increases security, IMO.
>
> A mail server, depending on the setup, can be rid or ad.
> In my case rid is an option, which also increases security. I don't need/have any homedirs here; all users are virtual.
>
> And all servers will be using Kerberos auth, and based on the access denied message for a forgotten uid,
> I am making the assumption that I can have different uids/gids here (with Kerberos auth, I mean).
>
> Why all of this..
>
> I think this will increase security for proxy and mail. Sure, it all depends on your setup,
> but if access is gained through a security leak/bug, then the "faulty" uid makes sure no access to files is possible
> on the member1 server because of the differences in uid/gid.
>
> What do you think about this, possible?
> Any thoughts?
>
> Greetz,
>
> Louis
>
>
>
>
>> -----Original message-----
>> From: rowlandpenny at googlemail.com
>> [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
>> Sent: Thursday 9 April 2015 13:17
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] samba member logon.. question.
>>
>> On 09/04/15 12:01, L.P.H. van Belle wrote:
>>> OK, thanks; now you say it, logical, yes..
>>> It also explains more why lots of users have the problem
>>> accessing the member servers..
>>> Can we mix ad and rid...
>> I would suppose so, but not on the same machine :-)
>>
>> Why would you want to though ?
>>
>> Using the RFC2307 attributes, you will get the same ID number on every
>> Unix machine, whereas if you use the 'rid' backend, whilst you should
>> get the same ID on each Unix machine, you will never get the same ID on
>> an AD DC; in fact, without intervention, you will get a different ID on
>> different DCs.
>>
>> If you only have one DC and one member server, then use the member
>> server and use the 'rid' backend; for anything other than this, use the
>> RFC2307 attributes and the 'ad' backend.
>>
>> Rowland
>>> Thanks!
>>>
>>> Louis
>>>
>>>
>>>
>>>
>>>> -----Original message-----
>>>> From: rowlandpenny at googlemail.com
>>>> [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
>>>> Sent: Thursday 9 April 2015 12:41
>>>> To: samba at lists.samba.org
>>>> Subject: Re: [Samba] samba member logon.. question.
>>>>
>>>> On 09/04/15 09:19, L.P.H. van Belle wrote:
>>>>> Hi all,
>>>>>
>>>>> I was testing with a member server and I had a small problem.
>>>>> I found the solution, but I'm just asking why.
>>>>> Situation: DC + member server, all is working fine.
>>>>> All tests OK, with AD backend!
>>>>>
>>>>> Now I did set some GPOs and I created a user to test.
>>>>> Tested: wbinfo -u worked OK, id user did not work.. but I ignored that.
>>>> Hi Louis, surely if 'id user' didn't work then your user is unknown to
>>>> the Unix machine.
>>>>
>>>>> Now I'm logging in and my PC was complaining the user and
>>>>> profiles share was inaccessible.
>>>>>
>>>>> I noticed these messages:
>>>>>     [2015/04/08 16:48:19.967842, 0] ../source3/librpc/crypto/gse.c:645(gse_unseal)
>>>>>       gss_unwrap_iov failed with [ Miscellaneous failure (see text): unknown mech-code 0 for mech 1 2 840 113554 1 2 2]
>>>>>     [2015/04/08 16:48:19.968069, 0] ../source3/rpc_server/srv_pipe.c:1525(process_request_pdu)
>>>>>
>>>>> I increased the logging level on the member to 3 and found the following messages..
>>>>>     Found account name from PAC: testuser [T. testuser] Kerberos ticket principal name is [testuser@INTERNAL.DOMAIN.TLD]
>>>>> and now it goes wrong.
>>>>>
>>>>>     Username INTERNAL\testuser is invalid on this system  ....  uh?
>>>> Well yes, the user doesn't exist on the machine.
>>>>
>>>>>     Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
>>>>>
>>>>> If you encounter this problem, then give the user a UID and
>>>>> the problem is solved; I was able to log in again and the
>>>>> message was gone.
>>>>
>>>> There you go, proof that the user must be known to the machine; you
>>>> could also have used the 'rid' backend, which would have allocated an ID
>>>> number without one being in AD.
>>>>
>>>> A Windows user is just a Windows user, unless you do something to make
>>>> it known to Unix.
>>>>
>>>> Rowland
>>>>
>>>>>
>>>>> Is it obligatory to give your users a uid/gid? Or is this
>>>>> backend-dependent?
>>>>> So what if you want to run your setup with AD backend but you
>>>>> don't want to give all your users a uid/gid.
>>>>> Is this possible? Should be, IMO.
>>>>>
>>>>> Greetz,
>>>>>
>>>>> Louis
>>>> -- 
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>
>>>>

Sounds good, but what if:

a user logs into a Windows machine and connects to a user folder on
member2 and also connects to a share on member1; the user then drags a
file from member1 to the user folder on member2. Will it be moved/copied?
And if so, who will own the file?

I think that this needs to be tested; if it does work (and I think it
will) you could have a very good setup there.

Rowland
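
The following POSIX shell script is an added example written for this archive page; it is not code from the thread or from the Samba project. It embeds two constructed smb.conf fragments for a member server of a domain called INTERNAL (the NetBIOS name that appears in Louis's log lines), one with the 'ad' idmap backend and one with 'rid', plus a deliberately broken variant, and checks the points the thread turns on: which backend the domain uses, that its ID range does not collide with the default range, and whether a user that winbind can list is actually known to the Unix side (the `id user` check that failed for Louis). The function names idmap_param, ranges_overlap, check_member_idmap, user_known and failed_user_from_log, the ranges, and the sample log excerpt are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check the idmap setup of a Samba AD
# member and reproduce Louis's checks. The smb.conf fragments, domain name and
# log excerpt are constructed for this example.

# 'ad' backend: IDs come from the RFC2307 attributes (uidNumber/gidNumber) in
# AD, so a user without them is unknown to Unix even though 'wbinfo -u' lists it.
AD_CONF='[global]
   workgroup = INTERNAL
   realm = INTERNAL.DOMAIN.TLD
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config INTERNAL : backend = ad
   idmap config INTERNAL : schema_mode = rfc2307
   idmap config INTERNAL : range = 10000-999999
   winbind nss info = rfc2307
'
# 'rid' backend (same workgroup/realm/security lines as above): the ID is
# computed from the RID of the SID, so every AD user resolves without attributes.
RID_CONF='[global]
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config INTERNAL : backend = rid
   idmap config INTERNAL : range = 10000-999999
'
# Broken variant: the domain range collides with the default ("*") range.
BAD_CONF='[global]
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config INTERNAL : backend = rid
   idmap config INTERNAL : range = 5000-20000
'
# idmap_param CONF DOMAIN PARAM: print the value of "idmap config DOMAIN : PARAM",
# skipping comment lines and normalising whitespace around the key.
idmap_param() {
    printf '%s\n' "$1" | awk -v dom="$2" -v par="$3" '
        {
            line = $0; sub(/^[ \t]+/, "", line)
            if (line ~ /^[;#]/) next
            n = index(line, "="); if (n == 0) next
            key = substr(line, 1, n - 1); val = substr(line, n + 1)
            gsub(/[ \t]+/, " ", key); sub(/ $/, "", key)
            sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            if (tolower(key) == tolower("idmap config " dom " : " par)) print val
        }'
}

# ranges_overlap A-B C-D: succeed when the two inclusive ID ranges intersect.
ranges_overlap() {
    lo1=${1%-*}; hi1=${1#*-}; lo2=${2%-*}; hi2=${2#*-}
    [ "$lo1" -le "$hi2" ] && [ "$lo2" -le "$hi1" ]
}

# check_member_idmap CONF DOMAIN: the domain needs a backend and a range, the
# range must be disjoint from the default range, and the backend decides whether
# users without RFC2307 attributes can log on at all.
check_member_idmap() {
    backend=$(idmap_param "$1" "$2" backend)
    range=$(idmap_param "$1" "$2" range)
    default=$(idmap_param "$1" '*' range)
    [ -n "$backend" ] || { echo "$2: no idmap backend configured"; return 1; }
    [ -n "$range" ]   || { echo "$2: no idmap range configured"; return 1; }
    if [ -n "$default" ] && ranges_overlap "$range" "$default"; then
        echo "$2: range $range overlaps the default range $default"; return 1
    fi
    case $backend in
        ad)  echo "$2: backend=ad range=$range; users need uidNumber/gidNumber in AD" ;;
        rid) echo "$2: backend=rid range=$range; IDs derived from the RID, no attributes needed" ;;
        *)   echo "$2: backend=$backend is neither ad nor rid"; return 1 ;;
    esac
}

# user_known NAME: the check that failed for Louis. 'wbinfo -u' only shows that
# winbind can enumerate the user; 'id' shows that the Unix side can map it.
user_known() {
    id -u "$1" >/dev/null 2>&1
}

# failed_user_from_log TEXT: pull the account out of the smbd log line that
# reports the mapping failure ("Username DOM\user is invalid on this system").
failed_user_from_log() {
    printf '%s\n' "$1" | sed -n 's/.*Username \([^ ]*\) is invalid on this system.*/\1/p' | head -n 1
}

# Constructed log excerpt modelled on the level-3 output quoted in the thread.
SAMPLE_LOG='Found account name from PAC: testuser [T. testuser]
Username INTERNAL\testuser is invalid on this system
Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)'

if [ "${1:-}" = "--demo" ]; then
    check_member_idmap "$AD_CONF" INTERNAL
    check_member_idmap "$RID_CONF" INTERNAL
    check_member_idmap "$BAD_CONF" INTERNAL || echo "BAD_CONF rejected as expected"
    u=$(failed_user_from_log "$SAMPLE_LOG")
    user_known "$u" || echo "$u: unknown to Unix; set uidNumber/gidNumber or switch to rid"
fi
```

Run it with `--demo` to see the three verdicts. On a real member server, feed `testparm -s` output instead of the embedded fragments and call `user_known` on a domain account after `wbinfo -u` has listed it: with the 'ad' backend a user that `id` cannot resolve needs uidNumber and gidNumber set in AD (and a gidNumber on its primary group), which is the "give the user a UID" fix from the thread, whereas with the 'rid' backend the same account resolves without any attributes, which is why Louis's profile and print servers can use it.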

