[Samba] rfc2307 deprecated in Windows 2012 R2?

Davor Vusir davortvusir at gmail.com
Sat Jan 31 11:43:54 MST 2015


Hans-Kristian Bakke wrote on 2015-01-30 17:20:
> I do not understand the point about issues with administrator being
> mapped to a "random" rfc2307 UID. You need to explain the details
> surrounding that part to me as my experience is that this is OK and
> even necessary.
>
> The only reason for not giving Administrator a "random" UID/GID that I
> can think of is perhaps if you are doing some mapping of Administrator
> to root, something which I am personally strongly against as they are
> _not_ the same users from any central authentication point of view. It
> is just a hack for people that are making the mistake of actually using
> the administrator account for linux administration, when it shouldn't
> really be used for anything at all, even on windows boxes, as you
> should be adding dedicated admin accounts for each admin.

Here is how I tried to explain why not to use 'smbmapping' of 
Administrator to root: 
http://www.spinics.net/lists/samba/msg120633.html. It's just wrong to do 
that.

> The script only gives users and groups that are non-local (i.e domain
> users that would actually be used for logins with non-zero SIDs)
> uid/gids. Administrator is one of them and giving it a UID of
> 300500/whatever is absolutely correct and necessary if administrator
> is going to be able to login to the linux boxes like everybody else.
> From a linux box's view in a Windows DC domain, administrator is no
> different from other users. Add your admin group to sudoers and ssh
> allowgroups and you are done. This works beautifully in several well
> tested and abused production systems, also with ACLs with
> administrator added.

Well put!

Regards
Davor

> --
> Hans-Kristian
>
> On 30 January 2015 at 11:01, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>> On 29/01/15 22:56, Hans-Kristian Bakke wrote:
>>> Something went wrong and the message got sent before it was finished.
>>> Here is the complete one:
>>>
>>> Ok, it's here: http://pastebin.com/JEnr5wUq
>>>
>>> The id_offset is that value because I initially didn't use rfc2307
>>> attributes, but instead had
>>>
>>> idmap config EXAMPLE : range = 300000-499999
>>>
>>> in smb.conf.
>>>
>>> To get identical uid/gids you have to start with the same offset. If you
>>> have a fresh domain and are just starting with AD-integration on your
>>> linux-boxes you can just pull out the logic for generating winbind
>>> compatible uids/gids.
>>>
>>> -
>>> Regards,
>>>
>>> Hans-Kristian
>>>
>>>
>>> On 29 January 2015 at 23:53, Hans-Kristian Bakke <hkbakke at gmail.com>
>>> wrote:
>>>> Ok, it's here: http://pastebin.com/JEnr5wUq
>>>>
>>>> The id_offset is that value because I initially didn't use rfc2307
>>>> attributes, but instead
>>>>
>>>>
>>>> On 29 January 2015 at 23:27, Tim <lists at kiuni.de> wrote:
>>>>> @Hans-Kristian:
>>>>> I'd like to see it. How did you automate this?
>>>>>
>>>>> @Andrew:
>>>>> In another thread I suggested setting the rfc2307 info automatically when a
>>>>> domain is provisioned with --use-rfc2307, possibly by an additional parameter.
>>>>> This would make things easier in my eyes.
>>>>>
>>>>> Thanks
>>>>> Tim
>>>>>
>>>>> On 29 January 2015 22:02:14 CET, Hans-Kristian Bakke
>>>>> <hkbakke at gmail.com> wrote:
>>>>>> It is actually rather easy to set the attributes via powershell, and
>>>>>> that is probably the best way to add them in a Server 2012 R2
>>>>>> environment.
>>>>>>
>>>>>> I wrote a powershell script to do this automatically for users and
>>>>>> groups in an entire domain that should be pretty generic to be reused.
>>>>>> It also mirrors the logic used in automatic winbind UID/GID generation
>>>>>> to be able to coexist in an environment where not all hosts are
>>>>>> migrated to rfc2307 yet. If you want it I can give it to you, but as
>>>>>> you probably would want to write your own powershell-script you would
>>>>>> set properties for users and groups using these two cmdlets and some
>>>>>> foreach-logic looping over your search bases, users and groups:
>>>>>>
>>>>>> Set-ADUser -Identity $username -Replace @{uidNumber=$uid;gidNumber=$primary_group_gid;unixHomeDirectory=$homedir;loginShell=$login_shell}
>>>>>>
>>>>>> Set-ADGroup -Identity $groupname -Replace @{gidNumber=$gid}
>>>>>>
>>>>>> On 29 January 2015 at 21:24, Lars Hanke <debian at lhanke.de> wrote:
>>>>>>> On 29.01.2015 at 21:12, Tim wrote:
>>>>>>>>
>>>>>>>> But if they take it away, how to set them in the future?
>>>>>>>
>>>>>>>
>>>>>>> If you need NIS, you probably have POSIX systems attached. So you
>>>>>>> can always set RFC2307 attributes from POSIX systems.
>>>>>>>
>>>>>>>
>>>>>>>> On 29 January 2015 19:50:22 CET, Andrew Bartlett
>>>>>>>> <abartlet at samba.org> wrote:
>>>>>>>>>
>>>>>>>>> On Wed, 2015-01-28 at 17:22 +0100, Tim wrote:
>>>>>>>>>>
>>>>>>>>>> I got the chance to test samba 4 with a windows 2012 R2 domain
>>>>>>>>>> controller on its highest functional level.
>>>>>>>>>>
>>>>>>>>>> Possibly it's important to know that M$ says that the "server for
>>>>>>>>>> NIS Tools" which are needed to set rfc attributes are deprecated.
>>>>>>>>>> I could install them but I can't choose a NIS domain anymore in
>>>>>>>>>> Unix attributes.
>>>>>>>>>>
>>>>>>>>>> Will we run into problems with samba4? Is it time for thinking
>>>>>>>>>> about a new idmapping backend? I have an idea for this (based on
>>>>>>>>>> the rid module) but I'd like to know your thoughts.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Even if they take away the admin tools, the schema changes won't
>>>>>>>>> go away, so don't worry.
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Andrew Bartlett
>>>>>>>>> http://samba.org/~abartlet/
>>>>>>>>> Authentication Developer, Samba Team  http://samba.org
>>>>>>>>> Samba Developer, Catalyst IT
>>>>>>>>> http://catalyst.net.nz/services/samba
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>> OK, had a quick look through your script and I cannot recommend it; it would
>> seem to give Administrator (and everybody else) a 'uidNumber'.
>> Administrator's 'uidNumber' would be 300500, not a good idea.
>>
>> Rowland
>>
>>
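The PowerShell approach Hans-Kristian describes above (Set-ADUser/Set-ADGroup with -Replace, looping over a search base, mirroring winbind's automatic UID/GID generation) can be written out as follows. This is an added example, not the script from the thread (that one is only linked on pastebin) and not Samba project code. It reproduces the idmap_rid arithmetic, ID = RID + LOW_RANGE_ID, for the range the thread's smb.conf line uses, which is exactly why Administrator (RID 500) ends up as 300500. The OU in $SearchBase, the home-directory prefix and the login shell are assumed placeholders. Nothing is written unless -Apply is passed; a plain run only prints what the cmdlets would change.

```powershell
<#
Added example: populate rfc2307 attributes with the same numbers winbind's
idmap_rid backend computes for "idmap config EXAMPLE : range = 300000-499999",
so hosts still using that backend and hosts reading uidNumber/gidNumber from AD
agree on every ID. $SearchBase, $HomePrefix and $LoginShell are assumptions.
#>
[CmdletBinding()]
param(
    [string]$SearchBase = 'OU=People,DC=example,DC=com',  # assumption
    [int]$RangeLow  = 300000,            # low end of the thread's idmap range
    [int]$RangeHigh = 499999,            # high end of the thread's idmap range
    [string]$HomePrefix = '/home',       # assumption
    [string]$LoginShell = '/bin/bash',   # assumption
    [switch]$Apply                       # without it, every change is -WhatIf
)

Import-Module ActiveDirectory

function ConvertTo-WinbindId {
    <# Map a domain account SID to the ID idmap_rid would hand out:
       LOW_RANGE_ID + RID (BASE_RID left at its default of 0).
       BUILTIN/well-known SIDs (anything not S-1-5-21-...) are refused; winbind
       would not allocate them from the domain range either. #>
    param([Parameter(Mandatory)][string]$Sid, [int]$Low, [int]$High)
    if ($Sid -notmatch '^S-1-5-21-\d+-\d+-\d+-(\d+)$') {
        throw "not a domain account SID: $Sid"
    }
    $rid = [int]$Matches[1]
    $id  = $Low + $rid
    if ($id -gt $High) {
        throw "RID $rid maps to $id, outside ${Low}-${High} (idmap_rid would fail as well)"
    }
    return $id
}

# Groups first, so that every gidNumber a user receives refers to a group that
# carries one. Note: the users' primary group (normally Domain Users, RID 513)
# must be covered by $SearchBase or be given its gidNumber separately.
foreach ($g in Get-ADGroup -Filter * -SearchBase $SearchBase -Properties gidNumber) {
    try {
        $gid = ConvertTo-WinbindId -Sid $g.SID.Value -Low $RangeLow -High $RangeHigh
    } catch {
        Write-Warning "skipping group $($g.SamAccountName): $_"
        continue
    }
    if ($g.gidNumber -and $g.gidNumber -ne $gid) {
        # An existing, different value means some host already relies on it.
        Write-Warning "group $($g.SamAccountName) has gidNumber $($g.gidNumber), expected $gid; left unchanged"
        continue
    }
    Set-ADGroup -Identity $g -Replace @{ gidNumber = $gid } -WhatIf:(-not $Apply)
}

foreach ($u in Get-ADUser -Filter * -SearchBase $SearchBase -Properties primaryGroupID, uidNumber) {
    try {
        # Administrator (RID 500) becomes 300000 + 500 = 300500 here: an ordinary,
        # non-root uid, which is the point made in the thread.
        $uid = ConvertTo-WinbindId -Sid $u.SID.Value -Low $RangeLow -High $RangeHigh
    } catch {
        Write-Warning "skipping user $($u.SamAccountName): $_"
        continue
    }
    if ($u.uidNumber -and $u.uidNumber -ne $uid) {
        Write-Warning "user $($u.SamAccountName) has uidNumber $($u.uidNumber), expected $uid; left unchanged"
        continue
    }
    # primaryGroupID holds the RID of the primary group, so the same arithmetic
    # yields the gidNumber idmap_rid would report for that group.
    $gid = $RangeLow + $u.primaryGroupID
    $attrs = @{
        uidNumber         = $uid
        gidNumber         = $gid
        unixHomeDirectory = "$HomePrefix/$($u.SamAccountName)"
        loginShell        = $LoginShell
    }
    Set-ADUser -Identity $u -Replace $attrs -WhatIf:(-not $Apply)
}
```

Run it once without -Apply and read the -WhatIf output; any account reported as "left unchanged" already has a uidNumber or gidNumber that disagrees with the idmap_rid value, and those are the cases where files on existing Linux hosts would change ownership if the attribute were overwritten.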
