[Samba] Samba AD: gidNumber?

Viktor Trojanovic viktor at troja.ch
Tue Oct 27 09:34:11 UTC 2015



On 27.10.2015 09:05, Rowland Penny wrote:
> On 26/10/15 22:35, Viktor Trojanovic wrote:
>>
>>
>> On 26.10.2015 23:03, Rowland Penny wrote:
>>> On 26/10/15 21:38, Viktor Trojanovic wrote:
>>>> I joined a Samba AD member server (file server) to a Samba AD DC. 
>>>> This seems to have worked. However, if I try to access the file 
>>>> server from the domain administrator account on a Windows client, I 
>>>> am asked to provide authorization details. Since I have no other 
>>>> privileged users, I am using the domain admin credentials but 
>>>> they're not accepted.
>>>>
>>>> I'm not sure exactly where to look but I think the problem could be 
>>>> connected to the following: On my member server, the getent command 
>>>> does not yield any results. As per the recommendations on the 
>>>> "Samba Member Server Troubleshooting" page, I checked on the DC if 
>>>> the group Domain Users has a gidNumber. Well, it doesn't. Neither 
>>>> do my users have uidNumbers though this, allegedly, is not such an 
>>>> issue.
>>>
>>> Yes it is, there is no point in adding a gidNumber to Domain Users 
>>> if you are not going to give your Users a uidNumber.
>>>
>>> As far as how to add uidNumbers and gidNumbers, well firstly, do you 
>>> need to? If your users are never going to actually log into the 
>>> member server and this is your only Unix machine, you could use the 
>>> winbind 'rid' backend; this will create the ID numbers on the fly.
>>> If you have more than one member server, or Unix clients, or want 
>>> your users to log into the member server, you will probably be 
>>> better off using the winbind 'ad' backend. To do this you will need 
>>> to give your users a unique uidNumber and Domain Users (at least) a 
>>> gidNumber. You can do this by using the ADUC UNIX Attributes tab, by 
>>> writing your own script using an ldif, or by using something like 
>>> the LDAP Account Manager (LAM).
>>>
>>> Rowland
>> Thanks again for helping, Rowland.
>>
>> As I mentioned before, both the DC and the member server are Unix 
>> running Samba 4.3. The purpose of the member server is to act as file 
>> server, nothing more.
>>
>> The clients are all windows machines and users, they will never log 
>> in to one of the unix systems directly. If they are able to access 
>> shares on the file server without having to log in, then I guess this 
>> 'rid' backend seems to be what I need. Correct? Can you give me some 
>> pointers on how to do that, or direct me to the documentation?
>>
>> Though one has to wonder: There is a wiki on how to implement a Samba 
>> AD, and how to add a Samba Member Server. I followed the instructions 
>> step by step, for both, and now it turns out that the instructions 
>> for the member server are not made to fit the configuration of the 
>> DC? That's a bit discouraging.
>>
>> Viktor
>
> The main problem is that idmap.ldb on the DC will allocate an 
> xidNumber to a user in the '3000000' range; this xidNumber is used for 
> the user's uidNumber. If you use the DC as a fileserver and a user 
> stores something on the DC and you were to examine the permissions, 
> you will find that it doesn't belong to a user but to a number. This gets 
> worse: if you have two DCs, you can and probably will get different 
> numbers on each DC. Now this is not a problem until you do something 
> like copy the file from one DC to the other; the file could then 
> belong to another user. This can also happen with a member server.
>
> If you use a member server and do not want your users to log into it, 
> you can use the winbind 'rid' backend; this will allocate UID numbers 
> to your users using an algorithm based on the user's RID. This also has 
> the effect of creating the same UID on every member server.
>
> If you need to use the DC as a fileserver, then I would advise the use 
> of the winbind 'ad' backend. Using this, your users will get the same 
> UID everywhere, as the user's UID is stored in AD using the uidNumber 
> attribute.
>
> To add uidNumber & gidNumber attributes to AD is fairly simple, you 
> can do it using ADUC, or by writing your own script around an ldif.
>
> To use the winbind 'rid' backend, see here: 
> https://wiki.samba.org/index.php/Idmap_config_rid
>
> Rowland
>
>

Thanks a lot for this very valuable information; this has all become a lot 
clearer now.

I am currently just doing a lab setup with a very small AD (5 users, 1 
OU, just the standard groups), so I want to try both variations, 
starting with the ad (rfc2307) backend, and I already have some questions.

I'm using Win10 RSAT, so I don't have the "Unix Attributes" tab but I 
can still modify the attributes manually in the "Attributes" tab. I 
understand how to change the attributes but I'm not clear on which 
values to use.

The wiki says that "by default, ADUC starts assigning UIDs and GIDs at 
10000". I haven't changed those defaults anywhere, so this is what must 
apply for my AD. But I don't understand how ADUC "assigns" anything. It 
seems that I have to manually choose which values to enter, and I'm not 
being restricted. So, I'm worried I will break something if I make a 
mistake here.

For example, I gave the admin account a UID of 10000 and my Domain Users 
group a GID of 10000. Was that the right thing to do? And where do I go 
from here? Because I'm further confused by the sentence in the wiki 
"Every time a UID/GID is assigned using ADUC, the next UID/GID is stored 
inside the AD". So, this sounds as if there has to be a strict rule about which 
number comes next.

By the way, is there a way that the server could just handle these 
assignments automatically for me? Or is this the ldif script you were 
mentioning that I would have to write myself?
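Added example, not from this thread or from the Samba project: a small Python script illustrating the two options Rowland describes, the 'rid' backend's UID formula (as given in the idmap_rid man page) and a generated LDIF that stores uidNumber/gidNumber in AD for the 'ad' backend. The SIDs, account names, domain DN and idmap range are constructed sample values; it assumes the accounts live under CN=Users with CN equal to the account name.

```python
"""Added example, not from the thread: the two idmap choices Rowland
describes, run over constructed sample data.
- rid backend: the UID is computed from the RID and is therefore the same
  on every member server (man idmap_rid: ID = RID - BASE_RID + LOW_RANGE_ID).
- ad backend: uidNumber/gidNumber live in AD; build_ldif writes the LDIF a
  "script around an ldif" would feed to ldbmodify on the DC.
SIDs, names, the domain DN and the idmap range are constructed values.
"""

# Constructed sample users: (sAMAccountName, objectSid). The last SID
# component is the RID; 500 is the RID of the built-in Administrator.
SAMPLE_USERS = [
    ("administrator", "S-1-5-21-1111-2222-3333-500"),
    ("viktor", "S-1-5-21-1111-2222-3333-1103"),
    ("alice", "S-1-5-21-1111-2222-3333-1104"),
]
DOMAIN_DN = "DC=example,DC=lan"  # placeholder, not a real domain

def rid_of(sid: str) -> int:
    """Return the RID: the last sub-authority of an S-1-5-21-... SID."""
    return int(sid.rsplit("-", 1)[1])

def rid_to_unix_id(rid: int, low: int, high: int, base_rid: int = 0):
    """idmap_rid mapping ID = RID - BASE_RID + LOW_RANGE_ID; None when the
    result is outside the configured range (such users get no mapping)."""
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None

def build_ldif(users, start_uid: int = 10000, domain_users_gid: int = 10000) -> str:
    """LDIF giving Domain Users a gidNumber and each user a sequential
    uidNumber (from the ADUC default of 10000) plus that gidNumber.
    Assumes the objects sit in CN=Users and that CN equals the account name.
    Apply on the DC with: ldbmodify -H /var/lib/samba/private/sam.ldb x.ldif"""
    entries = [
        f"dn: CN=Domain Users,CN=Users,{DOMAIN_DN}\nchangetype: modify\n"
        f"add: gidNumber\ngidNumber: {domain_users_gid}\n"
    ]
    for offset, (name, _sid) in enumerate(users):
        entries.append(
            f"dn: CN={name},CN=Users,{DOMAIN_DN}\nchangetype: modify\n"
            f"add: uidNumber\nuidNumber: {start_uid + offset}\n-\n"
            f"add: gidNumber\ngidNumber: {domain_users_gid}\n"
        )
    return "\n".join(entries)

if __name__ == "__main__":
    for name, sid in SAMPLE_USERS:  # rid backend view, range 10000-999999
        print(name, rid_to_unix_id(rid_of(sid), 10000, 999999))
    print(build_ldif(SAMPLE_USERS))
```

Because the LDIF route bypasses ADUC, it does not advance the "next UID/GID" value the wiki says ADUC stores, so keep one agreed starting number and check the attributes are unique before applying.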


