[Samba] D.C. and File Server on the same server...

Rowland Penny rpenny at samba.org
Fri Nov 11 20:09:34 UTC 2016


On Fri, 11 Nov 2016 11:21:17 -0800
L A Walsh <samba at tlinx.org> wrote:

> Rowland Penny via samba wrote:
> > If you are talking about 'system' accounts (postfix, dovecot,
> > apache, etc) then these do belong in /etc/passwd and /etc/group. As
> > far as I am aware, windows doesn't use Unix IDs, it uses SID-RIDs
> >   
> ----
>     System accounts & groups -- I know windows doesn't use the UIDs
> directly -- that's why I have them mapped, and there are very
> few below 500, um like these selections from the group file:
> 
> SYSTEM:S-1-5-18:18:l:root,Domain Administrator

Wrong, so very wrong: root has the Unix ID '0' and is the only Unix
user that needs mapping to. A Samba DC automatically maps Administrator
to 'root', and you can do it on a Unix domain member via a user.map.

> Domain Admins:!:512:root,Bliss\root
> Remote Desktop Users:!:555:linw,root,Bliss\linw

Whilst Domain Admins may need to be visible to Unix, Remote Desktop
Users doesn't and you don't need to use the RID as a uidNumber, in
fact it is a bad idea to do so.
 
> 
> I used data files looking like:
> 
> Everyone:x:11100:S-1-1-0,builtin:
> Creator Owner:x:11300:S-1-3-0,builtin:
> Authenticated Users:x:11511:S-1-5-11,builtin:
> Terminal Server Users:x:11513:S-1-5-13,builtin:
> Local System:x:11518:S-1-5-18,builtin:
> Local Service:x:11519:S-1-5-19,builtin:
> Network Service:x:11520:S-1-5-20,builtin:

Not one of these needs to be visible to Unix.

> 
> to map SIDs to "IDs" (UIDs+GIDs) via fixed formulas
> with winbind knowing the ID->SID mappings.
> 
> When I ask for a list of available options to put
> in an access list (Where you select a windows-name
> for an access list, hit 'Advanced', and 'Find Now'
> and it queries the server for all options (as in
> attached image).
> 
> Before I added all the well-known and builtin
> SIDs to my server DB, I didn't have most of the
> ones shown in the picture -- just a few.

You have problems!

> >   
> >
> > OK, if you create a user or group in AD it gets a SID-RID, this is
> > one for Domain Users:
> >
> > S-1-5-21-1768301897-3342589593-1064908849-513
> >   
> ---
> Right.
> > If I run 'getent group Domain\ Users' on a Unix domain member, I get
> > this:
> >
> > domain_users:x:10000:
> >   
> ---
>     I'd get a name of "Domain Users" and a ID of 513.

The name is still the same and as I said, using 513 is a bad idea.


> > What! a windows group is usable on Unix, how is this possible ?
> >   
> ---
>     A windows group with a confusing ID.  I find it less
> confusing if my RID equals my ID (ID meaning Unix UID or GID).
> For some RIDs I can't use a 1:1, like many in the data
> file fragment I showed above.  I keep them from
> overlapping by using different, fixed ranges.  Like for
> the Mandatory Levels which have authority SIDs starting
> with S-1-16, I used 116 as a prefix and add the RID (w/
> leading zeros for <5 digits):
> 
> Low Mandatory Level:x:11604096:S-1-16-4096,builtin:
> Medium Mandatory Level:x:11608192:S-1-16-8192,builtin:
> Medium Plus Mandatory Level:x:11608448:S-1-16-8448,builtin:
> High Mandatory Level:x:11612288:S-1-16-12288,builtin:
> System Mandatory Level:x:11616384:S-1-16-16384,builtin:
> Protected Process Mandatory Level:x:11620480:S-1-16-20480,builtin:
> Secure Process Mandatory Level:x:11628672:S-1-16-28672,builtin:
> 

They may not be confusing to you, but they confused me. It doesn't
make any difference to Unix what ID you use.
  
> 
> 
> > This is possible because you can add this to the groups object in
> > AD:
> >
> > gidNumber: 10000
> >   
> ----
>     Right -- many mapping utils use 1 fixed offset.

No, it isn't a mapping, I just chose to use the same start range that
Windows does.

> 
>     It's just that I'm using several offsets to prevent
> collisions and embed the original SID's in the assigned
> unix ID's.

Why? You can stop collisions by using the next available uidNumber or
gidNumber; you can also have a user AND a group with the same number,
one would be a uidNumber, the other a gidNumber.

> >   
> >> ---
> >>     Why not?  Can't I configure that range?... FWIW, though, right
> >> now my IDs all map to the same range (as I don't rely on
> >> auto-allocation), like   "idmap config *:range = 0-999999999"  --
> >> just wanted to make it include all of my mapped ranges.
> >>     
> >
> > Firstly, you shouldn't be starting your range at '0', but that is
> > your decision. As I said, you do not map, you make your windows
> > users & groups be Unix users & groups, you are also at liberty to
> > give your users and groups whatever ID number you like.
> >   
> ----
>     See above for reasons for using those ranges.
> 
>     Of note: if I had to map users from another domain --
> then I'd likely add some offset to my 'range' ...  (C'est la vie!).
> 
> > Never tried to do this, but it should work on AD as well. Only thing
> > is, it is usually done the other way around, i.e. the data is stored
> > on a Unix machine and then mounted on the windows machine. 
> >   
> ----
>     All my "data" is stored on the server.  I just have a
> mapping for my primary desktop client onto my server for
> convenience.  It's not used that often.

You wouldn't need the symlink with AD, the data would belong to the
user, whether the user was a windows user or a local Unix user, mainly
because they would be the same user. One thing I forgot to tell you:
you cannot have private user groups, i.e. you cannot have a user 'fred'
and a group called 'fred', but this is not a problem.

Your setup is your concern, but can I suggest you forget the old way
of doing things and learn the new ways? In the end I think you will
find it easier to use.

> > Go here and read:
> >
> > https://support.microsoft.com/en-us/kb/243330
> >
> > They are the BUILTIN users and groups I was referring to, if these
> > aren't visible on your windows machines, then you have BIG problems.
> >   
> ----
>     They usually aren't visible on the drop-down list.  Also,
> in 3.6.x, only a small number of the builtins were mapped at all
> in the samba SW, and most of those were blocked for enumeration
> purposes (poo!)...  Maybe that's changed on 4.x?

Yes it has, if a windows group needs to be used on a Unix machine it
will be mapped by winbind, but this usually only needs to be on the
Samba AD DC (sysvol etc).

> 
> 
> 
> >
> > I would start reading up on using Samba as an AD domain, microsoft
> > doesn't want you to use NT4-style domains any more and seems to be
> > making it harder and harder to use them.
> >
> > A good place to start is here:
> >
> > https://wiki.samba.org/index.php/Main_Page
> >   
> ---
>     Will do, but as you might glimmer from the above, I have
> a rather customized solution for my *tiny* domain -- I wanted
> it to be a resource for me, as well as providing normal domain
> "stuff" (isn't that a technical term?)...

Too customized if you ask me, I think you have overthought it ;-)

Rowland
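The thread turns on two points: the default `idmap config * : range` should not start at 0, and reusing a Windows RID (such as 513) as a Unix uidNumber/gidNumber is a bad idea. The checker below is an added example, written for this page rather than taken from either participant or from the Samba project. It parses the `idmap config ... : range` lines out of a constructed smb.conf fragment, flags ranges that overlap or reach into the low local-account IDs, and parses SID strings so a proposed uidNumber/gidNumber can be compared against the RID. The domain name `SAMDOM`, the two config fragments and the threshold of 1000 for "local system accounts" are assumptions made for the example.

```python
"""Sanity checks for Samba idmap ranges and SID strings (constructed example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed smb.conf fragments. The first reproduces the "0-999999999"
# default range discussed in the thread; the second keeps the default range
# above the local system accounts and clear of the domain's RID range.
SMB_CONF_BAD = """
[global]
    security = ADS
    idmap config * : backend = tdb
    idmap config * : range = 0-999999999
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999
"""

SMB_CONF_OK = """
[global]
    security = ADS
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999
"""

RANGE_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)


def parse_idmap_ranges(conf: str) -> Dict[str, Tuple[int, int]]:
    """Return {domain_or_star: (low, high)} for every idmap range line."""
    ranges: Dict[str, Tuple[int, int]] = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges


def check_idmap_ranges(ranges: Dict[str, Tuple[int, int]], min_low: int = 1000) -> List[str]:
    """Flag inverted ranges, ranges reaching into local IDs (< min_low), and overlaps."""
    problems: List[str] = []
    for dom, (lo, hi) in ranges.items():
        if lo > hi:
            problems.append(f"{dom}: low {lo} is greater than high {hi}")
        if lo < min_low:
            problems.append(f"{dom}: range starts at {lo}, inside the local-account IDs (< {min_low})")
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            alo, ahi = ranges[a]
            blo, bhi = ranges[b]
            if alo <= bhi and blo <= ahi:
                problems.append(f"{a} and {b} overlap: {ranges[a]} vs {ranges[b]}")
    return problems


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    subauthorities: Tuple[int, ...]

    @property
    def rid(self) -> Optional[int]:
        """Last sub-authority, e.g. 513 for Domain Users."""
        return self.subauthorities[-1] if self.subauthorities else None

    def is_domain_sid(self) -> bool:
        """S-1-5-21-<three domain subauthorities>-<RID> identifies a domain user or group."""
        return (self.authority == 5 and len(self.subauthorities) == 5
                and self.subauthorities[0] == 21)


SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")


def parse_sid(text: str) -> Sid:
    """Parse an 'S-1-5-...' string; raises ValueError on anything else."""
    m = SID_RE.match(text)
    if not m:
        raise ValueError(f"not a SID: {text!r}")
    subs = tuple(int(x) for x in m.group(3).split("-")[1:])
    return Sid(int(m.group(1)), int(m.group(2)), subs)


def review_id_choice(sid_text: str, proposed_id: int, min_low: int = 1000) -> List[str]:
    """Warnings for a uidNumber/gidNumber proposed for the object with this SID."""
    sid = parse_sid(sid_text)
    warnings: List[str] = []
    if proposed_id == 0:
        warnings.append("ID 0 is root; only root should hold it")
    elif proposed_id < min_low:
        warnings.append(f"ID {proposed_id} is inside the local-account range (< {min_low})")
    if sid.rid is not None and proposed_id == sid.rid:
        warnings.append(f"ID equals the RID {sid.rid}; reusing the RID as a Unix ID is what the thread warns against")
    return warnings


if __name__ == "__main__":
    for name, conf in (("bad", SMB_CONF_BAD), ("ok", SMB_CONF_OK)):
        print(name, check_idmap_ranges(parse_idmap_ranges(conf)))
    print(review_id_choice("S-1-5-21-1768301897-3342589593-1064908849-513", 513))
```

Running it prints two findings for the first fragment (the `*` range starts at 0 and swallows the SAMDOM range) and none for the second, and warns twice when 513 is proposed as the gidNumber for the Domain Users SID quoted in the thread.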