[Samba] Domain Users group with multiple gid

Clemente Aguiar ca-mlsamba at arditi.pt
Tue Apr 10 13:46:50 UTC 2018 

> No dia 08/04/2018, às 21:20, Clemente Aguiar <ca-mlsamba at arditi.pt> escreveu:
> 
> Às 15:45 de 08-04-2018, Rowland Penny via samba escreveu:
>> On Sun, 8 Apr 2018 14:44:30 +0100
>> Clemente Aguiar <ca-mlsamba at arditi.pt> wrote:
>> 
>>> Às 13:51 de 08-04-2018, Rowland Penny escreveu:
>>>> On Sun, 8 Apr 2018 13:22:28 +0100
>>>> Clemente Aguiar via samba <samba at lists.samba.org> wrote:
>>>> 
>>>>> The samba was created by Zentyal system (http://www.zentyal.org).
>>>>> 
>>>>> Here is smb.conf:
>>>>> 
>>>>> [global]
>>>>>       workgroup = arditi
>>>>>       realm = ARDITI.PT
>>>>>       netbios name = hera
>>>>>       server string = Zentyal Server
>>>>>       server role = dc
>>>>>       server role check:inhibit = yes
>>>>>       server services = -dns
>>>>>       server signing = auto
>>>>>       dsdb:schema update allowed = yes
>>>>>       ldap server require strong auth = no
>>>>>       drs:max object sync = 1200
>>>>> 
>>>>>       idmap_ldb:use rfc2307 = yes
>>>>> 
>>>>>       winbind enum users = yes
>>>>>       winbind enum groups = yes
>>>>>       template shell = /bin/bash
>>>>>       template homedir = /home/%U
>>>>> 
>>>>>       interfaces = lo,eth0
>>>>>       bind interfaces only = yes
>>>>> 
>>>>>       map to guest = Bad User
>>>>> 
>>>>>       log level = 3
>>>>>       log file = /var/log/samba/samba.log
>>>>>       max log size = 100000
>>>>> 
>>>>>       include = /etc/samba/shares.conf
>>>>> 
>>>>> [netlogon]
>>>>>       path = /var/lib/samba/sysvol/arditi.pt/scripts
>>>>>       browspid_to_procid: messaging_dgm_get_unique failed: No such
>>>>> file or directoryeable = no read only = yes
>>>>> 
>>>>> [sysvol]
>>>>>       path = /var/lib/samba/sysvol
>>>>>       read only = no
>>>> It is running as an AD DC and the IDs you showed are not in the
>>>> '3000000' range, so this means one of two things, either idmap.ldb
>>>> has been messed with (not recommended) or the users and groups have
>>>> been given uidNumber and gidNumber attributes (with very low
>>>> numbers, again not recommended).
>>>> I think it is more likely to be the later and if so, there is a bug
>>>> for this: https://bugzilla.samba.org/show_bug.cgi?id=13054#
>>>> 
>>>> Rowland
>>> Rowland,
>>> 
>>> Thank you for the quick answer.
>>> 
>>> The thing is that this Zentyal server is a few years old and has been
>>> through a few upgrades.
>>> In the begging Zentyal was based Samba3 + OpenLDAP (if I am not
>>> mistaken), and eventually changed to Samba4.
>>> The new users and groups have IDs in the '3000000' range, but old
>>> users and groups have IDs in the '2000' range.
>>> So I think the low IDs are remnants of the old version which where
>>> kept even though the system was upgraded. And I think that the double
>>> gID for users is also related to remnants of the old system and the
>>> successive upgrades.
>>> 
>>> 1)
>>> 
>>> You mentioned that uidNumber and gidNumber attributes with very low
>>> numbers are not recommended.
>>> Is there anything I can do about that at this point in time?
>> It used to be thought that using such low numbers wasn't a problem, but
>> time has shown otherwise ;-)
>> 
>> The problem is that Linux uses numbers below 1000 for system users &
>> groups and then starts local users & groups at 1000, there is then the
>> problem of the BUILTIN users & groups and users & groups from outside
>> the domain. You could add them after the range for the domain, but if
>> the range chosen is too low, it could interfere with the domain range if
>> this grows too large. So, the advice is to allow a range above 3000
>> but below 10000 for the BUILTIN etc domain and then start the AD
>> domain users & groups at 10000 (which is where Windows started them)
>> 
>> Of course this only really comes into play if you have any Unix domain
>> members. If nobody actually logs into the DC and you only store things
>> in shares and access them from windows, you might as well stick to the
>> xidNumbers in idmap.ldb (i.e. the 3000000 numbers)
>> 
>> Whether you can do anything about this now, sort of depends on
>> how many users you have and if you really want to fix it ;-)
>> 
>> If you do want to fix it and only use windows (the zentyal DC is the
>> only Unix machine) then just remove the uidNumber & gidNumber
>> attributes, but you will need to fix file ownership.
>> 
> Rowland,
> 
> I don't have that many users and I really want to fix it, and I don't have a problem with fixing file ownership.
> 
> You say "just remove the uidNumber & gidNumber attributes", does this mean that new IDs will be assigned automatically?
> 
> And most important, can you tell me exactly how to do this (remove the uidNumber & gidNumber attributes), i.e what are the commands, I would really appreciate.
> Like I said in the initial post, I have little knowledge about Samba4.
> 
> Clemente

Rowland,

Did you see my email?

I would really appreciate your answer and help.

Regards,
Clemente

More information about the samba mailing list