[Samba] Domain Users group with multiple gid
Clemente Aguiar
ca-mlsamba at arditi.pt
Tue Apr 10 13:46:50 UTC 2018
> On 08/04/2018, at 21:20, Clemente Aguiar <ca-mlsamba at arditi.pt> wrote:
>
> At 15:45 on 08-04-2018, Rowland Penny via samba wrote:
>> On Sun, 8 Apr 2018 14:44:30 +0100
>> Clemente Aguiar <ca-mlsamba at arditi.pt> wrote:
>>
>>> At 13:51 on 08-04-2018, Rowland Penny wrote:
>>>> On Sun, 8 Apr 2018 13:22:28 +0100
>>>> Clemente Aguiar via samba <samba at lists.samba.org> wrote:
>>>>
>>>>> The samba was created by Zentyal system (http://www.zentyal.org).
>>>>>
>>>>> Here is smb.conf:
>>>>>
>>>>> [global]
>>>>> workgroup = arditi
>>>>> realm = ARDITI.PT
>>>>> netbios name = hera
>>>>> server string = Zentyal Server
>>>>> server role = dc
>>>>> server role check:inhibit = yes
>>>>> server services = -dns
>>>>> server signing = auto
>>>>> dsdb:schema update allowed = yes
>>>>> ldap server require strong auth = no
>>>>> drs:max object sync = 1200
>>>>>
>>>>> idmap_ldb:use rfc2307 = yes
>>>>>
>>>>> winbind enum users = yes
>>>>> winbind enum groups = yes
>>>>> template shell = /bin/bash
>>>>> template homedir = /home/%U
>>>>>
>>>>> interfaces = lo,eth0
>>>>> bind interfaces only = yes
>>>>>
>>>>> map to guest = Bad User
>>>>>
>>>>> log level = 3
>>>>> log file = /var/log/samba/samba.log
>>>>> max log size = 100000
>>>>>
>>>>> include = /etc/samba/shares.conf
>>>>>
>>>>> [netlogon]
>>>>> path = /var/lib/samba/sysvol/arditi.pt/scripts
>>>>> browseable = no
>>>>> read only = yes
>>>>>
>>>>> [sysvol]
>>>>> path = /var/lib/samba/sysvol
>>>>> read only = no
>>>> It is running as an AD DC and the IDs you showed are not in the
>>>> '3000000' range, so this means one of two things, either idmap.ldb
>>>> has been messed with (not recommended) or the users and groups have
>>>> been given uidNumber and gidNumber attributes (with very low
>>>> numbers, again not recommended).
>>>> I think it is more likely to be the latter and if so, there is a bug
>>>> for this: https://bugzilla.samba.org/show_bug.cgi?id=13054#
>>>>
>>>> Rowland
>>> Rowland,
>>>
>>> Thank you for the quick answer.
>>>
>>> The thing is that this Zentyal server is a few years old and has been
>>> through a few upgrades.
>>> In the beginning Zentyal was based on Samba3 + OpenLDAP (if I am not
>>> mistaken), and eventually changed to Samba4.
>>> The new users and groups have IDs in the '3000000' range, but old
>>> users and groups have IDs in the '2000' range.
>>> So I think the low IDs are remnants of the old version which were
>>> kept even though the system was upgraded. And I think that the double
>>> gID for users is also related to remnants of the old system and the
>>> successive upgrades.
>>>
>>> 1)
>>>
>>> You mentioned that uidNumber and gidNumber attributes with very low
>>> numbers are not recommended.
>>> Is there anything I can do about that at this point in time?
>> It used to be thought that using such low numbers wasn't a problem, but
>> time has shown otherwise ;-)
>>
>> The problem is that Linux uses numbers below 1000 for system users &
>> groups and then starts local users & groups at 1000, there is then the
>> problem of the BUILTIN users & groups and users & groups from outside
>> the domain. You could add them after the range for the domain, but if
>> the range chosen is too low, it could interfere with the domain range if
>> this grows too large. So, the advice is to allow a range above 3000
>> but below 10000 for the BUILTIN etc domain and then start the AD
>> domain users & groups at 10000 (which is where Windows started them)
>>
>> Of course this only really comes into play if you have any Unix domain
>> members. If nobody actually logs into the DC and you only store things
>> in shares and access them from windows, you might as well stick to the
>> xidNumbers in idmap.ldb (i.e. the 3000000 numbers)
>>
>> Whether you can do anything about this now, sort of depends on
>> how many users you have and if you really want to fix it ;-)
>>
>> If you do want to fix it and only use windows (the zentyal DC is the
>> only Unix machine) then just remove the uidNumber & gidNumber
>> attributes, but you will need to fix file ownership.
>>
> Rowland,
>
> I don't have that many users and I really want to fix it, and I don't have a problem with fixing file ownership.
>
> You say "just remove the uidNumber & gidNumber attributes", does this mean that new IDs will be assigned automatically?
>
> And most important, can you tell me exactly how to do this (remove the uidNumber & gidNumber attributes), i.e. what are the commands? I would really appreciate it.
> Like I said in the initial post, I have little knowledge about Samba4.
>
> Clemente
Rowland,
Did you see my email?
I would really appreciate your answer and help.
Regards,
Clemente
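The step Rowland describes above (remove the rfc2307 uidNumber and gidNumber attributes so that winbind goes back to the xidNumbers in idmap.ldb, then fix file ownership) as an added shell example. This is not code from the thread, from Samba or from Zentyal; the sam.ldb path, the user names and the sample ldbsearch output are assumptions for illustration, and the realm is taken from the smb.conf quoted earlier. The script defaults to a dry run that only prints the LDIF and the commands it would execute.

```shell
#!/bin/sh
# Added example, not from the thread, Samba or Zentyal. It builds the LDIF that
# deletes the rfc2307 uidNumber/gidNumber attributes from AD objects (so that
# with "idmap_ldb:use rfc2307 = yes" winbind falls back to idmap.ldb) and
# re-owns files from the old numeric IDs to the ones winbind now returns.

SAM_DB=${SAM_DB:-/var/lib/samba/private/sam.ldb}   # assumed sam.ldb location on the DC
DRY_RUN=${DRY_RUN:-1}                              # 1 = print only, 0 = really apply

# Constructed sample of what
#   ldbsearch -H "$SAM_DB" '(|(uidNumber=*)(gidNumber=*))' dn uidNumber gidNumber
# might print for two legacy users and one legacy group (names/IDs invented).
SAMPLE_SEARCH='dn: CN=alice,CN=Users,DC=arditi,DC=pt
uidNumber: 2001
gidNumber: 2000

dn: CN=bob,CN=Users,DC=arditi,DC=pt
uidNumber: 2002
gidNumber: 2000

dn: CN=Domain Users,CN=Users,DC=arditi,DC=pt
gidNumber: 2000
'

# Turn ldbsearch-style output on stdin into one "dn<TAB>uid<TAB>gid" line per
# entry; an attribute the entry does not carry is printed as "-".
list_rfc2307_entries() {
    awk '
        function flush() { if (dn != "") print dn "\t" uid "\t" gid; dn = ""; uid = gid = "-" }
        BEGIN          { uid = gid = "-" }
        /^dn: /        { flush(); dn = substr($0, 5) }
        /^uidNumber: / { uid = $2 }
        /^gidNumber: / { gid = $2 }
        END            { flush() }
    '
}

# Emit one LDIF modify record that deletes only the attributes the entry has
# (ldbmodify rejects a delete of an attribute that is not present).
strip_ldif() {   # $1 = dn, $2 = uid or "-", $3 = gid or "-"
    printf 'dn: %s\nchangetype: modify\n' "$1"
    if [ "$2" != "-" ]; then printf 'delete: uidNumber\n-\n'; fi
    if [ "$3" != "-" ]; then printf 'delete: gidNumber\n-\n'; fi
    printf '\n'
}

# Build the complete LDIF for every entry in the search output on stdin.
build_strip_ldif() {
    list_rfc2307_entries | while IFS="$(printf '\t')" read -r dn uid gid; do
        strip_ldif "$dn" "$uid" "$gid"
    done
}

# Query sam.ldb, apply the LDIF and flush the cached ID mappings.
apply_strip() {
    ldif=$(ldbsearch -H "$SAM_DB" '(|(uidNumber=*)(gidNumber=*))' dn uidNumber gidNumber | build_strip_ldif)
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$ldif"
        echo "# would run: ldbmodify -H $SAM_DB  <ldif>  ; net cache flush"
    else
        printf '%s\n' "$ldif" | ldbmodify -H "$SAM_DB"
        net cache flush
    fi
}

# Re-own files from a legacy numeric ID to the ID winbind now assigns.
# $1 = user|group, $2 = old numeric id, $3 = DOMAIN\name, $4 = path to walk.
remap_ids() {
    sid=$(wbinfo --name-to-sid "$3" | cut -d' ' -f1) || return 1
    if [ "$1" = user ]; then
        new=$(wbinfo --sid-to-uid "$sid") || return 1; flag=-uid; chcmd=chown
    else
        new=$(wbinfo --sid-to-gid "$sid") || return 1; flag=-gid; chcmd=chgrp
    fi
    if [ "$DRY_RUN" = 1 ]; then
        echo "# would run: find $4 -xdev $flag $2 -exec $chcmd -h $new {} +"
    else
        find "$4" -xdev "$flag" "$2" -exec "$chcmd" -h "$new" {} +
    fi
}

# Dispatch: "strip" applies the LDIF step, "remap user|group OLD NAME PATH"
# fixes ownership; with no argument nothing runs, so the file can be sourced.
case "${1:-}" in
    strip) apply_strip ;;
    remap) shift; remap_ids "$@" ;;
esac
```

Run `sh strip-rfc2307.sh strip` first with the default DRY_RUN=1 and read the LDIF it prints; only then run it with `DRY_RUN=0`. Ownership is fixed per account afterwards, for example `DRY_RUN=0 sh strip-rfc2307.sh remap user 2001 'ARDITI\alice' /srv/shares`, which looks the new uid up through the SID so it does not depend on the value idmap.ldb happened to allocate.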