[Samba] Avoiding uid conflicts between rfc2307 user/groups and computers

Rowland Penny rpenny at samba.org
Fri Jan 12 14:00:05 UTC 2018 

On Fri, 12 Jan 2018 14:23:36 +0100
Prunk Dump via samba <samba at lists.samba.org> wrote:

> Hi Samba team !
> 
> I have some conflicts between uid stored in the rfc2307 attributes and
> some local uid from idmap.ldb
> 
> My network :
> ------------------
> I have three samba AD DC with sysvol replication. Sadly, as I don't
> have some other machines, the three DC also share my user's Home and
> Profile directories. So I need at least :
> -> Builtin User/Group ID mapping between DCs (easy)
> -> Domain User/Group ID mapping between DCs
> -> Computer IDs that does not conflicts with the other ID
> (computer accounts are not used on the shares)
> 
> 
> How I currenly do :
> ---------------------------
> I don't use ADUC. So to create a new user :
> -> I use the samba-tool command always on the same DC (say DC1).
> -> One local xidNumber is generated in idmap.ldb
> -> So I take the xidNumber and I put it in the rfc2307 uidNumber
> attribute.
> 
> I do the same manner for creatings groups.
> 
> The problem come with the computer accounts of Windows machine.
> Because as the accounts are created from clients, I have no control on
> the ID generation.
> 
> 
> How the problem appear :
> -----------------------------------
> -> I create a user "myuser" on DC1.
> -> A local xidNumber = 3000025 (for example) is created locally and
> copied to the rfc2307 attributes.
> -> On the others DCs, there is no local xidNumber for "myuser" because
> the rfc2307 attribute is already set.
> -> Next I join a new Windows computer on the Domain.
> -> On DC1, no problem, the local xidNumber prevent conflict with the
> new created machine local ID
> -> But on DC2, sometimes, a local xidNumber of 3000025 (like myuser)
> is allocated for the new computer and myuser lost sometimes the access
> to the shares ( sometimes winbind say that the files are owned by
> "myuser", sometimes it say that they are owned by the machine).
> 
> Is there a way to say to Samba to use different ranges for user/group
> xidNumber and computer xidNumber ?
> 
> Does someone have an idea how to solve my problem ?
> 
> Thanks !
> 
> Baptiste.
> 

Why do you feel you have to have a Unix ID for a computer ?

Also using the xidNumber for the rfc2307 ID isn't a good idea,
partially for the reason you have found. The contents of idmap.ldb on
different DCs is highly likely to be different unless you sync
idmap.ldb from the first DC to all others.

Rowland

More information about the samba mailing list