[Samba] Avoiding uid conflicts between rfc2307 user/groups and computers

Kacper Wirski k.wirski at babkamedica.pl
Mon Jan 15 15:18:57 UTC 2018


Hello,
I understand the OP; I asked a similar question some time ago, but it 
was in relation to a Samba domain member. I couldn't get backend: ad to 
work for machine accounts, so I switched to idmap: rid and it solved 
everything. I tried manually adding UID and GID to Domain Computer group 
and to machine accounts, but it didn't seem to work properly, so I gave 
up, especially since RID was perfectly fine.

On a Samba AD DC, idmapping is done automatically, that is, if no UID/GID 
value is present in AD via RFC2307. I've noticed that Samba by default 
assigns UID/GID from 300000 and just increments by 1, and by default, when 
setting rfc2307, it starts from 10000, so within a single DC there should 
be no problem unless you somehow manage to go from 10000 to 300000 users.

The issue is keeping it in sync between multiple DCs (I ran into this 
issue some time ago). It might screw up Sysvol NT ACL if a machine account 
receives a different UID.

In my case I rarely use specific machine accounts in ACLs for GPOs. And 
if a mix happens I would re-sync idmap.ldb.

I hope it helps.


On 2018-01-15 at 15:05, Rowland Penny via samba wrote:
> On Mon, 15 Jan 2018 14:55:55 +0100
> Marco Gaiarin via samba <samba at lists.samba.org> wrote:
>
>> Hello! L.P.H. van Belle via samba
>>    On that day it was said...
>>
>>>> It is not the SYSTEM user (that is a local user to the
>>>> workstation, so clearly does not exist on the domain).
>>> Yes it does. Look at "Builtin\system" which is also "NT
>>> Authority\System".
>> Ahem, clearly every machine (workstation, server; I suppose also the
>> domain) has a SYSTEM account, but they are ''different'':
>> MY_SERVER\SYSTEM, MY_DOMAIN\SYSTEM and KAIN\SYSTEM are different
>> accounts, and I think they do not have to be mapped to each other...
>>
>>
>>>> But still, a Windows workstation, when accessing some shares with the
>>>> SYSTEM user, tries to log on with the machine account.
>>> Correct, that's by design, and if you get access denied, you did hit
>>> the "winbind" "user SYSTEM" bug(s). Fix, use acl_xattr:ignore
>>> system acl = yes for now.
>> ?! Reading the manpage:
>>
>>         acl_xattr:ignore system acls = [yes|no]
>>             When set to yes, a best effort mapping from/to the POSIX
>> ACL layer will not be done by this module. The default is no, which
>> means that Samba keeps setting and evaluating both the system ACLs
>> and the NT ACLs. This is better if you need your system ACLs be set
>> for local or NFS file access, too. If you only access the data via
>> Samba you might set this to yes to achieve better NT ACL
>> compatibility.
>>
>> It seems unrelated to me.
>>
>> What I'm speaking about is that, in Microsoft Server OS (and I suppose
>> on Samba too ;) access done by the local SYSTEM user to a share triggers
>> access via the respective machine account.
>> Some docs corroborate this:
>>
>> 	https://msdn.microsoft.com/en-us/library/ms684190(VS.85).aspx
>> 	The LocalSystem account is a predefined local account used by
>> 	the service control manager. [...]
>> 	It has extensive privileges on the local computer, and acts as
>> 	the computer on the network.
>>
>> 	https://msdn.microsoft.com/en-us/library/ms677973(VS.85).aspx
>> 	When a service runs under the LocalSystem account on a
>> computer that is a domain member, the service has whatever network
>> access is granted to the computer account, or to any groups of which
>> the computer account is a member.
>>
>> So, on Samba, it is not (only) a matter of ACLs: the machine account has
>> to have a UID, to write (or read also...) to a share!
>>
>>
>> Probably I'm missing something really ''basic'', but it seems obvious to
>> me... if I use rfc2307, in a domain member (if I use the RID backend, or
>> if I'm on a domain controller, some sort of automatic mapping is in
>> place...) the only way to have non-anonymous access to shares by the
>> local workstation SYSTEM account is to add a UID to the machine account...
>>
>>
>>>> If the KAIN$ account has no UID (and 'Domain Computers' has no GID),
>>>> clearly share access fails.
>>> No, the computer uses system, but if you test manually it sets the
>>> computername.
>> No, sorry, I've not understood what you mean...
>>
> 'SYSTEM' is a Windows account; there is no concept of the 'SYSTEM'
> account on Unix, and this includes Samba.
>
> Please read this:
>
> https://wiki.samba.org/index.php/The_SYSTEM_Account
>
> Rowland
>

-- 

Best regards,
Kacper Wirski
tel. +48 608 421 424
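
An added example, not part of the original message and not Samba code: a Python check for the multi-DC drift described in the message, comparing SID-to-xidNumber mappings taken from two DCs' idmap.ldb dumps. The dump layout (LDIF-style records with objectSid and xidNumber), the SIDs and the ID values are constructed assumptions; the 10000 and 300000 bounds are the figures quoted in the message.

```python
import re

# Constructed idmap.ldb dumps from two DCs (LDIF-style records; layout assumed).
DC1_DUMP = """\
dn: CN=S-1-5-21-1111-2222-3333-1105
objectSid: S-1-5-21-1111-2222-3333-1105
type: ID_TYPE_BOTH
xidNumber: 300004

dn: CN=S-1-5-21-1111-2222-3333-1106
objectSid: S-1-5-21-1111-2222-3333-1106
type: ID_TYPE_BOTH
xidNumber: 300005
"""
# On the second DC the same machine SID got a different ID, and its old ID
# was handed to another SID.
DC2_DUMP = DC1_DUMP.replace("xidNumber: 300005", "xidNumber: 300007") + """
dn: CN=S-1-5-21-1111-2222-3333-1107
objectSid: S-1-5-21-1111-2222-3333-1107
type: ID_TYPE_BOTH
xidNumber: 300005
"""

def parse_idmap(ldif):
    """Return {sid: xidNumber} for every record carrying both attributes."""
    mapping = {}
    for record in re.split(r"\n\s*\n", ldif.strip()):
        attrs = dict(l.split(": ", 1) for l in record.splitlines() if ": " in l)
        if "objectSid" in attrs and "xidNumber" in attrs:
            mapping[attrs["objectSid"]] = int(attrs["xidNumber"])
    return mapping

def drift(dc_a, dc_b):
    """SIDs known to both DCs but mapped to different IDs."""
    return {s: (dc_a[s], dc_b[s]) for s in dc_a.keys() & dc_b.keys()
            if dc_a[s] != dc_b[s]}

def xid_reuse(dc_a, dc_b):
    """IDs that point at different SIDs on the two DCs (ID type is ignored)."""
    by_xid_b = {xid: sid for sid, xid in dc_b.items()}
    return {xid: (sid, by_xid_b[xid]) for sid, xid in dc_a.items()
            if xid in by_xid_b and by_xid_b[xid] != sid}

def in_range(mapping, low, high):
    """Automatically allocated IDs that fall inside the rfc2307 range."""
    return {sid: xid for sid, xid in mapping.items() if low <= xid < high}

if __name__ == "__main__":
    dc1, dc2 = parse_idmap(DC1_DUMP), parse_idmap(DC2_DUMP)
    print("drift:", drift(dc1, dc2))
    print("reused IDs:", xid_reuse(dc1, dc2))
    print("inside rfc2307 range:", in_range(dc2, 10000, 300000))
```

A non-empty drift or reuse result means files owned by that ID, Sysvol included, resolve to different accounts depending on which DC serves them.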

