[Samba] Avoiding uid conflicts between rfc2307 user/groups and computers

Rowland Penny rpenny at samba.org
Wed Jan 17 09:46:57 UTC 2018


On Wed, 17 Jan 2018 06:55:07 +0100
Prunk Dump via samba <samba at lists.samba.org> wrote:

> 2018-01-15 20:14 GMT+01:00 Rowland Penny via samba
> <samba at lists.samba.org>:
> > On Mon, 15 Jan 2018 19:51:12 +0100
> > Prunk Dump via samba <samba at lists.samba.org> wrote:
> >
> >> Thanks again for your help!
> >>
> >> 2018-01-12 21:26 GMT+01:00 Rowland Penny <rpenny at samba.org>:
> >> > The problem is, you are thinking in the wrong direction ;-)
> >> > If you give a user a uidNumber, or a group a gidNumber, these
> >> > will be used instead of the xidNumbers found in idmap.ldb, you
> >> > do not need to alter idmap.ldb at all.
> >> > The way ADUC works, is by using a couple of attributes, that, by
> >> > default Samba AD doesn't have. These are 'msSFU30MaxUidNumber' &
> >> > 'msSFU30MaxGidNumber' and they hold the next uidNumber &
> >> > gidNumber. They should be in:
> >> > dn:
> >> > CN=samdom,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com
> >> >
> >> > Where 'samdom' is your lowercase workgroup and
> >> > 'DC=samdom,DC=example,DC=com' is your realm/dns domain.
> >> >
> >> > If you can write scripts, I am sure you can figure out how to use
> >> > them ;-)
> >> > If not, contact me off list and I will provide a sample.
> >>
> >> On my SAM database I have a CN=samdom,CN=ypservers entry:
> >>
> >> # ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b CN=fichnet,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=net,DC=lyc-guillaume-fichet,DC=ac-grenoble,DC=fr
> >> # record 1
> >> dn: CN=fichnet,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=net,DC=lyc-guillaume-fichet,DC=ac-grenoble,DC=fr
> >> objectClass: top
> >> objectClass: msSFU30DomainInfo
> >> cn: fichnet
> >> instanceType: 4
> >> whenCreated: 20150630144502.0Z
> >> whenChanged: 20150630144502.0Z
> >> uSNCreated: 3768
> >> uSNChanged: 3768
> >> showInAdvancedViewOnly: TRUE
> >> name: fichnet
> >> objectGUID: e1b63980-512f-451b-a2d7-c4abdbb03a3c
> >> objectCategory: CN=msSFU-30-Domain-Info,CN=Schema,CN=Configuration,DC=net,DC=lyc-guillaume-fichet,DC=ac-grenoble,DC=fr
> >> msSFU30MasterServerName: FICHDC
> >> msSFU30OrderNumber: 10000
> >> msSFU30Domains: fichnet
> >> distinguishedName: CN=fichnet,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=net,DC=lyc-guillaume-fichet,DC=ac-grenoble,DC=fr
> >>
> >> But there are no msSFU30MaxUidNumber and msSFU30MaxGidNumber values.
> >
> > No, there aren't. Samba doesn't add them; it adds everything else,
> > just not those two attributes. You need to add something like this:
> >
> > msSFU30MaxUidNumber: 10000
> > msSFU30MaxGidNumber: 10000
> >
> > Note, you will need to find the highest uidNumber and gidNumber,
> > add 1 to it and replace '10000' with these numbers.
> >
> >>
> >> Do you know if this current entry was created by samba or by some
> >> Windows administration tools ?
> >
> > Samba
> >
> >> Do you know if I need to add a class to add the msSFU30MaxUidNumber
> >> and msSFU30MaxGidNumber values ?
> >
> > No, you don't need to add any other objectclasses.
> >
> >> (I don't know how to read schema specification directly inside the
> >> database)
> >>
> >> 2018-01-15 16:18 GMT+01:00 Kacper Wirski via samba
> >> <samba at lists.samba.org>:
> >> > Hello,
> >> > I understand the OP; I asked a similar question some time ago,
> >> > but it was in relation to a Samba domain member. I couldn't get
> >> > backend: ad to work for machine accounts, so I switched to idmap:
> >> > rid and it solved everything. I tried manually adding a UID and GID
> >> > to the Domain Computers group and to machine accounts, but it didn't
> >> > seem to work properly, so I gave up, especially since RID was
> >> > perfectly fine.
> >>
> >> Thanks, but I also use the other rfc2307 attributes, not only
> >> uidNumber and gidNumber, so I need to keep all the rfc2307 values
> >> updated and I can't switch to RID. Moreover, the file system is
> >> also exported by NFSv4, so I need consistent IDs on all the
> >> databases/filesystems.
> >
> > You can add the required attributes with ldapmodify or ldbmodify,
> > as I said, I can supply sample scripts to show the basics.
> >
> > Rowland
> >
> >
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> 
> 
> Thanks!
> 
> Your solution worked like a charm! There is also another benefit: I
> now have three distinct ranges for my IDs:
> 
> -> 3000000 - 3999999 for the xidNumbers (when no rfc2307 id)
> -> 4000000 - 4999999 for the user rfc2307 uidNumber
> -> 5000000 - 5999999 for the group rfc2307 gidNumber
> 
> If someone is interested, here is a part of the script I used:
> 
> ###############################
> # get user rfc2307 attributes #
> ###############################
> 
> # the ypservers object that carries the msSFU30MaxUidNumber counter #
> ypserversDN="CN=$shortDomain,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,$baseDN"
> 
> # get the new uid from the counter, or fall back to $baseUid when the counter is unset #
> # note: read-then-write of the counter is not atomic; serialise concurrent runs (e.g. flock) #
> userUid=$(ldbsearch -H "$samDatabase" -s base -b "$ypserversDN" \
>     msSFU30MaxUidNumber | grep '^msSFU30MaxUidNumber:')
> if [ -z "$userUid" ]; then
>    userUid="$baseUid"
> else
>    userUid=$(echo "$userUid" | sed 's/^msSFU30MaxUidNumber: \(.*\)/\1/')
> fi
> 
> # get the gid of the primary group (third field of 'name:x:gid') #
> strgid=$(wbinfo --group-info="$pgroupName")
> userGid=$(echo "$strgid" | cut -d ":" -f 3)
> 
> 
> # create the user #
> samba-tool user create "$userName" --userou="$userDN" --random-password \
>     --profile-path="\\\\$accountServerDns$winProfilePath\\$pgroupNameR\\$userName" \
>     --home-directory="\\\\$accountServerDns$winHomePath$winHomeDir\\$pgroupNameR\\$userName" \
>     --home-drive="$homeDrive" \
>     --unix-home="/home$unixHomeDir/$pgroupNameR/$userName" \
>     --uid-number="$userUid" \
>     --gid-number="$userGid" \
>     --login-shell="/bin/bash"
> 
> # set passwd #
> if [ -z "$userPasswd" ]; then
> # --must-change-at-next-login can cause problem with roaming profiles
>     samba-tool user setpassword "$userName" --newpassword="$userName"
> else
>     samba-tool user setpassword "$userName" --newpassword="$userPasswd"
> fi
> samba-tool user setexpiry --noexpiry "$userName"
> 
> 
> ############
> # next uid #
> ############
> nextUid=$((userUid+1))
> 
> # write the incremented counter back as an LDIF modify, via a private temp file #
> ldifFile=$(mktemp)
> cat > "$ldifFile" <<EOF
> dn: $ypserversDN
> changetype: modify
> replace: msSFU30MaxUidNumber
> msSFU30MaxUidNumber: $nextUid
> EOF
> 
> ldbmodify --url="$samDatabase" -b "$baseDN" "$ldifFile"
> rm -f "$ldifFile"
> 
> 
> Thank you very much!
> 
> Baptiste.
> 

The only thing I would add is that you do not need to use different
ranges for users & groups. A user with the Unix UID '10000' will never
be mistaken for a group with the Unix GID '10000'.

Rowland
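Rowland's rule of thumb above ("find the highest uidNumber and gidNumber, add 1") and the original problem of rfc2307 IDs colliding with the idmap.ldb xidNumber range are easy to check mechanically. The script below is an added example, my own code rather than anything posted in this thread or shipped by Samba: it parses the LDIF that `ldbsearch -H /var/lib/samba/private/sam.ldb` prints and reports duplicate uidNumber/gidNumber values, IDs that fall inside the xid range, and whether the msSFU30MaxUidNumber/msSFU30MaxGidNumber counters are still ahead of everything in use. It assumes the default idmap.ldb range of 3000000-3999999 that Baptiste quotes; the sample LDIF, its DNs and its ID values are constructed for the example.

```python
"""Added example (not from the thread): audit rfc2307 IDs in a Samba AD domain from the LDIF
that ldbsearch prints: duplicate IDs, IDs in the xid range, stale msSFU30Max{Uid,Gid}Number."""
import base64, json, sys
from collections import defaultdict
XID_RANGE = (3000000, 3999999)  # idmap.ldb default range for accounts with no rfc2307 ID


def parse_ldif(text):
    """Return a list of records, each mapping attribute name -> list of values."""
    lines = []
    for raw in text.splitlines():  # unfold continuation lines (one leading space) first
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records, current = [], defaultdict(list)
    for line in lines:
        if not line.strip():  # a blank line terminates a record
            if current:
                records.append(dict(current))
                current = defaultdict(list)
            continue
        if line.startswith("#"):  # '# record 1', '# returned N records'
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):  # 'attr:: <base64>' form
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current[name.strip()].append(value)
    if current:
        records.append(dict(current))
    return records


def audit(records, xid_range=XID_RANGE):
    """Cross-check allocated IDs against each other and against the ypservers counters."""
    used, counters = {"uid": defaultdict(list), "gid": defaultdict(list)}, {}
    for rec in records:
        classes = {c.lower() for c in rec.get("objectClass", [])}
        dn = rec.get("dn", ["?"])[0]
        if "mssfu30domaininfo" in classes:
            for key, attr in (("uid", "msSFU30MaxUidNumber"), ("gid", "msSFU30MaxGidNumber")):
                if attr in rec:
                    counters[key] = int(rec[attr][0])
        # objectClass computer inherits user, so a computer given a uidNumber is checked too;
        # a user's gidNumber is its primary group, not an allocation, so only groups count.
        if "user" in classes and "uidNumber" in rec:
            used["uid"][int(rec["uidNumber"][0])].append(dn)
        if "group" in classes and "gidNumber" in rec:
            used["gid"][int(rec["gidNumber"][0])].append(dn)
    lo, hi = xid_range
    report = {}
    for key in ("uid", "gid"):
        ids, counter = used[key], counters.get(key)
        highest = max(ids) if ids else None
        # The counter holds the *next* free ID, so it must be above every ID in use; a missing
        # or stale counter makes the next ADUC/samba-tool creation reuse an existing ID.
        counter_ok = counter is not None and (highest is None or counter > highest)
        report[f"duplicate_{key}s"] = {n: d for n, d in ids.items() if len(d) > 1}
        report[f"{key}s_in_xid_range"] = {n: d for n, d in ids.items() if lo <= n <= hi}
        report[f"{key}_counter_ok"] = counter_ok
        report[f"next_free_{key}"] = counter if counter_ok else (
            highest + 1 if highest is not None else counter)
    report["clean"] = all(not report[f"duplicate_{k}s"] and not report[f"{k}s_in_xid_range"]
                          and report[f"{k}_counter_ok"] for k in ("uid", "gid"))
    return report


# Constructed sample (DNs and IDs made up): a stale gid counter, one duplicated uidNumber
# and one uidNumber that collides with the xid range.
SAMPLE_LDIF = """\
dn: CN=samdom,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,
 DC=example,DC=com
objectClass: msSFU30DomainInfo
msSFU30MaxUidNumber: 4000003
msSFU30MaxGidNumber: 5000001

dn: CN=alice,OU=People,DC=samdom,DC=example,DC=com
objectClass: user
displayName:: QWxpY2UgU21pdGg=
uidNumber: 4000001

dn: CN=carol,OU=People,DC=samdom,DC=example,DC=com
objectClass: user
uidNumber: 4000001

dn: CN=dave,OU=People,DC=samdom,DC=example,DC=com
objectClass: user
uidNumber: 3000005

dn: CN=students,CN=Users,DC=samdom,DC=example,DC=com
objectClass: group
gidNumber: 5000001

dn: CN=teachers,CN=Users,DC=samdom,DC=example,DC=com
objectClass: group
gidNumber: 5000002
"""

if __name__ == "__main__":  # usage: audit_ids.py [dump.ldif]; without a file, audits the sample
    print(json.dumps(audit(parse_ldif(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF)), indent=2))
```

To run it against a real domain, dump only the objects that matter, e.g. `ldbsearch -H /var/lib/samba/private/sam.ldb '(|(uidNumber=*)(gidNumber=*)(objectClass=msSFU30DomainInfo))' objectClass uidNumber gidNumber msSFU30MaxUidNumber msSFU30MaxGidNumber > ids.ldif` and pass `ids.ldif` as the argument. `clean: false` means the next ADUC or `samba-tool user create` run can hand out an ID that is already in use. The check is a snapshot only: the read-then-write of msSFU30MaxUidNumber in a creation script like the one above is not atomic, so two administrators creating users at the same time still have to be serialised on the DC (a lock file with flock is enough).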


